How South Dakota's BIT defends against cyber threats
Running head: Request for Proposals
REQUEST FOR PROPOSALS
FOR
INFORMATION SECURITY ASSESSMENT SERVICES (ISAS)
A COMPREHENSIVE PROJECT
SUBMITTED TO THE
INFORMATION SYSTEMS SECURITY PROGRAM
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE BACHELOR'S DEGREE
by
STUDENT NAME
ELIANE BELSHAW
ADVISOR - PROFESSOR DOYLE WILLIAMS
ITT TECHNICAL INSTITUTE
ONLINE PROGRAM
SEPTEMBER, 2015
Contents
Review of the Firm's Qualifications
Phased Project Approach and High-Level Project
Negative Gap Addressing
Services Budget
RFP Clarification Questions
Review of Requirements and Clarification Questions
Project Plan Modifications Based on Clarifications Answered
Business Impact Analysis
High-Level Description of Current Client's Need
IT Security Policy Framework/RFP Requirements Worksheet
RFP Requirements Worksheet
IT Security Compliance and Governance Gap Analysis Worksheet
Solutions to Solve Our Firm's Gap Issues and Cost
Benefits of Your Recommendations
Mitigation Recommendations to Address Identified Gaps
Privacy Data Security Gaps Worksheet
Privacy Data Security Gaps and the Importance of Mitigating Them
Mitigate Identified Privacy Data Security Gaps Worksheet
Security Gaps in Data Security, Mitigation Suggestions, and Suggestions to Include These Services in the RFP - Explanatory Worksheet with Project Cost
Privacy Data Security Gap Mitigation Recommendations Worksheet
Mitigation Control Recommendations for Privacy Data Security Gaps
Project Plan - Security Assessment Worksheet
Security Assessment and Mitigation Plan for the Workstation and System/Application Domains, Including Project Cost
Procedure to Conduct a Security Assessment and Risk Identification
Security Program: Plan of Action for the Risk Mitigation Plan for the Workstation and System/Application Domains
Risk Assessment Project Plan Definition
Qualitative Risk Assessment Analysis and Project Cost
Data Security Mitigation Actions Based on Qualitative Risk Assessment
Proposed Mitigation Plan Based on the Qualitative Risk Assessment
Risk Prioritization and Mitigation Project Plan Definition
Risk Mitigation by Risk Priority and Project Cost
Risk Mitigation Actions Based on Qualitative Risk Assessment's Risk Prioritization
Explanation of Why the Countermeasure is a Priority, How to Achieve Best Results, and How to Document Actions and Results
BCP Outline and Table of Contents as per BIA
BIA for the Main Business Functions and Presentation of a Summary of BCP for this Company
DRP Outline Creation, Table of Contents, and Estimation of BIA Performance
Execution Details About the BCP and DRP Plans and Their Costs
Phased Project Approach and High-Level Project Plan Including Prioritized Security Controls
Prioritized Security Controls Designed for IT Infrastructure Domains and Their Costs
Layered Security Solution Response Report
Description of the Security Controls According to Each IT Infrastructure Domain
Layered Security Solution Executive Summary
Works Cited
Review of the Firm's Qualifications
Our Firm has applied to participate in the Request for Proposal (RFP) because we believe that we can provide efficient services and products that will satisfy this company's needs as they arise. As soon as a need appears, our collaborators use the available tools, within the available budget and with their best expertise, to obtain the result that best fits the situation. We neither underestimate nor overestimate any event under our supervision; every event receives an assessment according to its cause and effect. That is our concept of efficiency, and we take pride in our history of efficient relationships with our clients. Each client deserves a personalized plan.
According to the requirements in the RFP, we present below the company's capabilities and the conditions under which we fulfill these requirements:
Minimum of five years of business establishment: Our firm was formed in 2002 and became a complete security service provider in 2006.
Reported annual gross sales of at least one million US dollars: Our firm's annual gross income is currently 1.6 million US dollars.
Present references for three similar services provided to other companies within the last three years: In the last four years we won four major contracts that are similar to this RFP; the references and some non-confidential details of those contracts are attached to this paper in section Index A.
Must have at least one person who holds a primary role in the contract and holds a CISSP, CISM or equivalent security certification: We have eight persons assigned to work on this contract, in case we are awarded the RFP, with the following designations: five hold CISSP certifications, four hold CISM, four hold GIAC-GSEC, and six hold other GIAC certifications.
Cannot have any activity or contract providing service or product to any other agency of this state: All of our contracts are with the Federal Government, other states, or private companies outside this state. Currently, we do not have any contract in force within this state.
Must maintain at least one permanent office in this state: Currently, we are operating in a temporary office. However, if we are awarded this RFP we will establish a permanent local office that is more convenient for our operation.
Must provide samples of previous reports on other clients: Please find attached, in section Index B, samples of other client reports with the same needs as this company. For confidentiality reasons, sensitive information was omitted.
o Vulnerability Assessment and Penetration Test are the most requested services in our contracts, which is why there are so many of them.
o Risk Assessment, Business Continuity Plan, and Disaster Recovery Plan are plans that are usually neglected by our clients, even under our strong recommendations. Our collaborators' resumes show their extensive experience with RA, BCP, and DRP. See attached in section Index C.
Source code review: Currently, our firm does not offer this service; however, we are interviewing professionals who would be a good match for our team, so that we can be awarded this RFP and provide you with a high quality of service.
Phased Project Approach and High-Level Project
Our Firm is a security services provider that has been in the information system security field since 2002. We proudly provide security for several companies in different sectors, public and private. We assist companies and federal and state agencies in securing their information systems and achieving their compliance goals successfully. With the same determination, we present our proposal to this RFP in order to be rewarded with the chance to provide good services to this company.
According to the Request for Proposal (RFP) requirements, we present our answers below, and we are available at any time for your convenience if any questions arise.
Must be in business for at least the last five consecutive years: Our firm was formed in 2002 and became a complete security service provider in 2006.
Report annual gross sales of at least one million U.S. dollars: Our firm's annual gross income is currently 1.6 million US dollars.
Present at least three references of previous engagements, within the last three years, that are materially similar to the requirements contained in this document: In the last four years we won four major contracts that are similar to this RFP; the references and some non-confidential details of those contracts are attached to this paper in section Index A.
Must have at least one person who will be a primary participant in delivering products and services who holds a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or equivalent security certification: We have eight persons assigned to work on this contract, in case we are awarded the RFP, with the following designations: five hold CISSP certifications, four hold CISM, four hold GIAC-GSEC, and six hold other GIAC certifications.
Cannot have any active managed security service provider contracts with any other agency of this state: All of our contracts are with the Federal Government, other states, or private companies outside this state. Currently, we do not have any contract in force within this state.
Must maintain at least one permanent office in this state: Currently, we are operating in a temporary office. However, if we are awarded this RFP we will establish a permanent local office that is more convenient for our operation.
Must provide samples of previous reports for other clients, sensitive information omitted, that contain three of the following activities: Please find attached, in section Index B, samples of other client reports with the same needs as this company. For confidentiality reasons, sensitive information was omitted.
o Risk assessment: This plan is one of the plans that is usually neglected by our clients, even under our strong recommendations. Our collaborators' resumes show their extensive experience with RA plans. See attached in section Index C.
o Vulnerability assessment: One of the most requested services in our contracts.
o Penetration test: One of the most requested services in our contracts.
o Source code review: See the regular report together with the other companies' reports.
o Business Continuity Plan/Disaster Recovery Plan (BCP/DRP): These plans are usually neglected by our clients, even under our strong recommendations. Our collaborators' resumes show their extensive experience with BCP and DRP. See attached in section Index C.
Negative Gap Addressing
Risk Assessment, Business Continuity Plan/Disaster Recovery Plan: Even if we do not have recent reports to present in these three areas (RA, BCP and DRP plans), our professionals are completely capable of performing these activities in any security environment. Their certifications and qualifications are recorded in their resumes, and they are available at any time at your convenience for any further questions that you deem necessary.
At the moment, we do not have a professional to perform source code review; however, we are in the process of interviewing professionals to complete our security team with source code review and SDLC assessment expertise.
Services Budget
| Item | Description | Value |
|---|---|---|
| 01 | 8 collaborators with certifications: 5 holding CISSP certifications, 4 holding CISM certifications, 4 holding GIAC-GSEC, and 6 holding other GIAC certifications | $450,000.00 |
| 02 | New collaborator to perform source code review | $50,000.00 |
| 03 | 1 permanent office in this state | $650,000.00 |
| 04 | Vulnerability assessment sample report | $30,000.00 |
| 05 | Penetration test sample report | $30,000.00 |
| 06 | Source code review report | $30,000.00 |
| 07 | Business Continuity Plan/Disaster Recovery Plan | No cost |
| 08 | Risk Management Plan | No cost |
| TOTAL | | $1,240,000.00 |
RFP Clarification Questions
Research by information systems security scientists has concluded that the human being is the weakest link in the security chain of an information system. For this reason, several systems have fallen prey to neglect by humans, from operations staff to top managers. For this reason, for the sake of this project, and to clarify further doubts, we would like to present a few questions about this company's Request for Proposal (RFP).
After the final results of the RFP, how long will it take to start work operations?
How will the contract be measured and paid?
Is the awarded bidder going to start a new information security project, or are they going to join an ongoing project with other collaborators?
Will there be a manager with the authority to make decisions who will work with the security team and support its decisions?
Is the creation of security policies and personnel training included in the project?
Is social engineering awareness and training included in the project?
Is the company willing to give the awarded bidder the information and system access necessary to perform its work without obstacles?
These points of clarification are very important; the success of the project depends on them. Without the collaboration of both parties, the training and awareness of the system's users about their responsibility to maintain the system's security, and the support of top management, it is impossible to succeed in an information system security project.
Review of Requirements and Clarification Questions
It is normal in an RFP that, when one question is answered, many other questions appear. However, one important goal is to learn whether the contracting company has the same working principles that our company has, and whether we are going to work in a collaborative environment to achieve our objectives. Another main goal of our investigation is to gather as much information as possible about the job, in order to ensure that our company is able to provide excellent services and products, and also to ensure that nothing is misunderstood or neglected.
In the first analysis, the following questions were asked:
After the final results of the RFP, how long will it take to start work operations?
After the results of the RFP, we are going to meet with the awarded company within fifteen days to sign the contract and finalize the agreement. If everything is in place, operations will start sixty days after the signature of the contract.
How will the contract be measured and paid?
Following the predetermined schedule, on the given date our auditors will analyze whether the work has been completed according to schedule; if so, the work will be paid proportionally to the work completed. If the work did not follow the schedule, the company will not be paid and will suffer penalties according to the contract.
Is the awarded bidder going to start a new information security project, or are they going to join an ongoing project with other collaborators?
We need a completely new proposal for our system security. However, we have a few information system security professionals who are going to join the awarded company's security team in order to work together on this project.
Will there be a manager with the authority to make decisions who will work with the security team and support its decisions?
We have not planned for this possibility; however, we can discuss this subject further at the Bidder's Conference.
Is the creation of security policies and personnel training included in the project?
Creation of policies is included in the project; however, the personnel training phase needs to be discussed with the management team. We are going to provide you with complete answers at the Bidder's Conference.
Is social engineering awareness and training included in the project?
This subject needs to be discussed with the management team. We are going to provide you with complete answers at the Bidder's Conference.
Is the company willing to give the awarded bidder the information and system access necessary to perform its work without obstacles?
For the sake of this company, it is in our interest to collaborate and form a joint venture with the company awarded this RFP. Therefore, the awarded company can count on our support and collaboration for the success of this project.
It is very normal for a non-security professional to ignore the dangers that humans may present to the information security system. They also do not believe that it is worth spending money on training personnel, defending the system against bad usage by humans, and so forth. However, a chain is only as strong as its weakest link, and if the users of a system are weak and have weak user habits, the system will be as weak as the users, even if the security team created an incredible security program. This is very serious because it can reflect on our company.
We cannot think only about money. For example, if we work for a company that does not follow our recommendations and they do not succeed, this company will tell everyone that we did not perform a good job. Probably, they will not tell anyone that they failed because they did not follow our recommendations. In the end, it will be a bad mark on the company's reputation. This is one of the reasons that it is very important to ensure that the company understands the importance of our recommendations.
Project Plan Modifications Based on Clarifications Answered
During the Bidder's Conference, there was a great opportunity to clarify doubts and settle details of the original RFP. Our company would like to express its gratitude to this company for the excellent meeting. Also, if allowed, we would like to use this opportunity to present our suggestions and explanations to improve this project in order to achieve better results in securing this company's information system. In addition, these suggestions would assist any company awarded the RFP in completing the project efficiently.
At this moment, this company does not believe it is necessary to train the information system users on security policies and social engineering hazards. However, based on our experience, we advise that it is crucial for the complete success of the project that company personnel are aware of their responsibilities and their roles within the whole system. As mentioned in prior documentation, human beings are the weakest link in the information system security chain. For this reason, we need to work on this point to achieve strength in our final result.
To demonstrate the risks that users are exposed to, we present examples of some attacks that depend on an individual's actions, including on personal sites. Many people would say that this would not happen in a company environment. However, it happens a great deal in company environments and compromises the whole system, due to a lack of employee awareness.
Clickjacking: When a social networking site user clicks on the site's advertisement, which most of the time carries malware. This malware contaminates the user's network or may send the user's ID to other sites, which may result in spam or a DoS attack.
Cross-site Scripting (XSS): An attack on web applications that injects malicious script into the database with the objective of attacking the website's users. Also, through an infected web page, the attacker is able to gather confidential information from the user.
Elicitation: The strategy of using conversation to extract information from people without giving them the feeling that they are being interrogated. It can happen in an informal chat on the company's website.
Pharming: Redirecting a user from legitimate websites to fraudulent ones.
Phishing: Usually an email that looks like it is from a legitimate organization or person, but is not, and contains a link or file with malware.
Phreaking: Gaining unauthorized access to telecommunications systems.
Scams: Fake deals that trick people into providing money, information, or services in exchange for the deal.
Sometimes malware is only annoying, and as soon as it is cleaned from the system everything is back in place. However, the impact on the business may range from small to severe, depending on the attacker and the target of the attack. Next, we present the main business impact in the case of a successful attack:
Business Impact Analysis
| Business Function | Critical Business Function | Impact Value Level | Maximum Acceptable Outage | Risks, Threats, and Vulnerabilities |
|---|---|---|---|---|
| DMZ - Protection | Yes | Level 1 | Two hours | Hacker attacks on the company website, which sits close to the company's main system. |
| System/Database - Sales, Payable/Receivable, Client Information, etc. | Yes | Level 1 | Two hours | These systems can be attacked by hackers after obtaining a user's password through a key-logging attack; the key-logging software is installed through a clickjacking attack. |
| Real-time customer service - Access to the system | Yes | Level 1 | Two hours | Constantly scan the system, database, website, etc. to check for code injection (XSS attack). Verify that clients are not being redirected to fake sites, so that they can have real-time communication with the company. |
| Support Central for clients | Yes | Level 1 | Two hours | Ensure 24/7 availability for the client by having a dedicated link and personnel trained to avoid attacks on the network. |
| Website for customer access | Yes | Level 1 | Two hours | This function, and other network and internet functions such as email and client chat, have high priority. Because of this, it is necessary to have tools such as IDS, port scanners, and network firewalls, among others, to detect and stop intruders in the network before any damage takes place. |
It is very easy for system users to become comfortable and forget the rules and responsibilities of using the company's information system. For this reason, training is fundamental to make them aware of internet dangers. In addition, making them responsible for their actions means they will start paying more attention to what they do and helping to protect the system.
High-Level Description of Current Client's Need
To Whom It May Concern,
Dear Clients,
Our mission is to provide our clients with reliable services at a good cost and with better turnaround than the competition, in accordance with local law and compliance requirements. Therefore, our main objective is to maintain a high-end system that is capable of delivering, in a short period of time and with assertiveness, a secure information system that allows our clients and their employees to work with peace of mind and reliability. In this way, we can achieve our main goal: to guarantee the availability, confidentiality and integrity of the data and the system.
Based on our observations, we present below the work proposal that we believe will fulfill this company's needs for managing and providing a secure information system:
Develop a Qualitative Risk Assessment
o Identify the IT assets in the organization and their values.
o Identify threats and vulnerabilities to these assets.
o Identify the probability that a risk will occur.
o Identify the impact of a risk.
o Identify the usefulness of a safeguard or control.
o Identify the key roles and responsibilities of individuals and departments within the organization as they pertain to the RA.
o Develop a proposed schedule for the RA process.
Develop a Penetration Test
o Plan expected and unexpected penetration tests to evaluate the response capability of the security team.
Develop a Source Code Review
o Develop the program with a team specializing in the SDLC in order to have a better workflow.
Risk Mitigation Plan
o Determine the user policies, training, and reinforcement policies.
o Adopt the principle of least privilege.
o Frequently monitor users' access, downloading and uploading, using software to monitor the system.
o Ensure that users are aware of their responsibilities toward the system and the consequences of violations.
o Create a redundant system with backups.
o Maintain a recovery plan in order to guarantee the availability of the system.
o Establish physical security, such as a locked room for the network equipment and servers with biometric access points. Install video camera monitoring. Also, place fire extinguishers at strategic points and train employees on how to use them.
o Conduct social engineering awareness and training frequently.
Business Impact Analysis Plan
Business Continuity Plan
o Server and Database
o Backup System
o Hot Site
Computer Incident Response Team Plan
o This team is divided by expertise so that each member is prepared to respond as soon as possible in the case of a fault in the system.
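As an added illustration (not part of this proposal or its author's material), the qualitative risk assessment steps listed above can be worked through as a small worksheet: each asset carries a qualitative value and an owner, each risk pairs a threat with a vulnerability, the rating is likelihood times impact on a three-by-three matrix, and each safeguard is judged useful only if it lowers that rating. The assets and risk entries are constructed here from the Business Impact Analysis table in this document; the ordinal scales, the level thresholds, and the sample safeguards are assumptions for the example.

```python
"""Qualitative risk assessment worksheet.

Added example, not part of the proposal. The asset list, risk entries,
ordinal scales and rating thresholds below are constructed for illustration.
"""
from dataclasses import dataclass

# Three-point ordinal scale shared by asset value, likelihood and impact (assumed).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    value: str   # qualitative asset value on SCALE
    owner: str   # role responsible for the asset (RA roles and responsibilities)


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str           # probability the risk occurs, on SCALE
    impact: str               # impact if it occurs, on SCALE
    safeguard: str
    residual_likelihood: str  # expected likelihood once the safeguard is in place
    residual_impact: str      # expected impact once the safeguard is in place


def rating(likelihood: str, impact: str) -> int:
    """Qualitative risk rating: likelihood x impact on the 3x3 matrix (1..9)."""
    return SCALE[likelihood] * SCALE[impact]


def level(score: int) -> str:
    """Map a matrix score to a risk level (thresholds assumed for the example)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(risks):
    """Rate every risk, decide whether its safeguard is useful, and rank by rating."""
    rows = []
    for r in risks:
        inherent = rating(r.likelihood, r.impact)
        residual = rating(r.residual_likelihood, r.residual_impact)
        rows.append({
            "asset": r.asset.name,
            "owner": r.asset.owner,
            "threat": r.threat,
            "inherent": inherent,
            "level": level(inherent),
            "residual": residual,
            "residual_level": level(residual),
            "safeguard": r.safeguard,
            # A safeguard is only useful if it actually lowers the rating.
            "useful": residual < inherent,
        })
    # Highest inherent rating first; ties broken by asset name.
    rows.sort(key=lambda row: (-row["inherent"], row["asset"]))
    return rows


def summary(rows):
    """Count risks per inherent level, for the RA schedule and reporting."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for row in rows:
        counts[row["level"]] += 1
    return counts


# Constructed sample input, following the Business Impact Analysis table.
WEBSITE = Asset("Customer website", "high", "Web team")
DATABASE = Asset("Sales/receivables database", "high", "Database administrator")
SUPPORT = Asset("Client support central", "medium", "Support manager")
PHONES = Asset("Telephone system", "low", "Facilities")

SAMPLE_RISKS = [
    Risk(WEBSITE, "Cross-site scripting against site users",
         "Unvalidated input reflected into pages", "high", "high",
         "Input validation, output encoding and regular XSS scans", "low", "high"),
    Risk(DATABASE, "Password captured by a key logger installed via clickjacking",
         "Users click untrusted advertisements", "medium", "high",
         "User awareness training and least privilege", "low", "high"),
    Risk(SUPPORT, "Link outage beyond the two-hour maximum acceptable outage",
         "Single network link", "low", "medium",
         "Dedicated link with a redundant backup path", "low", "low"),
    Risk(PHONES, "Phreaking of the telephone system",
         "No call monitoring", "low", "low",
         "None selected yet", "low", "low"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(f'{row["level"]:6} {row["inherent"]}->{row["residual"]} '
              f'useful={row["useful"]!s:5} {row["asset"]}: {row["threat"]}')
    print(summary(assess(SAMPLE_RISKS)))
```

The `useful` flag is the worksheet's answer to "identify the usefulness of a safeguard or control": a control that leaves the rating unchanged, such as the placeholder entry for the telephone system, is flagged so that the RA schedule can revisit it rather than record it as a mitigation.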
If you have any questions or need further explanation about the problem-solving suggestions presented in this proposal, please do not hesitate to contact us. It is our pleasure to clarify any doubts and to take any suggestions you may have to improve our work.
It has been our pleasure to work with your company on this RFP.
Respectfully,
Our Company.
IT Security Policy Framework/RFP Requirements Worksheet
The goal of Our Firm is to reach beyond a company's expectations to achieve the objective that becomes a common mark: securing the company's information system, having it work efficiently, and keeping the environment under the principles of confidentiality, integrity, and availability.
Below we present our answer to each RFP requirement:
RFP Requirements Worksheet
| RFP Requirement | Existing Control(s) |
|---|---|
| Must be in business for at least 5 consecutive years | Our firm was formed in 2002 and became a complete security service provider in 2006. |
| Must have at least one person who will be a primary participant in delivering products and services who holds a CISSP, CISM, or equivalent security certification. | We have eight persons assigned to work on this contract, in case we are awarded the RFP, with the following designations: five hold CISSP certifications, four hold CISM, four hold GIAC-GSEC, and six hold other GIAC certifications. |
| Cannot have any active managed security service provider contracts with any other agency of this state. | All of our contracts are with the Federal Government, other states, or private companies outside this state. Currently, we do not have any contracts in force within this state. |
| Must maintain at least one permanent office in this state. | Currently, we are operating in a temporary office. However, if we are awarded this RFP we will establish a permanent local office that is more convenient for our operation. |
| Sample recent report of Risk Assessment | This plan is one of the plans that is usually neglected by our clients, even under our strong recommendations. Our collaborators' resumes show their extensive experience with RA plans. |
| Sample recent report of Vulnerability Assessment | One of the most requested services in our contracts. |
| Sample recent report of Penetration Test | One of the most requested services in our contracts. |
| Sample recent report of Source Code Review | We had previous experience in this area; however, at this moment we do not have professionals to perform this task. We are carrying out a recruiting process to contract a professional to fit our team. |
| Sample recent report of Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) | These plans are usually neglected by our clients, even under our strong recommendations. Our collaborators' resumes show their extensive experience with BCP and DRP. |
As presented before, the Mitigation Plan, which is not included in the RFP requirements, is highly recommended by our team, because the Mitigation Plan is a way to change the culture of the company's employees, in addition to anticipating potential vulnerabilities, threats, risks, and attacks. In this way, this plan can avoid many threats and vulnerabilities caused by users' actions.
IT Security Compliance and Governance Gap Analysis Worksheet
In the last report, we identified a few gaps that need to be addressed in order for Our Firm to be prepared to work with this company on the project presented in the recent Request for Proposal. Below, we present a table with the description and the cost of closing these gaps, which will put Our Firm in a complete position to better serve this company in all its current and future needs for the security project according to the RFP.
Solutions to Solve Our Firm's Gap Issues and Cost
| Task Number | Task Description | Required Resources | Cost | Duration |
|---|---|---|---|---|
| 0001 | Establish local office | Rent a physical office, and pay monthly utilities. | 30,000.00 | 6 months |
| 0002 | Establish local office | Furnish office, purchase equipment, and so forth. | 30,000.00 | 2 weeks |
| 0003 | Establish local office and work tools | Create secure network, software, applications, security tools, and so forth. | 10,000.00 | 1 week |
| 0004 | Contract a professional to perform source code review | Perform recruiting process to contract a professional to fit our team. | 50,000.00 | 6 months |
| 0005 | Source code review report | Retrieve report from a contract 5 years old or later. | 1,000.00 | 2 weeks |
| TOTAL | | | 121,000.00 | |
For a contract period of six months, Our Firm will incur a cost of US$121,000.00 (one hundred twenty-one thousand dollars) to establish a local office, prepare the office with the equipment and tools necessary for the team to perform their work, and contract a new collaborator to perform the source code review tasks.
Benefits of Your Recommendations
To address the previously identified gaps more specifically, Our Firm describes below which domain each asset belongs to and the recommendations to be taken in order to have our IT infrastructure ready for our IT security operations.
Mitigation Recommendations to Address Identified Gaps

| Identified Gap (RFP Requirement) | Mitigation Recommendation | Domain (IT Infrastructure) |
|---|---|---|
| Establish a local office | Strategic location to access the client physically and logically; best cost/benefit for the company's accommodations | LAN-to-WAN Domain; LAN Domain |
| Establish a local office | Strategy to negotiate with a vendor able to supply all the equipment at a better market price, such as computers, servers, etc. | Workstation Domain; LAN Domain |
| Establish a local office and work tools | Create the office network and secure it, using equipment such as routers and firewalls; install a VPN connection with the client; install software, applications, and security tools | LAN-to-WAN Domain; Remote Access Domain; System/Application Domain |
| Contract a professional to perform source code review | Contract a professional recruiting agency and check the professional's references | User Domain |
| Source code review report | Research the clients' contracts to identify which clients we provided source code review services to in the past; retrieve the information from our labeled and dated backup system | LAN Domain |
In this report, we present a brief explanation of how to solve the issues that would place our company in a better position to participate in this Request for Proposal. As you can see, these are gaps where Our Firm will use its technical resources and capacity to solve the issues in a few days.
Privacy Data Security Gaps Worksheet
After working with several companies to address their need to comply with the law because they store Personally Identifiable Information (PII), Our Firm developed methods to analyze a system and verify whether it is compliant with the law. Usually, if the system is not compliant, it is not secure either. After our brief analysis, we present our report below. We would like to inform you that once we are working more closely, more details can be included in our report.
Privacy Data Security Gaps and the Importance of Mitigating Them

| Privacy Data Security Gap | Exposure Explanation | Mitigation Importance |
|---|---|---|
| Lack of usage policies | There is no guide on how to use the company's equipment and intellectual property, such as a database. | Prevents an employee from bringing a flash drive into the company and taking it out with confidential data on it. |
| Lack of employee education programs | The system users are not aware of the security needs and the dangers of the internet. | Prevents social engineering attacks, bad system usage, and so forth. |
| Lack of a DMZ | The real servers and systems are on the attack front. | Creates a fake front for the attackers, giving the IT team time to avoid, mitigate, or accept the attack according to its impact on the system. |
| Lack of passwords to access stored PII data | Anyone with access to the network is able to access the clients' personal information stored in the company's database. | The law regulates that PII can be released only with the person's authorization. The company can be punished if the clients' information is leaked and it is proved that there was a lack of security on the company's end. |
| Lack of encryption on the data stored, on the backup data, and on data transmitted | If the network is invaded and the data is not encrypted, the attackers will have easy access to the clients' information. | If the data is encrypted, even if it is stolen it can take several years to be decrypted; most of the time the attackers have no interest in encrypted data. |
| Everyone has access to the clients' database | Loss of control over database access. | The database must be monitored and controlled, limiting access only to those who really need to work with the information. |
| The users share their passwords with each other | It prevents password monitoring and control, and makes it impossible to apply the policy of responsibility for actions. | Helps to monitor the users' activity on the system. |
| Lack of monitoring and network tests | It is difficult to follow and check strange behavior on the network and to verify vulnerabilities on the network. | Find and stop attacks as soon as they happen, and find vulnerabilities before the attackers find them. |
Clients' information is precious to a company. It is the reason hackers around the world have been going after the databases of several big corporations, which always think it is not going to happen to them. The size of the company does not matter; what matters is that every company has human beings working for it, and companies neglect the fact that the human being is the weakest link in the security chain, even a big corporation with millions of dollars to spend on security.
Mitigate Identified Privacy Data Security Gaps Worksheet
In this phase of the Request for Proposal (RFP), Our Firm presents in this report actions that are fundamental for the success of this project. However, these procedures are not implemented in this company's operational routine. In addition, these services are not included as contracted services in the RFP. For this reason, we have included them in our Privacy Data Security Gap Worksheet.
Security Gaps in Data Security, Mitigation Suggestions, and Suggestions to Include These Services in the RFP: Explanatory Worksheet with Project Cost

| Task Number | Task Description | Required Resources | Cost | Duration |
|---|---|---|---|---|
| 0001 | Lack of usage policies | Our professional expertise in creating policies | $5,940.00 | 1 week |
| 0002 | Lack of employee educational programs | Our up-to-date training material on social engineering and other cloud dangers; company's policies training material; location for employee training; 4 days of availability of the crew | $23,760.00 for training material and professional fees | 1 week to prepare the training; 4 weeks to train the crew, training 25% of the employees per week |
| 0003 | Lack of a DMZ | Our professional expertise in setting up networks; 2 firewalls; 1 switch; server: web, DNS, proxy, VPN; RAID 10; backup system; UPS units (no-breaks), cables, and other equipment | $5,261.80 for the equipment; $3,240.00 for professional fees | 3 days |
| 0004 | Lack of passwords to access stored PII data | Our professional expertise in securing private databases; list with a profile of the employees allowed to access the clients' personal information database; biometric fingerprint reader | $2,160.00 professional fees to profile the employees allowed to access the database and create the list; $80.00 for the equipment | 2 days |
| 0005 | Lack of encryption on the data stored, on the backup data, and on data transmitted | Our professional expertise in encryption; plan for encryption; designing and training a team responsible for encrypting and decrypting the company's information | $11,880.00 | 2 weeks |
| 0006 | Everyone has access to the clients' database | Our professional expertise in Active Directory OU Group Policies (the client uses Windows Server); plan the company domain and OUs; design users' policies; Active Directory OU GP | $4,320.00 | 4 days |
| 0007 | The users share their passwords with each other | Our professional expertise in training employees in information system security | Included in the training program | |
| TOTAL | | | $56,641.80 | 5 weeks |
From this table and the previous table that we sent to this company, you can see the importance of implementing these measures in order to mitigate risks and threats to your information system.
Privacy Data Security Gap Mitigation Recommendations Worksheet
In privacy data security matters, this company did not present detailed requirements in the Request for Proposal. However, we were able to find this company's concern for data privacy in Item A.10.a, page 16 of the contract. For this reason, as part of the security project, data privacy security cannot be neglected. Thus, below we present a summary of our ideas to protect the clients' private information:
Mitigation Control Recommendations for Privacy Data Security Gaps

| Privacy Data Security Gap | Mitigation Control | Addresses RFP Requirement |
|---|---|---|
| Lack of usage policies | Creation of security policies: equipment and system usage policies, security policies, AD policies, and so forth. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
| Lack of employee educational programs | Extensive training of all personnel in security policies. Ensure that the employees understand the importance of equipment and system usage policies and responsibility-for-action policies, the importance of avoiding social engineering, and the dangers of the cloud. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
| Lack of a DMZ | Create a fake front for the attackers, giving the IT team time to avoid, mitigate, or accept the attack according to its impact on the system. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
| Lack of passwords to access stored PII data | Restrict access to the clients' personal information only to the personnel who really need it to accomplish their day-to-day work. To access the database, a personal password is necessary. The clients' database must be accessed through a password and a fingerprint reader. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
| Lack of encryption on the data stored, on the backup data, and on data transmitted | The clients' personal information must be stored, transmitted, and backed up only in encrypted form. If the data is intercepted or stolen, it will be protected against reading. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
| Everyone has access to the clients' database | Restrict access to the clients' personal information by implementing Active Directory OU Group Policy. Through this system, it is possible to improve security controls for the network and the users. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
| The users share their passwords with each other | This must be eliminated and tracked through the new system and monitoring. The employees will be advised that this behavior will no longer be accepted. | Special data handling, such as confidentiality (Item A.10.a of the contract). |
With this project, our goal is to avoid leakage of clients' information. When we educate the employees and eliminate their chances of breaching the system, we transform the weakest link of the chain into a stronger link. Consequently, the whole system will be stronger.
Project Plan - Security Assessment Worksheet
In this phase of the Request for Proposal (RFP), we performed the security assessment and provided suggestions to mitigate the vulnerabilities. As suggested in the RFP, our only focus was on the Workstation and System/Application Domains.
Security Assessment and Mitigation Plan for the Workstation and System/Application Domains, Including Project Cost
| Task Number | Task Description | Required Resources | Cost | Duration |
|---|---|---|---|---|
| **Workstation Domain** | | | | |
| 0001 | Create company's security policies: equipment and system usage, AD OU GP, internet security policies, password policies, email policies, and so forth | Our professional expertise in creating policies | $5,940.00 | 1 week |
| 0002 | Personnel training: knowledge of the company's security policies and of the hazards of social engineering and other internet threats to the company's system. | Our professional expertise in social engineering and internet attacks | $5,940.00 | 1 week (not including the training time) |
| 0004 | Install antivirus software on all workstations. Set the configuration for automatic updating and scanning, and set up passwords to prevent changes. | Our professional expertise in workstation protection; Kaspersky Total Security for Business (calculation is per workstation) | $60.00; $85.54 (per 3-year license) | 2 hours per workstation |
| 0005 | Verify the patches for the operating system, software, and applications. Set to automatically update. | Our professional expertise in system updates and breaches; license for system, OS, applications, and so forth (calculation is per workstation) | $135 (we will find out if some licensing needs payment renewals) | 2 hours + per workstation |
| 0006 | Set up access control plan, defining users' privileges to access system and database information | Our professional expertise in access control; create a layered access control | $5,940.00 | 1 week |
| 0007 | Set up Active Directory and Organizational Unit Group Policies. Assign users to the OUs according to their functions | Our professional expertise in setting up Active Directory, OUs and their policies; company's organization structure and employees' functions | $11,880.00 | 3 weeks |
| 0008 | Set up control to monitor the users' activities | Our professional expertise in monitoring network activities; software to monitor user activities, such as workstation logins, websites requested, system activity, and so forth | $1,080.00 | 1 day |
| **System/Application Domain** | | | | |
| 0001 | Verify in the system all the operating systems, software, applications, antivirus, and so forth that do not have their patches up to date. Properly install the newest released patches and set up automatic checking that notifies the network administrator when a new patch is available. | Our professional expertise in server and database system updates and breaches; license for system, OS, applications, and so forth | $675.00 (per machine) | 5 hours + |
| 0002 | Set up a schedule for the backup system. Synchronize the workstation backup and server backup. Implement full and incremental backups. Also implement local and online backups, and store the tapes outside the company's local domain. | Our professional expertise in backup systems and monitoring log files; backup magnetic tape system; plan to store the tapes outside the company's local domain; online backup system | $5,940.00; $1,692.00; $50.00 (monthly for backup tape storage); $99.00 (monthly) | 1 week |
| 0003 | Implement a redundancy system to guarantee speed and availability for the company system | Our professional expertise in RAID 10 systems; required set of hard drives for the DMZ area; set of hard drives for the main server; cables, plugs, and other tools and equipment | $4,320.00; $318.00; $318.00; $100.00 | 4 days |
| 0004 | Implement the principle of least privilege for access to the company systems as part of the access control plan | Our professional expertise in security policies | | Working throughout this plan's implementation |
| 0005 | Implement encryption for the backup system and the clients' database | Our professional expertise in system encryption and decryption | $4,320.00 | 4 days |
| 0006 | Implement a password to access the clients' personal information database; it is part of the access control plan | Our professional expertise in securing private databases; using techniques to profile the employees allowed to access the clients' personal information database; biometric fingerprint reader | $2,160.00; $80.00 | 2 days |
Usually, when we are hands-on, we always find several minor details that need to be addressed.
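As an added illustration of the backup schedule in task 0002 above (not code from the proposal), the following Python model runs daily incremental and weekend full backups onto weekly tapes and shows which jobs and which off-site tapes a restore needs; the Saturday full-backup day, the file names and the dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

SATURDAY = 5  # date.weekday(): Monday is 0, Sunday is 6


@dataclass
class BackupJob:
    day: date
    kind: str        # "full" or "incremental"
    tape: str        # weekly tape the job was written to
    files: dict = field(default_factory=dict)   # file name -> version captured


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def schedule_kind(day) -> str:
    """Weekend full backup (Saturday, assumed here), daily incremental otherwise."""
    return "full" if _as_date(day).weekday() == SATURDAY else "incremental"


def tape_for(day) -> str:
    """One tape per ISO week: the tape is exchanged and sent off site weekly."""
    year, week, _ = _as_date(day).isocalendar()
    return f"TAPE-{year}-W{week:02d}"


def run_backups(start, days: int, changes: dict) -> list:
    """Simulate `days` consecutive daily backup jobs.

    `changes` maps an ISO date string to {file: version} edits made that day.
    A full job captures every file on the share; an incremental job captures
    only the files changed since the previous job (full or incremental).
    """
    live, pending, jobs = {}, {}, []
    for i in range(days):
        day = _as_date(start) + timedelta(days=i)
        for name, version in changes.get(day.isoformat(), {}).items():
            live[name] = version
            pending[name] = version
        kind = schedule_kind(day)
        captured = dict(live) if kind == "full" else dict(pending)
        jobs.append(BackupJob(day, kind, tape_for(day), captured))
        pending = {}
    return jobs


def restore_chain(jobs: list, target) -> list:
    """Jobs needed to rebuild the share as of `target`: the most recent full
    backup on or before that day, then every incremental after it."""
    target = _as_date(target)
    upto = [j for j in jobs if j.day <= target]
    fulls = [i for i, j in enumerate(upto) if j.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before target: restore impossible")
    return upto[fulls[-1]:]


def restore(jobs: list, target) -> dict:
    """Replay the chain in order; a later capture overwrites an earlier one."""
    state = {}
    for job in restore_chain(jobs, target):
        state.update(job.files)
    return state


def tapes_required(jobs: list, target) -> list:
    """Distinct tapes that must be brought back from off-site storage."""
    seen = []
    for job in restore_chain(jobs, target):
        if job.tape not in seen:
            seen.append(job.tape)
    return seen


# Constructed sample: two files edited over two weeks, starting on a Saturday
# so that the very first job is the full backup the plan calls for.
SAMPLE_START = "2015-09-05"
SAMPLE_CHANGES = {
    "2015-09-05": {"clients.db": 1, "usage-policy.doc": 1},
    "2015-09-07": {"clients.db": 2},
    "2015-09-09": {"usage-policy.doc": 2},
    "2015-09-12": {"clients.db": 3},
    "2015-09-14": {"clients.db": 4},
}

if __name__ == "__main__":
    jobs = run_backups(SAMPLE_START, 14, SAMPLE_CHANGES)
    for j in jobs:
        print(j.day, j.kind, j.tape, j.files)
    chain = restore_chain(jobs, "2015-09-14")
    print("restore of 2015-09-14 needs", [j.day.isoformat() for j in chain])
    print("tapes to recall:", tapes_required(jobs, "2015-09-14"))
    print("restored state:", restore(jobs, "2015-09-14"))
```

Without the first full backup the chain cannot be built at all, which is why the plan performs and verifies a full backup before the incremental cycle starts.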
Procedure to Conduct a Security Assessment and Risk Identification
When developing the plan of action, we are able to join activities from both the Workstation and System/Application Domains. This is important because we can gain time and productivity by joining activities together without losing quality, while at the same time gaining strength in our security plan. Below, we present the steps, explanations, and actions to develop the security program for the Workstation and System/Application Domains:
Security Program: Plan of Action for the Risk Mitigation Plan for the Workstation and System/Application Domains
| Procedure Step | Explanation | Action |
|---|---|---|
| Creation of security policies | Security policies are guidance for all system users, giving them direction to proceed under the security rules. Our professionals use the company's organizational structure and employee manual of functions and procedures to determine the profile of the company, OUs, employees, vendors, clients, and so forth. Determine the risk and attacker profile. | Using our expertise to analyze information, behavior, documentation, and so forth, to define the profile that will be used as a basis to create the company security policies. Our professionals have several years of experience, and through the profile analysis it is possible to create the necessary policies, such as email policies, device and system usage policies, password policies, AD OU GP policies, and so forth. |
| Personnel training: knowledge of the company's security policies and of the dangers of social engineering and other internet threats | It is essential to train the employees on the company's policies and on the hazards of social engineering attacks. Policies are only good if they are enforced. We have professionals with updated information about the new dangers in the cloud world, who have experience in training and engaging employees for the security cause. | The crew training process must reach 100%. 25% of the personnel will be trained per week, and the training will last 4 days for each group. At the end, the responsibility for action will be presented, where each employee is responsible for their actions in the system. For this reason, they must not share their passwords. |
| Installation of antivirus on all workstations | It is necessary for local and network protection, because each workstation is connected to the internet. Thus, if one is infected, the antivirus can detect the problem and prevent other workstations on the network from being infected as well. Acquiring a business license, the price is much smaller than for regular clients. | Download the software onto flash drives and install it on several computers at the same time. This operation can be done outside business hours. Configure automatic updates, daily quick scans, and weekend full scans. Set up administrative passwords; the configuration cannot be accessed by common users. |
| Verify patches | If there are bugs in a system that cause security breaches, as soon as the party responsible for the system is aware of them, they will fix them and release patches for the bugs. Clients that do not install the patches will be vulnerable because of the security breaches. It is important to keep updates and patches up to date. | Run tools to verify whether the system, software, applications, and so forth are up to date. |
| Set up layered access control plan | Every system must have access control to define the user privilege level for each system, database, application, and so forth. It helps to protect access to the information and to classify the company's information. If the information is classified as private, such as clients' medical information, we should handle it with more care and make access to it more difficult. Access to the database of the clients' private information must be through a personal password that is changed every 45 days. Physical access to the database depends on the password and the registered fingerprint. To access the company datacenter, it is necessary to have the biometric credentials for the locked room. | Apply encryption to the database, the backup stored data, and communication through VPN. Install biometric readers for the server system and database. Install biometric readers for the datacenter locked room. Install passwords for the server according to the company and employee profiles created at the beginning of our project. |
| Set up Active Directory and Organizational Unit Group Policies | It is important to facilitate the implementation of policies throughout the network by setting up the policies on the OUs and assigning the users to the OUs; it is not necessary to assign policies to users one by one. It is easier to monitor the users' activities. In this process, it is fundamental to have the company's HR approve the project before it is implemented. | Install Active Directory on the Windows Server. Using the company and employee profiles, create the OUs and their policies. After this, assign the users according to their functions in the company. |
| Set control to monitor the network activity | It is important to monitor the network activity to be able to detect strange behavior that can lead to an attack. We use tools known as intrusion detection systems. | Install tools to monitor the network, such as Wireshark. |
| Set up a scheduled backup system | Backup is fundamental for any business, and mandatory for businesses that must deal with compliance law. For this reason we will deal with 2 types of backups: physical and online. Backup on magnetic tape is still the most efficient method of backup. The tape must be stored outside the company's local domain. Use a reputable online backup system. | Schedule the daily incremental backup and the weekend full backup. Perform the first full backup, take out the tape, check its integrity, and store it in outside storage. The tapes will be exchanged every week. Set up the online backup with different times and the same method as the physical backup. |
| Implement redundancy system RAID 10 for the main servers | The RAID 10 system is important in case a hard drive has a problem: the redundant hard drive set is able to automatically take its place and keep the system functioning normally. If all the hard drives are working normally, the system will be able to work basically 2 times faster, because its functions are divided by 2. | Install a set of 4 hard drives on each server that needs speed and redundancy according to the project. |
We have presented a summary of our action plan; many other details can be found and explored in depth during the execution of the work.
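The following Python model, added here and not part of the proposal, represents the four-drive RAID 10 set from the last step as two mirrored pairs with blocks striped across them, so the failure, rebuild and capacity behaviour the explanation claims can be checked; the drive count and block contents are constructed.

```python
class Raid10:
    """Stripe of mirrors: drives are paired, each pair holds identical copies,
    and consecutive blocks alternate between the pairs."""

    def __init__(self, drives: int = 4):
        if drives < 4 or drives % 2:
            raise ValueError("RAID 10 needs an even number of drives, at least 4")
        self.pairs = [(i, i + 1) for i in range(0, drives, 2)]
        self.disks = [dict() for _ in range(drives)]   # block number -> data
        self.failed = set()

    def pair_for(self, block: int) -> tuple:
        """Striping: block n lives on pair n mod (number of pairs)."""
        return self.pairs[block % len(self.pairs)]

    def pair_of_drive(self, drive: int) -> tuple:
        return next(p for p in self.pairs if drive in p)

    def stripe_width(self) -> int:
        """Pairs that serve requests in parallel: 2 for four drives, which is
        the "about two times faster" in the explanation."""
        return len(self.pairs)

    def usable_capacity(self, drive_gb: int) -> int:
        """Mirroring halves the raw capacity."""
        return drive_gb * len(self.pairs)

    def write(self, block: int, data: str) -> None:
        for d in self.pair_for(block):
            if d not in self.failed:            # a failed member is skipped;
                self.disks[d][block] = data     # the survivor keeps serving

    def read(self, block: int) -> str:
        for d in self.pair_for(block):
            if d not in self.failed and block in self.disks[d]:
                return self.disks[d][block]
        raise IOError(f"block {block}: both members of pair {self.pair_for(block)} are gone")

    def fail(self, drive: int) -> None:
        self.failed.add(drive)

    def healthy(self) -> bool:
        """The array survives while every mirror pair keeps one live member;
        two failures in the same pair lose data."""
        return all(any(d not in self.failed for d in p) for p in self.pairs)

    def replace(self, drive: int) -> None:
        """Swap in a new drive and rebuild it from its mirror partner."""
        partner = next(d for d in self.pair_of_drive(drive) if d != drive)
        if partner in self.failed:
            raise IOError(f"drive {partner} also failed: nothing to rebuild from")
        self.failed.discard(drive)
        self.disks[drive] = dict(self.disks[partner])


if __name__ == "__main__":
    array = Raid10(4)
    for b in range(8):
        array.write(b, f"block-{b}")          # constructed sample data
    array.fail(0)
    print("one drive lost, still healthy:", array.healthy(), array.read(0))
    array.fail(2)
    print("one drive per pair lost, still healthy:", array.healthy())
    array.replace(0)
    array.fail(3)
    print("both members of pair (2, 3) lost:", array.healthy())
```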
Risk Assessment Project Plan Definition
In the risk assessment process, it was necessary to use a qualitative approach, because we are not dealing with just quantities: we need expertise to evaluate the assets according to their function within the organization, and these values are relative. The value of the systems, software, devices, and processes will vary according to their participation in the main activities.
Basically, a qualitative risk assessment depends on report analysis, penetration tests, professional expertise and experience, and field observation to determine the value that each IT asset has in the company's entire system. The vulnerability tests also help to identify the weak points of the system and the possible threats and risks. Using all this information, it is possible to anticipate the impact that an attack would cause to the system and to allow the response team to be prepared with the right response: avoidance, mitigation, or even acceptance of the risk, if it is not worth spending time and expertise on an attack that will not cause damage to the system.
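Added example, not the proposal's own method: a Python risk register that applies the qualitative approach just described, rating asset value, likelihood, impact and safeguard usefulness on a low/medium/high scale and choosing avoidance, mitigation or acceptance; the combination rule, the thresholds and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal scale, not money


@dataclass
class RiskEntry:
    asset: str
    threat: str
    asset_value: str            # business value of the asset (expertise-based)
    likelihood: str             # probability that the risk will occur
    impact: str                 # impact if it does
    safeguard: str              # proposed control
    safeguard_usefulness: str   # how much the control reduces the risk


def risk_score(entry: RiskEntry) -> int:
    """Ordinal product likelihood x impact x asset value (1..27); weighting
    by asset value is the constructed rule used in this example."""
    return (LEVELS[entry.likelihood] * LEVELS[entry.impact]
            * LEVELS[entry.asset_value])


def risk_level(score: int) -> str:
    if score >= 12:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def response(entry: RiskEntry) -> str:
    """Accept a low risk (not worth time and expertise); mitigate when the
    safeguard is at least as strong as the risk level; otherwise avoid the
    exposure, because the control would not bring the risk down enough."""
    level = risk_level(risk_score(entry))
    if level == "low":
        return "accept"
    if LEVELS[entry.safeguard_usefulness] >= LEVELS[level]:
        return "mitigate"
    return "avoid"


def prioritize(entries):
    """Highest score first: the order in which the response team works."""
    return sorted(entries, key=risk_score, reverse=True)


# Constructed register built from the gaps named elsewhere in this proposal.
REGISTER = [
    RiskEntry("clients' PII database", "data theft through shared passwords",
              "high", "high", "high",
              "AD OU policies, personal password plus fingerprint", "high"),
    RiskEntry("workstations", "malware picked up while browsing",
              "medium", "high", "medium",
              "antivirus with automatic updates and scans", "high"),
    RiskEntry("backup tapes", "tape lost in transit to off-site storage",
              "high", "low", "high", "encrypt backup data", "high"),
    RiskEntry("unpatched legacy server", "exploitation of a known bug",
              "high", "high", "high",
              "vendor no longer issues patches", "low"),
    RiskEntry("public marketing page", "defacement",
              "low", "medium", "low", "restore from backup", "medium"),
]

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        s = risk_score(e)
        print(f"{s:2d} {risk_level(s):6s} {response(e):8s} {e.asset}: {e.threat}")
```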
Below, we present our qualitative risk assessment plan:
Qualitative Risk Assessment Analysis and Project Cost

| Task Number | Task Description | Required Resources | Cost | Duration |
|---|---|---|---|---|
| 0001 | Create company's security policies: equipment and system usage, internet security policies, password policies, email policies, and so forth. | Expertise to identify the IT assets and their business value to the organization; expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $11,880.00 | 2 weeks (to evaluate the whole company's IT assets) |
| 0002 | Personnel training: knowledge of the company's security policies and of the dangers of social engineering and other internet threats. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0003 | Install antivirus software on all workstations. Set the configuration for automatic updating and scanning, and set up passwords to prevent changes. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0004 | Verify the patches for the operating system, software, and applications. Set to automatically update. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0005 | Set up access control plan, defining users' privileges to access system and database information. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0006 | Set up Active Directory and Organizational Unit Group Policies. Assign users to the OUs according to their functions. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0007 | Set control to monitor the network activity. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0008 | Set up a scheduled backup system. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| 0009 | Implement redundancy system RAID 10 for the main servers. | Expertise to identify threats and vulnerabilities to the IT assets; expertise to identify the probability that the risk will occur; expertise to identify the impact of a risk; expertise to identify the usefulness of a safeguard or control | $3,240.00 | 3 days |
| TOTAL | | | $37,800.00 | |
Data Security Mitigation Actions Based on Qualitative Risk Assessment
In this stage, we propose countermeasures to mitigate or avoid the identified risks and vulnerabilities. When a new risk and/or vulnerability is identified, it needs to be analyzed, and risk mitigation or avoidance strategies need to be created and included in the plan.
Below we provide recommendations to protect the system:
Proposed Mitigation Plan Based on the Qualitative Risk Assessment
Procedure Step Explanation Action
Create Company's
Security Policies:
equipment and system
usage, internet security
policies, password
policies, email policies,
and so forth.
Security policies are a guidance for all
system users, in order to give them
direction to proceed under the security
rules.
Our professionals use the company's
organizational structure and employee
manual of functions and procedures to
determine the company, OU,
employees, vendors, clients, and so
forth, profile.
Determine risk and attackers profile
Use the risk assessment
information to determine
the security policies
Use risks and
vulnerabilities information
according to the RA plan.
Using our expertise to
analyze information, RA
reports, behavior,
documentation, and so
forth, to define the profile
that would be used as a
basis to create the
company security policies
Personnel Training:
Knowledge in the
company's security
policies and on the
dangers of social
engineering and other
internet threats.
It is essential to train the employees on
the company's policies and hazards of
the social engineering attacks. Policies
are only good if they are enforced.
We have professionals with updated
information about the new dangers in
the cloud world, that have experience in
training and engage employees for the
security cause.
The RA presents a report that more than
70% of the employees are not aware of
Using the risk assessment
report, we can verify the
personnel that need to be
trained first, and need to
have follow up training,
such as recycling,
unscheduled tests, and so
forth.
43. Request for Proposals 43
the company's security policies. In
addition, more than 85% of the
employees do not understand the
hazards of Social Engineering to a
computer system.
Install Antivirus software
on all workstations. Set
the configuration for
automatic updating and
scanning, and setup
passwords to avoid
changes.
It is necessary for the local and the
network protection, because each wks is
connected to the internet. Thus, if it is
infected, the Antivirus can detect the
problem and avoid others wks on the
network from being infected, also.
Acquiring a business license, the price is
much smaller than for regular clients.
It is a preventive action, that in a general
way, is acceptable as a countermeasure
that is worth it to avoid the unknown
risks impact.
Download the software
on flash drives and
install on several
computers at the same
time. This operation can
be done outside of the
regular business hours.
Configure for automatic
updates, dally quick
scans, and weekend full
scans.
Set up administrative
passwords. It cannot be
accessed by the common
users.
Verify the patches for the
operating system,
software, and
applications. Set to
automatically update.
If there are bugs in a system, that cause
security breaches. As soon as the
responsible party for the system are
aware of it, they will fix it and launch
patches to fix the bugs. The clients that
do not install the patches will be
vulnerable because of the security
breaches. It is important to have
updates and patches up to date.
During the RA we are able to find and
report all the systems, applications,
software, and so forth that need
upgrades, updates, and patches
actualizations.
Using the RA report, we
can verify what
actualizations are
necessary and using the
weeks to actualize the
system. Having a backup
on hand if something goes
wrong.
After the process,
troubleshooting the
system again to verify if
there is more actualization
that needs to be done.
Task: Set up an access control plan, defining users' privileges to access system and database information.
Explanation: Every system must have access control to define the user privilege level for each system, database, application, and so forth. It helps protect access to the information and classify the company's information. If the information is classified as private, such as clients' medical information, we should handle it with more care and make access to it more restricted. Access to the database of clients' private information must be through a personal password that is changed every 45 days. Physical access to the database depends on the password and the registered fingerprint. To access the company datacenter, biometric credentials are required to enter the locked room.
Action: Using the RA report, we are able to find which IT assets are most valuable to the company, such as information, systems, employee functions, and so forth. Based on this information, we are able to plan the access control and set the access privileges according to the importance of each asset and the role that each user plays in the company's system. The more valuable the information, the more restricted the access and the more credentials users need to reach it. This makes access by unauthorized users more difficult in case of an attack.
Task: Set up Active Directory and Organizational Unit Group Policies. Assign users to the OUs according to their functions.
Explanation: Even if I have the RA reports and am able to take action to mitigate risk and improve the security of my system, if I am not able to organize my crew, at some point my efforts will be lost. It is important to facilitate the implementation of policies throughout the network: by setting up the policies on the OU and assigning the users to the OU, it is not necessary to assign policies to users one by one. It is also easier to monitor the users' activities. In this process, it is fundamental to have the company's HR approve the project before it is implemented.
Action: Use the RA report to help define the privileges for the users in the OU Group Policies. Install Active Directory on the Windows Server. Using the company and employee profiles, create the OUs and their policies. After this, assign the users according to their functions in the company.
Task: Set up controls to monitor the network activity.
Explanation: By analyzing the RA report, we are able to know which systems are most important and need more attention during the network monitoring process. It is important to monitor the network activity to be able to detect strange behavior that can lead to an attack. We utilize tools known as intrusion detection systems.
Action: Install tools to monitor the network, such as Wireshark.
Task: Set up a scheduled backup system.
Explanation: Information is one of the most valuable assets of a business, and the business cannot afford to lose it. This is one of the reasons that backup is so important. Backup is fundamental for any business, and mandatory for businesses that must deal with compliance law. For this reason we will deal with two types of backups: physical and online. Backup on magnetic tape is still the most efficient method of backup. The tape must be stored outside of the company's local domain. Use a reputable online backup system.
Action: Schedule the daily incremental backup and the weekend full backup. Perform the first full backup, take out the tape, check its integrity, and store it in outside storage. The tapes will be exchanged every week. Set up the online backup at different times, using the same method as the physical backup.
Task: Implement a RAID 10 redundancy system on the main servers.
Explanation: By using the RA report we can identify which systems, for the sake of the business, need to be on 24/7 and cannot afford a breakdown. The RAID 10 system is important in case a hard drive has a problem: the hard drive redundancy automatically takes over and keeps the system functioning normally. If all the hard drives are working normally, the system will be able to work roughly twice as fast, because its work is divided between two drives.
Action: Install a set of 4 hard drives on each server that needs speed and redundancy according to the project.
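The redundancy and speed claims in the RAID 10 task above, as an added illustration that is not code from this proposal: a small Python model of the four-drive array the task specifies, two mirrored pairs with the data striped across them, showing which drive losses the array survives and how a degraded array keeps serving with fewer drives. The drives are in-memory stand-ins, not real block devices.

```python
"""RAID 10 model: four drives arranged as two mirrored pairs (RAID 1) with the
data striped across the pairs (RAID 0). Added illustration for the RAID 10
task above, not code from the proposal; the drives are in-memory stand-ins,
not real block devices."""
from itertools import combinations

UNIT = 4  # bytes per stripe unit (constructed; real arrays use far larger units)


class Raid10:
    """Drives 2k and 2k+1 form mirror pair k; stripe unit n lives on pair n % pairs."""

    def __init__(self, drives: int = 4):
        if drives < 4 or drives % 2:
            raise ValueError("RAID 10 needs an even number of drives, at least 4")
        self.pairs = [(d, d + 1) for d in range(0, drives, 2)]
        self.disks = [{} for _ in range(drives)]  # unit index -> bytes
        self.failed = set()
        self.units = 0

    def write(self, data: bytes) -> None:
        chunks = [data[i:i + UNIT] for i in range(0, len(data), UNIT)]
        for n, chunk in enumerate(chunks):
            pair = self.pairs[n % len(self.pairs)]  # striping layer
            for d in pair:                          # mirroring layer
                if d not in self.failed:
                    self.disks[d][n] = chunk
        self.units = len(chunks)

    def fail(self, *drives: int) -> None:
        """Simulate drive loss; the data on those drives is no longer readable."""
        self.failed.update(drives)

    def read(self) -> bytes:
        """Reassemble the data, taking each unit from any surviving mirror."""
        out = []
        for n in range(self.units):
            pair = self.pairs[n % len(self.pairs)]
            alive = [d for d in pair if d not in self.failed]
            if not alive:
                raise IOError(f"unit {n}: both drives of mirror pair {pair} failed")
            out.append(self.disks[alive[0]][n])
        return b"".join(out)

    def serving_drives(self) -> int:
        """Drives still able to serve reads: the healthy array spreads reads over
        all of them; a degraded array keeps working with fewer (slower, not down)."""
        return len(self.disks) - len(self.failed)


SAMPLE = bytes(range(64))  # constructed payload: 16 stripe units of 4 bytes


def survives(failed: tuple, drives: int = 4) -> bool:
    """True if the array still returns every byte after losing `failed` drives."""
    array = Raid10(drives)
    array.write(SAMPLE)
    array.fail(*failed)
    try:
        return array.read() == SAMPLE
    except IOError:
        return False


def two_drive_failures(drives: int = 4) -> dict:
    """Every two-drive loss combination mapped to whether the data survives:
    RAID 10 tolerates one failure per mirror pair, not two in the same pair."""
    return {combo: survives(combo, drives) for combo in combinations(range(drives), 2)}


if __name__ == "__main__":
    for combo, ok in two_drive_failures().items():
        print(combo, "data intact" if ok else "DATA LOST: both drives of one mirror pair")
```

The "twice as fast" figure in the task corresponds to the two pairs working in parallel; the model shows the other side of that coin, that the array tolerates any single drive loss but not both drives of the same pair.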
Risk Prioritization and Mitigation Project Plan Definition
In this stage of the project, our goal is to prioritize the tasks in order to first eliminate the vulnerabilities that may produce a high level of impact if an attack occurred. According to the RA report, at this moment the system users represent a high-level vulnerability to the system. This is because of their lack of knowledge of system security, and the lack of system access control, password policies, data privacy classifications, and so on. According to our analysis of the RA reports, we organized our mitigation project plan to be executed according to priority, with high-priority tasks at the top of the list and low-priority tasks at the bottom. Below, we present our Mitigation Project Plan, from high to low priority:
Risk Mitigation by Risk Priority and Project Cost
(Columns: Task Number, Task Description, Required Resources, Cost, Duration)
Task 0001: Create the company's security policies: equipment and system usage, internet security policies, password policies, email policies, and so forth.
  Required Resources: Our professional expertise in creating policies.
  Cost: $5,940.00
  Duration: 1 week
Task 0002: Personnel training: knowledge of the company's security policies and of the dangers of social engineering and other internet threats.
  Required Resources: Our professional expertise in social engineering and internet attacks.
  Cost: $5,940.00
  Duration: 1 week (to prepare training); 4 weeks (to train all personnel, 25% of the crew per group)
Task 0003: Set up Active Directory and Organizational Unit Group Policies. Assign users to the OUs according to their functions.
  Required Resources: Our professional expertise in setting up Active Directory, OUs and their policies; the company's organizational structure and the employees' assigned functions.
  Cost: $11,880.00
  Duration: 3 weeks
Task 0004: Set up an access control plan, defining users' privileges to access system and database information.
  Required Resources: Our professional expertise in access control; create a layered access control: passwords, encryption, biometric reader system, and so forth.
  Cost: $5,940.00
  Duration: 1 week
Task 0005: Verify patches for the operating system, software, and applications. Set them to update automatically.
  Required Resources: Our professional expertise in server and database system updates and breaches; licenses for the system, OS, applications, and so forth.
  Cost: $135.00 (per machine)
  Duration: 2 hours or more per machine
Task 0006: Install antivirus software on all workstations. Configure automatic updating and scanning, and set up passwords to prevent changes.
  Required Resources: Our professional expertise in workstation protection; Kaspersky Total Security for Business (calculated per workstation).
  Cost: $60.00; $85.54 (per 3-year license)
  Duration: 2 hours per machine
Task 0007: Set up a scheduled backup system.
  Required Resources: Our professional expertise in backup systems and monitoring log files; backup magnetic tape system; plan to store the tape outside the company's local domain; online backup system.
  Cost: $5,940.00 (expertise); $1,692.00 (tape system); $50.00 (monthly for backup tape storage); $99.00 (monthly, online backup)
  Duration: 1 week
Task 0008: Implement a RAID 10 redundancy system on the main servers.
  Required Resources: Our professional expertise in RAID 10 systems; a set of hard drives for the DMZ area; a set of hard drives for the main server; cables, plugs, and other tools and equipment.
  Cost: $4,320.00 (expertise); $318.00 (DMZ drives); $318.00 (main server drives); $100.00 (cables and other equipment)
  Duration: 4 days
Task 0009: Set up controls to monitor the network activity.
  Required Resources: Our professional expertise in monitoring network activities; software to monitor user activities, such as workstation logins, websites requested, system activity, and so forth.
  Cost: $1,080.00
  Duration: 1 day
Risk Mitigation Actions Based on Qualitative Risk Assessment's Risk Prioritization
This report presents the information given earlier, expanded with the risk mitigation documentation plan. We recognize the importance of documentation in security processes. For this reason, after obtaining the final result, we document, summarize, and standardize procedures for our own work and for anyone else performing work on this network in the future.
Explanation of Why the Countermeasure is a Priority, How to Achieve the Best Results, and How to Document Actions and Results
(Columns: Procedure Step, Explanation, Action)
Procedure Step: Create the company's security policies: equipment and system usage, internet security policies, password policies, email policies, and so forth.
Explanation: Security policies are guidance for all system users, giving them direction to proceed under the security rules. Our professionals use the company's organizational structure and the employee manual of functions and procedures to determine the profile of the company, OUs, employees, vendors, clients, and so forth. Determine the risk and attacker profiles to identify the origin of attacks. The importance of documenting the actions taken is that the record can be used as a reference in the future, for instance by other employees in similar situations.
Action: Use the risk assessment information to determine the security policies. Use the risk and vulnerability information according to the RA plan. Use our expertise to analyze information, RA reports, behavior, documentation, and so forth, to define the profile that will be used as a basis to create the company's security policies. Use the PDCA method to evaluate the mitigation results, report the results, and improve mitigation methods. Produce a summary of the risk mitigation process and set mitigation process standards.
Procedure Step: Personnel training: knowledge of the company's security policies and of the dangers of social engineering and other internet threats.
Explanation: It is essential to train the employees on the company's policies and on the hazards of social engineering attacks. Policies are only good if they are enforced. We have professionals with up-to-date information about the new dangers in the cloud world, who have experience in training and engaging employees in the security cause. The RA reports that more than 70% of the employees are not aware of the company's security policies. In addition, more than 85% of the employees do not understand the hazards of social engineering to a computer system. It is important to evaluate the crew's understanding of, and satisfaction with, the training, because we can then identify the points that need to be improved and the points that are effective. With this information we can adjust the training for this company and for future trainings.
Action: Using the risk assessment report, we can identify the personnel that need to be trained first and that need follow-up training, such as refresher sessions, unscheduled tests, and so forth. Test the employees' knowledge at the end of the training and report the result. Produce a statistical report. Compare the individual results with the network monitoring activity when it presents a risk result.
Procedure Step: Set up Active Directory and Organizational Unit Group Policies. Assign users to the OUs according to their functions.
Explanation: Even if I have the RA reports and am able to take action to mitigate risk and improve the security of my system, if I am not able to organize my crew, at some point my efforts will be lost. It is important to facilitate the implementation of policies throughout the network: by setting up the policies on the OU and assigning the users to the OU, it is not necessary to assign policies to users one by one. It is also easier to monitor the users' activities. In this process, it is fundamental to have the company's HR approve the project before it is implemented. The map of the company's organizational structure, and the policies and privileges assigned to each Organizational Unit, must be documented in detail. In addition, it must be easy for any network administrator who is an authorized user to understand the system.
Action: Use the RA report to help define the privileges for the users in the OU Group Policies. Install Active Directory on the Windows Server. Using the company and employee profiles, create the OUs and their policies. After this, assign the users according to their functions in the company. After the AD and OU Group Policies are working properly, we must build the documentation of the Active Directory system. Summarize how the AD and OU Group Policies support the risk mitigation project, for instance by implementing the principle of least privilege through the group policies.
Procedure Step: Set up an access control plan, defining users' privileges to access system and database information.
Explanation: Every system must have access control to define the user privilege level for each system, database, application, and so forth. It helps protect access to the information and classify the company's information. If the information is classified as private, such as clients' medical information, we should handle it with more care and make access to it more restricted. Access to the database of clients' private information must be through a personal password that is changed every 45 days. Physical access to the database depends on the password and the registered fingerprint. To access the company datacenter, biometric credentials are required to enter the locked room. The information must be stored in encrypted form. It is also important to guarantee the availability of the information; thus, we must document the access control plan, so that if some access keys are lost they can be recovered by consulting the documentation.
Action: Using the RA report, we are able to find which IT assets are most valuable to the company, such as information, systems, employee functions, and so forth. Based on this information, we are able to plan the access control and set the access privileges according to the importance of each asset and the role that each user plays in the company's system. The more valuable the information, the more restricted the access and the more credentials users need to reach it. This makes access by unauthorized users more difficult in case of an attack. Prepare the access control documentation, with details of the layered controls, access keys, access privileges, and so forth. Summarize a report to support the risk mitigation plan, covering security in depth for the clients' private database, the encrypted database, password policy enforcement, and so forth.
Procedure Step: Verify patches for the operating system, software, and applications. Set them to update automatically.
Explanation: Bugs in a system can cause security breaches. As soon as the party responsible for the system becomes aware of a bug, they fix it and release patches. Clients that do not install the patches remain vulnerable to those breaches, so it is important to keep updates and patches current. During the RA we are able to find and report all the systems, applications, software, and so forth that need upgrades, updates, and patches. Create documentation of the system updates, upgrades, and patches applied. If any update is not performed, register which update was not done, when, why, and under what authorization.
Action: Using the RA report, we can verify which updates are necessary and use the following weeks to update the systems, keeping a backup on hand in case something goes wrong. After the process, check the systems again to verify whether further updates need to be done. Create and update the system update documentation. Summarize a risk mitigation report, for instance on how uninstalling patches can cause security breaches to the system.
Procedure Step: Install antivirus software on all workstations. Configure automatic updating and scanning, and set up passwords to prevent changes.
Explanation: It is necessary for local and network protection, because each workstation is connected to the internet. Thus, if one is infected, the antivirus can detect the problem and prevent other workstations on the network from being infected as well. With a business license, the price is much lower than for regular clients. It is a preventive action that, in general, is accepted as a countermeasure worth taking to avoid the impact of unknown risks. One of the important points of documenting the antivirus, license, vendor, expiration, and so forth, is so that the network administrator does not lose track of the antivirus expiration and has the name of the vendor representative, and so forth.
Action: Download the software onto flash drives and install it on several computers at the same time. This operation can be done outside of regular business hours. Configure for automatic updates, daily quick scans, and weekend full scans. Set up administrative passwords so that the configuration cannot be accessed by common users. Prepare the documentation for the antivirus installation on the company's machines. Summarize the risk mitigation process with the antivirus installation, covering email malware, daily scans of the computer, internet security, and so forth.
Procedure Step: Set up a scheduled backup system.
Explanation: Information is one of the most valuable assets of a business, and the business cannot afford to lose it. This is one of the reasons that backup is so important. Backup is fundamental for any business, and mandatory for businesses that must deal with compliance law. For this reason we will deal with two types of backups: physical and online. Backup on magnetic tape is still the most efficient method of backup. The tape must be stored outside of the company's local domain. Use a reputable online backup system. Everyone can have access to the backup system through the backup documentation, which covers the schedule, time of backup, files and folders to be backed up, backup log file, and so forth.
Action: Schedule the daily incremental backup and the weekend full backup. Perform the first full backup, take out the tape, check its integrity, and store it in outside storage. The tapes will be exchanged every week. Set up the online backup at different times, using the same method as the physical backup. Create and update the backup documentation, including the backup log file. Create a summary pointing to the risk mitigation achieved, such as against data loss, reduction of business interruption, recovery in natural disaster cases, and so on.
Procedure Step: Implement a RAID 10 redundancy system on the main servers.
Explanation: By using the RA report we can identify which systems, for the sake of the business, need to be on 24/7 and cannot afford a breakdown. The RAID 10 system is important in case a hard drive has a problem: the hard drive redundancy automatically takes over and keeps the system functioning normally. If all the hard drives are working normally, the system will be able to work roughly twice as fast, because its work is divided between two drives. By creating the RAID documentation it is possible to identify where it is used on the network. It also serves as a reference for later events in which the network may need other RAID solutions.
Action: Install a set of 4 hard drives on each server that needs speed and redundancy according to the project. Create documentation describing how, where, and for what the RAID system is used. Summarize a report explaining why the RAID system is important for risk mitigation: in the case of a failure of the main system, the RAID provides redundancy, keeping the system on without interruption. It provides one of the three principles of security: availability.
Procedure Step: Set up controls to monitor the network activity.
Explanation: By analyzing the RA report, we are able to know which systems are most important and need more attention during the network monitoring process. It is important to monitor the network activity to be able to detect strange behavior that can lead to an attack. We utilize tools known as intrusion detection systems. By documenting the control rules and the parameters set, it is possible to understand the goal of the monitoring.
Action: Install tools to monitor the network, such as Wireshark. Create the monitoring documentation and update it with the log reports. Write a brief report on the importance of this action in the risk mitigation plan, such as detecting strange behavior on the network before it turns into an attack.
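The scheduled backup procedure in the table above (weekend full backup, daily incremental backups, integrity check before the tape goes off-site, weekly tape exchange), as an added Python illustration that is not part of this proposal: it runs the cycle over a constructed week of files, verifies each backup set's manifest, labels tapes by week, and restores a point in time by replaying the incremental chain after the last full backup. The dates, file names, and file contents are constructed.

```python
"""Scheduled backup model: weekend full backup, daily incremental backups,
integrity check of every backup set, weekly tape labels and point-in-time
restore. Added illustration for the backup task above, not code from the
proposal; dates, file names and file contents below are constructed."""
from datetime import date, timedelta
import hashlib

FULL_BACKUP_WEEKDAY = 6  # date.weekday(): Monday = 0 ... Sunday = 6 (constructed choice)


def backup_kind(day: date) -> str:
    """Full backup on the weekend day, incremental on every other day."""
    return "full" if day.weekday() == FULL_BACKUP_WEEKDAY else "incremental"


def snapshot(files: dict) -> dict:
    """SHA-256 of every file's content; used both for change detection and
    for the integrity manifest written with each backup set."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def take_backup(day: date, files: dict, previous=None) -> dict:
    """Build one backup set. A full set copies everything; an incremental set
    copies only files whose content changed since the previous set (full or
    incremental) and records files deleted since then. The very first backup
    is always full, whatever the weekday."""
    kind = "full" if previous is None else backup_kind(day)
    current = snapshot(files)
    if kind == "full":
        selected = dict(files)
        deleted = []
    else:
        before = previous["snapshot"]
        selected = {n: files[n] for n in files if before.get(n) != current[n]}
        deleted = [n for n in before if n not in current]
    return {"date": day, "kind": kind, "files": selected, "deleted": deleted,
            "manifest": snapshot(selected), "snapshot": current}


def verify(backup_set: dict) -> bool:
    """Integrity check: recompute the hashes of what was written and compare
    with the manifest, before the tape leaves for off-site storage."""
    return snapshot(backup_set["files"]) == backup_set["manifest"]


def tape_label(day: date) -> str:
    """Tapes are exchanged weekly, so label them by ISO year and week."""
    year, week, _ = day.isocalendar()
    return f"TAPE-{year}-W{week:02d}"


def run_schedule(history: list) -> list:
    """history: list of (date, {name: bytes}) in chronological order.
    Returns the verified backup sets, one per day."""
    sets, previous = [], None
    for day, files in history:
        current = take_backup(day, files, previous)
        if not verify(current):
            raise RuntimeError(f"integrity check failed for {day}")
        sets.append(current)
        previous = current
    return sets


def restore(sets: list, target: date) -> dict:
    """Rebuild the file tree as of `target`: start from the latest full backup
    on or before target, then replay the later incrementals up to target."""
    eligible = [s for s in sets if s["date"] <= target]
    fulls = [s for s in eligible if s["kind"] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    state = {}
    for s in eligible:
        if s["date"] < fulls[-1]["date"]:
            continue
        state.update(s["files"])
        for name in s["deleted"]:
            state.pop(name, None)
    return state


# Constructed week: Sunday 2015-09-06 (weekend full backup) through Wednesday.
SUNDAY = date(2015, 9, 6)
HISTORY = [
    (SUNDAY, {"payroll.db": b"pay-v1", "records.db": b"rec-v1"}),
    (SUNDAY + timedelta(days=1), {"payroll.db": b"pay-v2", "records.db": b"rec-v1"}),
    (SUNDAY + timedelta(days=2), {"payroll.db": b"pay-v2", "records.db": b"rec-v1"}),
    (SUNDAY + timedelta(days=3), {"payroll.db": b"pay-v2", "tax.db": b"tax-v1"}),
]

if __name__ == "__main__":
    backups = run_schedule(HISTORY)
    for s in backups:
        print(s["date"], s["kind"], tape_label(s["date"]),
              "copied:", sorted(s["files"]), "deleted:", s["deleted"])
    print("as of Wednesday:", restore(backups, SUNDAY + timedelta(days=3)))
```

A restore needs the full set plus every later incremental in order, which is why the action above keeps the weekly tape and the daily sets together in off-site storage.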
BCP Outline and Table of Contents as per BIA
At this stage of the process, we will identify the major critical business functions and the impact they will suffer if they experience a successful attack. Our objective in this plan is to maintain the company's main activity, so that it is able to achieve the maximum availability possible.
Below, we present a table with details about some of the company's systems and applications, our analysis of their importance to the business, the Business Impact Analysis, and our actions for a Business Continuity Plan:
BIA for the Main Business Functions and Presentation of a Summary of BCP for this Company
(Columns: Item, Details, Resources)
DNS servers, WAN, and LAN: Domain Name Service (DNS) primary/secondary
Purpose statement
  Details: DNS resolves a domain name or host name into an IP address, in order to facilitate communication between hosts in a network.
  Resources: Professional analysis of the DNS services on the entire network. Plan for DNS server redistribution and prioritization.
Scope
  Details: DNS servers are used by all network users.
  Resources: Network administrators must resize the network according to the new plan.
Assumptions
  Details: Based on the fact that the company needs the network communicating properly 24/7, we assume that the DNS servers must be up uninterrupted.
  Resources: The network reports, risk assessment report, monitoring report, and so forth. By analyzing all these reports, we can design the network business profile.
Critical business functions
  Details: This function is directly related to the critical business functions.
  Resources: Some resources do not seem as critical to the business functions; however, they are incidental to them and need to be taken care of as much as the other major functions.
Risk to operation
  Details: This function is directly related to the critical business functions.
  Resources: Some resources do not seem as critical to the business functions; however, they are incidental to them and need to be taken care of as much as the other major functions.
Strategies to address risks
  Details: Implement a DMZ. Implement different DNS servers for different critical functions. Implement a RAID system on critical servers.
  Resources: Professional expertise in RAID. The plan identifying the main strategic points that need a RAID system. The necessary devices, tools, and other equipment.
Mail Server, WAN, and LAN: Email
Purpose statement
  Details: Email has the purpose of maintaining electronic communication among employees, between employees and clients, between employees and vendors, and so forth.
  Resources: Professional analysis of the email service for the business. Plan for the email server. Email usage policy.
Scope
  Details: The company email has the scope of the company domain.
  Resources: Network administrators must set the email permissions according to the email policies, such as disabling hyperlinks in email.
Assumptions
  Details: Electronic communication is fundamental for this company, and around 80% of its communication is electronic. Thus, for the sake of the business, it is recommended that electronic communication does not stay down for more than 4 consecutive hours.
  Resources: Using the email policies to disable dangers to the email service, we can avoid attacks on the email server and so avoid interruption of the service.
Critical business functions
  Details: It is an important function; however, the business could stay a few hours without it.
  Resources: This service is not critical for the business functions; however, it is important for the business communication and for the business image.
Risk to operation
  Details: It is an important function; however, the business could stay a few hours without it.
  Resources: This service is not critical for the business functions; however, it is important for the business communication and for the business image.
Strategies to address risks
  Details: Have an exclusive email server. Have another server in the system prepared with the application to take over in case the server breaks down. Ensure that maintenance, patches, and updates are applied regularly.
  Resources: Professional with expertise in email servers. A plan identifying the policies and strategies for the email services. The necessary devices, tools, and other equipment.
Application Servers, database servers, and LAN:
Payroll Management
Jurisdiction Management System
Tax Office Application
Judicial Records Database
Department of Motor Vehicle Applications
Public Safety Management System
Business Records Management
Corrections Management
Purpose statement
  Details: These systems have the objective of managing the administrative functions of the company, such as calculating the employees' wages, managing public relations, recording the business results, and so forth.
  Resources: Professional analysis of the systems and applications. Schedule of the company's reports and activities, such as P&L reports, legal reports, DMV functions, payroll activities, and so forth. The action will depend on the day. For instance, if it is the last day for calculating the payroll, the solution is to use a recovery server as the business recovery plan.
Scope
  Details: These applications are used by the company employees responsible for their department duties, such as DMV, Accounting, Public Safety, and so on.
  Resources: Analysis of the recovery plan. Network administrators have to analyze the recovery plan for each system and application, then decide whether they have time to fix the application or whether it is better to bring up the recovery server. For example, if the crash occurs on payroll day, it is recommended to use the recovery server; if there is enough time for maintenance, the Accounting Department can wait for the system to be fixed.
Assumptions
  Details: The analysis of the criticality of the situation will depend on the system and on the day. Taking the example of payroll, the actions will be taken according to the proximity of the payroll calculation.
  Resources: Using the recovery plan, the professional must make a quick decision on what to do in each case: use the recovery server or take the system down for maintenance.
Critical business functions
  Details: As mentioned above, the risk to the business operation will depend, in the majority of cases, on the day: the day to file a report, days with a high rate of business, employee payment day, and so forth. The analysis must be done very fast and precisely by the IT security professional, based on the BCP and BIA.
  Resources: Analyze the BCP/BIA and the context of the event to decide the best solution to take at the moment.
Risk to operation
  Details: As mentioned above, the risk to the business operation will depend, in the majority of cases, on the day: the day to file a report, days with a high rate of business, employee payment day, and so forth. The analysis must be done very fast and precisely by the IT security professional, based on the BCP and BIA.
  Resources: Analyze the BCP/BIA and the context of the event to decide the best solution to take at the moment.
Strategies to address risks
  Details: Have another server in the system prepared with the application to take over in case the server breaks down. Have the RAID 10 system installed on the servers that carry critical systems. Ensure that maintenance, patches, and updates are applied regularly.
  Resources: Professional with expertise in systems and applications. Recovery plan for systems and applications. Recovery server configured to be placed on the network in case a recovery action is necessary. Incident Response Team plan.
Web Servers, WAN, LAN, and Application Servers:
Client-Facing Service Application
Emergency Notification Service
Public Records Database
Emergency Services Intercommunication
Electronic Payment System
Benefits Disbursement Management
Purpose statement
  Details: These are applications used to interact with clients and employees, ultimately the users at the other end of the internet, using network devices such as smartphones, tablets, computers, and so on.
  Resources: Professional analysis of the functionality of these applications. Map these applications to the company information system, and verify their status in the Access Control Plan and the Application Hierarchy Plan.
Scope
  Details: These applications are used by the internet system to interact virtually with the internet clients. The main users are the internet administrators and operators.
  Resources: Network administrators must configure each application according to the application hierarchy of importance, in order to follow the BCP.
Assumptions
  Details: These applications are channels of communication between clients and the company. In this case, we have to screen and classify each application: which cannot be interrupted, which can be down for 2 hours, 4 hours, and so forth.
  Resources: If the site is down, display a message informing how long it will be before the site is back. If the client's case is an emergency, he or she can call the office; provide a phone number for emergency calls. Through fast analysis, the professional will be able to decide whether it is necessary to bring up the recovery web server or there is enough time to fix the problem.
Critical business functions
  Details: Clients are not willing to wait very long, and expect the service to return by the time advertised on the site. We cannot forget that availability, together with security, is also part of information security.
  Resources: Some of these services are not critical for the business functions; however, they are important for the business communication and for the business image. For the services that are critical, we suggest always placing them on application servers with a RAID 10 system.
Risk to operation
  Details: Clients are not willing to wait very long, and expect the service to return by the time advertised on the site. We cannot forget that availability, together with security, is also part of information security.
  Resources: Some of these services are not critical for the business functions; however, they are important for the business communication and for the business image. For the services that are critical, we suggest always placing them on application servers with a RAID 10 system.
Strategies to address risks
  Details: Have another server in the system prepared with the application to take over in case the server breaks down. Have the RAID 10 system installed on the servers that carry critical systems. Ensure that maintenance, patches, and updates are applied regularly.
  Resources: Professional with expertise in systems and applications. Recovery plan for systems and applications. Recovery server configured to be placed on the network in case a recovery action is necessary. Incident Response Team plan.
Application Servers, Database Servers, LAN, and WAN: Emergency Management Application
Purpose statement
  Details: This application manages the input by clients for emergency cases on the company's web system.
  Resources: Professional analysis of the web application, and analysis of the emergency applications system. Analyze the classification of emergencies, and how they should be attended to.
Scope
  Details: The department that deals with the clients' emergency cases posted on the internet.
  Resources: Network administrators must set the application to classify the emergency according to the company's emergency standards. Retrieve the client's information according to the client's registration number, and bring the complete information to the authorized employee.
Assumptions
  Details: This service is essential for the clients, because they expect to have their emergency treated with priority. In this way, the more the system can work in the background for the operator, the more work one operator can perform in less time.
  Resources: Through authentication, the application and database servers can communicate with each other and prepare all the information necessary for the client's application for an emergency service. When an operator logs in to the system and inputs the client's ID, the information is already loaded on the screen.
Critical business functions
  Details: This is a critical business function; the company cannot afford to have it out of service. For this reason, we suggest having RAID 10 on this server, which will provide speed and redundancy for the system. In case of failure, the system will lose speed; however, it will not lose connectivity.
  Resources: This server must be set up to be online 24/7. Thus, according to the risk mitigation plan, this is a server that would receive a RAID 10 system.
Risk to operation
  Details: This is a critical business function; the company cannot afford to have it out of service. For this reason, we suggest having RAID 10 on this server, which will provide speed and redundancy for the system. In case of failure, the system will lose speed; however, it will not lose connectivity.
  Resources: This server must be set up to be online 24/7. Thus, according to the risk mitigation plan, this is a server that would receive a RAID 10 system.
Strategies to address risks
  Details: Distribute the applications across the servers according to the risk mitigation plan, obeying the importance hierarchy. Have the RAID 10 system configured. Research the problems and document the results found. Ensure that maintenance, patches, and updates are applied regularly.
  Resources: Professional with expertise in applications and RAID systems. The plan identifying the policies and strategies for the clients' emergency service. The necessary devices, tools, and other equipment.
Authentication Servers, Database Servers, and LAN: Remote Access Authentication
Purpose statement
  Details: Provide authentication to remote users of the company's local system.
  Resources: Professional expertise in remote access authentication.