need IT Security help - DFWstangs Forums
 
post #1 of 15 (permalink) Old 05-20-2008, 11:28 PM Thread Starter
 
Join Date: May 2008
Posts: 70
need IT Security help

ok. final project. assoc level IT security class. I have been tasked to put together an acceptable use policy that complies with HIPAA and the Sarbanes-Oxley Act.

i have something here that im gonna attach. any professional opinions/tips would be appreciated.

Scenario.

You are the new security manager for company XYZ and have been assigned the task of ensuring security for the company. There are multiple locations for this company. Create a security policy that will apply to all Internet communications. The company deals with secure data for hospitals and financial organizations. These offices must have 24/7 communication with HQ. The communications are of a sensitive nature. Using what you have learned in this class, create an all-encompassing security document that covers document handling, secure protocols, communication links and the handling of laptop and desktop computers.

~~

the reason I'm asking for input is because a classmate told me that if I ace this project with a perfect 100 (base grade is 90. above and beyond is a 95. "supergeek" is a 100...) he would try and hook me up with a job at Lockheed Martin.
Attached Files
File Type: doc project_policy_1.doc (54.5 KB, 65 views)

Last edited by dsexton1055; 05-21-2008 at 10:38 PM.
dsexton1055 is offline  
 
post #2 of 15 (permalink) Old 05-21-2008, 12:15 AM
IA2
 
mikeb's Avatar
 
Join Date: Mar 2001
Posts: 22,413
Recommendation: Hire an outside company with this kind of experience. Trying to "grow" it in house is futile.
mikeb is offline  
post #3 of 15 (permalink) Old 05-21-2008, 12:17 AM Thread Starter
 
Join Date: May 2008
Posts: 70
Quote:
Originally Posted by mikeb
Recommendation: Hire an outside company with this kind of experience. Trying to "grow" it in house is futile.
school project. dunno the legalities of hiring someone but it's still not something I would do. paying for school work would hurt my ego too much
dsexton1055 is offline  
 
post #4 of 15 (permalink) Old 05-21-2008, 12:21 AM
GE
Lifer
 
GE's Avatar
 
Join Date: Sep 2000
Location: Richardson, TX
Posts: 32,085
As a caveat, I don't do IT. But...

The assignment tasks you to construct an enterprise wide policy that is compliant within the realm of not only HIPAA, but the Sarbanes-Oxley Act as well.

Neither one of these terms is mentioned in your acceptable use policy. I'd recommend doing a bit of research on HIPAA, and possibly the Sarbanes-Oxley Act, to get at least a baseline idea of what they're designed to do. I'm not saying that you don't know what they're supposed to do, but it could help you implement some sort of guidelines for acceptable use that tie into these two components.

HIPAA compliance is a very serious item in the healthcare industry, and I think it would be prudent to advise new users at XYZ of what HIPAA is, or at least have something set forth that states any and all sensitive customer information has to be safeguarded, etc etc.

I'm also not sure how many acceptable use policies expressly allow for newsgroup posting and for blogging of any kind. If you still have a little bit of time before the due date, it might be prudent to check around and see what other major companies have in regards to this.

Ok, I think I'm done. Probably wasn't much help, but hell, it's past 1am.
GE is offline  
post #5 of 15 (permalink) Old 05-21-2008, 12:30 AM
IA2
 
mikeb's Avatar
 
Join Date: Mar 2001
Posts: 22,413
Quote:
Originally Posted by dsexton1055
school project. dunno the legalities of hiring someone but its still not something i would do. paying for school work would hurt my ego too much
Like GE said, there are *so* many moving parts to a cohesive, legal IT security strategy.
mikeb is offline  
post #6 of 15 (permalink) Old 05-21-2008, 06:44 AM
Googlist-Wikipedian
 
Hunt4m3x's Avatar
 
Join Date: Jul 2002
Location: de_aztec
Posts: 4,814
Just put. Hire outside firm.

2005 Infiniti G35 Sedan Ivory Pearl Premium

2006 Infiniti FX45 Liquid Platinum

2010 Polaris Ranger RZR S Orange Madness
Hunt4m3x is offline  
post #7 of 15 (permalink) Old 05-21-2008, 07:07 AM
Time Served
 
Join Date: Jun 2003
Location: Frisco
Posts: 429
Sure, I would love to help you out. When my job was IT Security focused, Perot Systems billed me out for almost $200 an hour. I will be happy to do this for you for $100 an hour.

And, remember that a Policy is a higher level document than a procedure or process document. Also, HIPAA and SOX are very broad laws themselves, so writing a policy document on these shouldn't be that hard.

Half the world is composed of people who have something to say and can't and the other half who have nothing to say and keep on saying it. In other words - JUST SHUT UP!

2005 Silver Mustang GT
theludeone is offline  
post #8 of 15 (permalink) Old 05-21-2008, 10:01 AM Thread Starter
 
Join Date: May 2008
Posts: 70
awesome. thanks guys. i appreciate it.
dsexton1055 is offline  
post #9 of 15 (permalink) Old 05-21-2008, 01:28 PM
 
Join Date: Aug 2005
Posts: 7,173
Pretty easy based on the broad requirements. Remember, when it comes to security you don't limit what they can't do, you limit what they CAN do, and everything else is inherently prohibited. Below are some headings and brief explanations of the headings that will need to be defined in legal-ese.

Password Requirements
Complexity and expiration
Password Security
Don't share yo shit
Workstation Security
Lock your shit
Appropriate use of Internet
No pron up in this bitch, if it ain't directly for work, don't go there
Appropriate use of company email
I don't care if you are the king of forwards, stop it. Don't email patient records, etc.
usmcluke is offline  
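The "limit what they CAN do, everything else is prohibited" point above is the default-deny principle. The following is an added example, not code from the thread or from anyone posting in it: a small rule evaluator that runs the same constructed traffic sample through a blocklist (default allow) and an allowlist (default deny). The hostnames, ports and rule sets are invented for illustration; the point it shows is that a destination nobody anticipated is permitted by the blocklist and refused by the allowlist.

```python
"""Default-deny vs default-allow egress policy evaluation.

Added example for the forum discussion above, not code from the thread.
All hostnames, ports and rules are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    host_pattern: str      # fnmatch-style glob, e.g. "*.hq.example"
    ports: frozenset       # empty set means "any port"

    def matches(self, host: str, port: int) -> bool:
        host_ok = fnmatch(host.lower(), self.host_pattern.lower())
        port_ok = not self.ports or port in self.ports
        return host_ok and port_ok


@dataclass(frozen=True)
class Policy:
    rules: tuple           # evaluated first-match
    default: str           # action taken when no rule matches

    def evaluate(self, host: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(host, port):
                return rule.action
        return self.default


# Blocklist model: enumerate the forbidden, everything else is allowed.
BLOCKLIST = Policy(
    rules=(
        Rule("deny", "*.social.example", frozenset()),   # constructed domain
        Rule("deny", "*", frozenset({23, 69})),          # telnet, tftp anywhere
    ),
    default="allow",
)

# Allowlist model: enumerate what the job needs, everything else is denied.
ALLOWLIST = Policy(
    rules=(
        Rule("allow", "vpn.hq.example", frozenset({443, 1194})),
        Rule("allow", "mail.hq.example", frozenset({993, 587})),
        Rule("allow", "*.hq.example", frozenset({443})),
    ),
    default="deny",
)

# Constructed sample of outbound connection attempts (host, port).
REQUESTS = (
    ("vpn.hq.example", 1194),
    ("mail.hq.example", 587),
    ("files.social.example", 443),
    ("paste.unknown-host.example", 443),   # never anticipated by either author
    ("vpn.hq.example", 23),
)


def compare(requests=REQUESTS):
    """Map each request to (blocklist verdict, allowlist verdict)."""
    return {
        (host, port): (BLOCKLIST.evaluate(host, port), ALLOWLIST.evaluate(host, port))
        for host, port in requests
    }


def gaps(requests=REQUESTS):
    """Requests the blocklist lets through that the allowlist would refuse."""
    return [
        (host, port)
        for host, port in requests
        if BLOCKLIST.evaluate(host, port) == "allow"
        and ALLOWLIST.evaluate(host, port) == "deny"
    ]


if __name__ == "__main__":
    for req, (block_verdict, allow_verdict) in compare().items():
        print(f"{req[0]}:{req[1]:<5} blocklist={block_verdict:<5} allowlist={allow_verdict}")
    print("unanticipated traffic permitted only by the blocklist:", gaps())
```

Both policies agree on the traffic their authors thought about. They differ only on the pastebin-style host nobody listed, which is exactly the case a policy is supposed to cover: the allowlist needs no update to refuse it, the blocklist needs one for every new destination.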
post #10 of 15 (permalink) Old 05-21-2008, 08:27 PM
duh...duh....duh
 
ceyko's Avatar
 
Join Date: Aug 2004
Location: ES BEER
Posts: 9,543
LOL @ writing an AUP making you supergeek. OMG, that kills me. Have not laughed that hard in awhile.

On top of USMCLUKE's info - research existing AUPs and find the magic line that says...we make the rules up as we go, we'll fire you over anything IT and fuck your privacy. Also, information stating that it is company property, not personal.

Of course, some of that gets beyond the usage policy.

...super geek for documentation. OMG, that's great.

Take care,

My '03 Sold.
ceyko is offline  
post #11 of 15 (permalink) Old 05-21-2008, 10:40 PM Thread Starter
 
Join Date: May 2008
Posts: 70
while my instructor (security major getting his 2nd masters from the DoD) would agree with your post usmcluke and ceyko, I don't think that's what he is looking for lol.

but i will be sure to mention what you said in the presentation

dsexton1055 is offline  
post #12 of 15 (permalink) Old 05-22-2008, 06:44 AM
duh...duh....duh
 
ceyko's Avatar
 
Join Date: Aug 2004
Location: ES BEER
Posts: 9,543
ah dsexton1055, you'll have a lot to learn - ESPECIALLY working for DoD.
ceyko is offline  
post #13 of 15 (permalink) Old 05-22-2008, 07:43 AM
Googlist-Wikipedian
 
Hunt4m3x's Avatar
 
Join Date: Jul 2002
Location: de_aztec
Posts: 4,814
Quote:
Originally Posted by ceyko
ah dsexton1055, you'll have a lot to learn - ESPECIALLY working for DoD.

The DoD subcontractors out, then that subcontractor subcontracts again, then that subcontractor, subs one more time!

To the Cisco Routers...

"or, try to follow the details of the case of the US Navy contracting with Lockheed Martin for equipment. Lockheed outsourced the deal to an unauthorized Cisco reseller as a subcontractor. That subcontractor turned to its own subcontractor who (yup, you guessed it) hired another subcontractor who shipped the equipment straight to the Navy. If you lost count, that's five layers deep, with most of those layers having no real oversight on what they did."
Hunt4m3x is offline  
post #14 of 15 (permalink) Old 05-22-2008, 07:56 AM Thread Starter
 
Join Date: May 2008
Posts: 70
all in the effort of saving money too...

capitalism ladies. save money spent and make as much as you can >.>
dsexton1055 is offline  
post #15 of 15 (permalink) Old 05-22-2008, 11:46 PM
El Camino
 
Stang2be's Avatar
 
Join Date: Sep 2003
Location: in front of the keyboard
Posts: 3,432
just a brief bit from my experience...

all the regulations are at heart similar and have the same intent. I prefer to pick a broader framework or standard like ISO 27002, NIST, or something along those lines, at least for the high level stuff like an information security policy.

now when I write more specific documents I include in the policy what sections it maps to for ISO, PCI, SOX, etc.

AUPs tend to end up with lots of legal verbiage. I just make sure those state that all activities are logged and to expect no privacy.

then again this goes out the window if you are international and have employees in the EU

Also if you need names from Lockheed I might be able to track some down for you.

2007 Taurus SEL - daily driver
1974 El Camino SS - 400sb

Quote:
Originally Posted by purrrfectstang
Umm.. what is the ID-10T settings?
Stang2be is offline  