
30 May 2011

Information Security Modification Recommendations


Service Level Agreement Between Finman Account Management, LLC, Datanal Inc., and Minertek, Inc.
Upon review of the current Service Level Agreement (SLA), "A Service Level Agreement for Provision of Specified IT Services Between Finman Account Management, LLC, Datanal, Inc., and Minertek, Inc.", it has been determined that standard Information Technology (IT) security measures have not been addressed. Recommended changes have been added to the specific sections listed below and are highlighted in yellow. These changes are made to better protect Finman's data and intellectual property, using established industry standards such as the Information Technology Infrastructure Library (ITIL), Best Management Practices (BMP), and International Organization of Standards (ISO) recommendations for the proper handling, storage, and protection of IT resources.

A. Recommend changes (i.e., modifications, insertions, or deletions) to the attached Service Level Agreement to better protect Finman's data and intellectual property. Section 3 Background and Rationale Modifications:
Finman views this SLA as a groundbreaking venture to harness the diverse array of IT-borne customer demands and opportunities that cannot be met by adhering to traditional paradigms. Finman's objectives in the SLA are to compete more effectively in a highly competitive industry by offering its customers a unified IT management plan across an entire organization or even, if the customer wishes, across separate departments and divisions. Datanal, utilizing sophisticated data-mining software developed by Minertek, will recognize and integrate common IT characteristics from disparate operations, programs, procedures, and products, even those located in separate and unrelated service areas. This enables the customer to reduce or eliminate duplicate, parallel systems, to achieve economies of scale, and to open new opportunities. The consolidation of assets will require a review of existing hardware systems, applications, and network authentication processes. Datanal will establish an Access Control List (ACL) system and create Group Policies (GP) to provide authentication and authorization to resources for users of network resources. Establishment of a Third Party Verification (TPV) process for users will provide confidentiality and integrity to meet current industry standards. Data storage integrity shall be reviewed and a backup solution compliant with industry standards shall be established. Datanal will ensure Information Security (IS) is improved to be compliant with International Trade Agreements, Federal patent laws, copyright laws, and fair trade agreements.

By Thomas A. Groshong Sr RLHT_Task3_2011-05-30.docx

Section 4 Statement of Intent Modifications:
As recognized by leading research and consulting firms with knowledgeable, skilled management, advanced state-of-the-art IT affords extraordinary opportunities for greater efficiencies, cost reduction, higher productivity, customer satisfaction, and profitability. Sophisticated IT applications realize their full potential with highly specialized technical knowledge and management skills readily available only in smaller firms focused primarily or exclusively on such applications. State-of-the-art IT Security Management (ITSM) processes such as threat management, auditing, encryption, and customer education will be used to prevent misuse and/or abuse of Finman's IT resources or services.

1. Justify how your recommendations will limit use, sharing, retention, and destruction of Finman's corporate data by Datanal and Minertek.
ITIL, now known as Best Management Practice (BMP), provides Information Technology Security Management (ITSM) recommendations based on the ISO 27000 series standards. These best practices established by BMP create a framework for Information Security Management (ISM). A four-pronged approach to ISM includes Communication Awareness Training, Risk Management, Firewalls (spam filters), and Vendors/Manufacturing Agents (Clinch, J. (2009, May)). The first step would be Communications Awareness Training for all users using assets on the network. This would include Information Assurance (IA), basic computer, and threat prevention training during the migration to CAC cards and AD implementation. A user agreement and supervisor network access request form would be submitted for all users with proof of IA training. This agreement would state user responsibilities and penalties for violation of said agreement. Datanal will provide documentation and training resources to be distributed to all Finman organizations. Second, risk management would include the creation of auditing processes, data backup, and recovery strategies. Evaluation and modification of existing Host Based Intrusion Detection System (HBIDS) and virus detection software programs must be completed. If these systems are not in place, a plan for implementation would be established. Data backup and recovery systems would be evaluated to include a total solution with established disaster recovery plans and restoral processes. This would include documentation of all security tasks, audit logs, and associated risks or threats. A data retention/storage program stating the length of time data is stored and ultimately disposed of must be established. Third, hardware devices such as firewalls, routers, proxy firewalls, computer-based firewalls, and Intrusion Detection and Protection Systems (IDPS) must be in place at all sites to ensure threats from the outside are prevented. Firewalls and routers will provide encryption external to the LAN, and VPN encryption will give external users access via a secure tunneled protocol. Existing systems must be evaluated for IPv6 modernization support and a plan for implementation established. Change management processes would need to be created to document any changes made to these devices or systems as needed. Fourth would be the concept of Vendors/Manufacturing Agents, or Partners. Each organization within Finman must be treated as a partner in the ISM process. Each organization within the company must engage in the process for a number of reasons, but ultimately to protect the company from fraud, waste, and abuse. The idea that a partnership must exist between organizations is vital for proper handling of assets and ultimately the intellectual property of the company. Partners would identify assets that must be protected, backed up, and possibly controlled. Information requiring special handling, or that is confidential or proprietary in nature, is best defined by the customer/partner. No one knows better than the owner of the processes when special handling is required. Data encryption at the file share or user level would be a good example of partner-identified usage requirements.

2. Justify how your recommendations will assure that Finman's property, patents, copyrights, and other proprietary rights are protected.
There are three basic ISM concepts: Availability, Confidentiality, and Integrity (Clinch, J. (2009, May)). By implementing ACLs, GPs, and TPV, much of the ISM work is done. An application such as Active Directory (AD) to create user accounts and security groups for the entire Finman organization would be a good approach, creating accounts for each user and assigning them permissions to the network based on their association or group membership. AD can be created for a company's Wide Area Network (WAN) environment to include multiple Domains and span Local Area Networks (LANs). This system can be managed locally and/or remotely for 24/7 operation if needed. Each user would receive a Common Access Card (CAC) for TPV purposes that would hold certificates for personal identification and authentication. Users would gain access to the network using the CAC and an individually assigned and controlled Personal Identification Number (PIN). ACLs would prevent user access to network data or systems they are not authorized for, and GPs would provide the process to manage network systems or services along organizational structures. Virtual Private Networks (VPNs) would be established for offsite access to the LAN and would be limited to Finman-provided and Datanal-configured computers. Wireless access within the confines of Finman properties will be limited in scope to Finman assets and require WPA2 encryption and RADIUS server access using CAC authentication (SANS Institute, n.d.).

GPs would establish access to systems or services based on organizational association and group rights and/or permissions. Group security policies can be managed Domain-wide and can be granular in nature to limit access and availability to specific systems, applications, and data. Once the system is in place, basic adds, moves, and changes are automated and easily accomplished. TPV provides an independent agent to certify proof of identity and proof of electronic transactions. This process allows a known-good Certificate Authority (CA) to issue certificates that are unique to the individual. This provides authentication and integrity of the data via the digital signature of the user. Andrew Hiles states: "The security services service level is that there will be no hardware or software problems and no security rules changes for the following: Managed Firewall Access, Management Firewall Hosting, IP VPN-Internet Firewall-based, and IP VPN-Internet Router-based." (Hiles, A. (2002)) These modifications to the SLA are to provide state-of-the-art services and to follow established international standards for Information Technology (IT) and IT security. This requires the following programs: change management, configuration management, incident management, backup/restoral management, and an Active Directory. Hardware solutions should be examined to provide the best security possible with the least impact on the customer, Finman (Weil, S. (2010, November)). The four-pronged approach discussed earlier must balance the need for security with the needs of the customer. By moving to these new technologies, Finman and Datanal are making a concerted effort to meet international law and federal law and to conform to accepted standards (ISO) to provide a level of security that protects Finman's patents, copyrights, and other proprietary intellectual properties.
This is an aggressive program that will automate many of the security aspects discussed and provide a state-of-the-art system. Ultimately this SLA should provide a manageable framework that establishes a strong partnership between Finman, Datanal, and Minertek.
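The recommendations in sections 2 above rest on one mechanism: users obtain rights only through security-group membership, ACLs deny anything not explicitly granted, and an explicit deny takes precedence over any grant. The following Python model is an added example illustrating that evaluation order; it is not part of the paper or of any Finman, Datanal, or Minertek system. The users, nested groups, file share, and ACL entries are constructed sample data, and the audit line format is an assumption, not a format from the paper.

```python
"""Deny-by-default, group-based ACL evaluation with nested groups.

Added illustration of the ACL/GP recommendations; all names below are
constructed sample data, not real Finman accounts or resources.
"""
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class AccessControlEntry:
    principal: str          # a user name or a security-group name
    effect: Effect
    rights: frozenset       # e.g. frozenset({"read", "write"})


# Constructed organizational structure. Groups nest (division -> department),
# the way AD security groups do, so rights granted to a parent group reach
# the members of its child groups.
GROUP_MEMBERS = {
    "Finance-All": {"Finance-Analysts", "Finance-Managers"},
    "Finance-Analysts": {"alice", "carol"},   # carol is a contractor on loan
    "Finance-Managers": {"bob"},
    "Contractors": {"carol"},
    "Datanal-Admins": {"dave"},
}


def effective_groups(user: str) -> frozenset:
    """Resolve a user's transitive group membership (nested groups)."""
    result = set()
    changed = True
    while changed:                      # iterate until no new parent is found
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group in result:
                continue
            if user in members or members & result:
                result.add(group)
                changed = True
    return frozenset(result)


def is_authorized(user: str, acl: list, right: str) -> bool:
    """Deny by default: access requires a matching ALLOW for the user or one
    of the user's groups, and any matching DENY overrides every ALLOW."""
    principals = effective_groups(user) | {user}
    allowed = False
    for ace in acl:
        if ace.principal not in principals or right not in ace.rights:
            continue
        if ace.effect is Effect.DENY:
            return False                # explicit deny wins immediately
        allowed = True
    return allowed


def access_log_line(user: str, resource: str, right: str, acl: list) -> str:
    """Audit record for the decision (constructed format, assumption)."""
    decision = "ALLOW" if is_authorized(user, acl, right) else "DENY"
    groups = ",".join(sorted(effective_groups(user)))
    return f"{decision} user={user} resource={resource} right={right} groups={groups}"


# Constructed ACL for a file share holding patent filings: analysts may read,
# managers may read and write, contractors are explicitly denied even when a
# group they belong to would otherwise grant access.
PATENT_SHARE_ACL = [
    AccessControlEntry("Finance-All", Effect.ALLOW, frozenset({"read"})),
    AccessControlEntry("Finance-Managers", Effect.ALLOW, frozenset({"read", "write"})),
    AccessControlEntry("Contractors", Effect.DENY, frozenset({"read", "write"})),
    AccessControlEntry("Datanal-Admins", Effect.ALLOW, frozenset({"read", "write"})),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        for right in ("read", "write"):
            print(access_log_line(user, "patents-share", right, PATENT_SHARE_ACL))
```

Running the block shows the two properties the paper relies on: `eve`, who belongs to no group, is denied everything without any ACL entry naming her, and `carol` is denied read access even though `Finance-Analysts` inherits read from `Finance-All`, because the `Contractors` deny entry overrides the inherited grant.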

B. References
Clinch, J. (2009, May). ITIL V3 and Information Security. Best Management Practice. Retrieved May 30, 2011, from http://www.best-managementpractice.com/gempdf/itilv3_and_information_security_white_paper_may09.pdf

Hiles, A. (2002). E-business service level agreements: strategies for service providers, e-commerce and outsourcing. Brookfield, Conn.: Rothstein Catalog On Service Level Books.

SANS Institute. (n.d.). Password Policy. Retrieved May 6, 2011, from http://www.sans.org/security-resources/policies/Password_Policy.pdf

Weil, S. (2010, November). How ITIL Can Improve Information Security. Retrieved May 26, 2011, from http://www.symantec.com/connect/articles/how-itil-can-improve-information-security
