UNIT 6 ASSIGNMENT

By: Irik Ravenblade
IT541-01
Kaplan University
Professor: Dr. Lynne Williams
9/10/2013
Part 1: Unit 6 Lab

Premier Collegiate School Risk Elements

There are numerous risk elements involving the Premier Collegiate School's IT assets, including:

- The school principal's notebook computer is used for personal tasks as well as school business, providing an additional avenue for compromise (via malware, accidental disclosure of student information, etc.); its use with social media sites further compounds this risk. Additionally, there is a risk that the notebook computer (along with sensitive data stored on it) may become lost or stolen. A well-defined Acceptable Use Policy (AUP) should be observed, security awareness training provided, user authentication required, mandatory antivirus and patch updates applied, and encryption used to mitigate the risks involved.
- Students are required to possess laptops for wireless use on the school network, and are vulnerable to the same risks as the principal's notebook computer; the security measures listed above should be used.
- The computers in the teacher's lounge are shared. In addition to restricted access to the lounge, the computers should require separate user accounts and passwords, as well as security and antivirus software.
- The two file servers host sensitive data and mission-critical services. Servers should have restricted physical and logical access, require regular maintenance and auditing, and should be a part of disaster recovery planning.
- The computers in the computer science lab are shared desktops and should require separate user accounts and passwords, as well as security and antivirus software.
- The school network has wireless access. Although the network's wired access shares similar vulnerabilities, wireless is particularly vulnerable to packet sniffing, interception, and "piggybacking". It is recommended to disable SSID broadcasting and utilize network encryption (at least WPA2) for wireless access. Both wireless and wired access should use authentication and authorization, firewalls, and ACLs, and have a monitoring and auditing policy in place.

IT Asset Inventory Matrix

| IT Asset | Rank | Domain | FERPA Privacy Data | Impact Assessment |
|---|---|---|---|---|
| 10 Dedicated Admin. Computers | 6 | Workstation | Yes. Security Controls include Authentication, Access Control Lists (ACLs), and Permissions | Critical |
| Principal's Notebook Computer | 7 | Workstation/Remote Access | Yes. Security Controls include Authentication, Access Control Lists (ACLs), Permissions, and Encryption | Critical |
| 10 Shared Computers (Teacher's Lounge) | 12 | Workstation | Yes. Security Controls include Authentication, Access Control Lists (ACLs), and Permissions; Physical access would be restricted by locked entry | Major |
| Administrative File Server | 2 | System/Applications | Yes. Security Controls include Authentication, Access Control Lists (ACLs), and Permissions; Physical access would be restricted by locked entry | Critical |
| Dedicated Storage (Admin. Server) | 5 | System/Applications | Yes. Security Controls include Authentication, Access Control Lists (ACLs), Permissions, and Encryption; Physical access would be restricted by locked entry | Critical |
| Wired/Wireless LAN access (Admin. Server) | 8 | LAN | No. Although Security Controls would include Authentication, Access Control Lists (ACLs), and MAC filtering | Major |
| Network Devices (Firewalls, Routers, and Switches) | 4 | LAN-to-WAN | No. Although Security Controls would include Authentication, Access Control Lists (ACLs), and web filtering. | Critical |
| Student File Server | 3 | System/Applications | Yes. Security Controls include Authentication, Access Control Lists (ACLs), Permissions, and Encryption; Physical access would be restricted by locked entry | Critical |
| Student Applications (Student Server) | 9 | System/Applications | No access would be granted to private data through student applications, workstations, or laptops; authentication would be required to access student coursework | Major |
| Wireless LAN Access (Student) | 13 | LAN | No. Although Security Controls would include Authentication, Access Control Lists (ACLs), and MAC filtering | Major |
| Student Laptops | 17 | Workstation; Remote Access (if supported off-campus) | No access would be granted to private data through student applications, workstations, or laptops; AUP would address security controls and practices for LAN or remote access | Major |
| 25 Desktop Computers (Computer Lab) | 18 | Workstation | No access would be granted to private data through student applications, workstations, or laptops; authentication would be required to access student coursework | Minor |
| Student Records | 1 | System/Applications | Yes. Security Controls include Authentication, Access Control Lists (ACLs), Permissions, and Encryption; Physical access would be restricted by locked entry | Critical |
| Lesson Plans | 11 | System/Applications | No, lesson plans would not be student specific and would not be covered by FERPA. However, Security Controls would include Authentication, Access Control Lists (ACLs), and Permissions | Major |
| Test Banks | 10 | System/Applications | Yes. Security Controls include Authentication, Access Control Lists (ACLs), Permissions, and Encryption; Physical access would be restricted by locked entry | Major |
| Administrators | 14 | User | Access would be granted according to role, and disclosure to a third party requires a consent form signed by the student; Security Controls would include Authentication, Access Control Lists (ACLs), and Permissions | Major |
| Instructors | 15 | User | Instructor access would be limited to minimum permissions required to perform their duties; Security Controls would include Authentication, Access Control Lists (ACLs), and Permissions | Major |
| Students | 16 | User | Student would be granted access with valid identification and sign consent form | Major |
Recommendations

1) Use the principle of least privilege for access control, and encryption for all sensitive data.
2) Provide security awareness training to all users, and implement a comprehensive AUP that includes password and Internet usage policies.
3) Perform regular monitoring and auditing of network and system assets, and require up-to-date software patches and anti-malware definitions.
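Added example (not part of the original assignment): the IT Asset Inventory Matrix above, encoded in Python and checked two ways, first for FERPA-data assets whose listed controls omit the encryption called for in Recommendation 1, and second for agreement between rank and impact rating. The tuple layout and the names BASE, ENC, NET and SEVERITY are assumptions made for this example; physical controls (locked entry) are not modelled.

```python
# Rows transcribed from the IT Asset Inventory Matrix on this page:
# (asset, rank, holds FERPA data?, listed logical controls, impact).
# The three User-domain rows (ranks 14-16) are left out because the
# matrix gives them no Yes/No FERPA answer.
BASE = {"Authentication", "ACLs", "Permissions"}
ENC = BASE | {"Encryption"}
NET = {"Authentication", "ACLs", "MAC filtering"}
MATRIX = [
    ("Student Records", 1, True, ENC, "Critical"),
    ("Administrative File Server", 2, True, BASE, "Critical"),
    ("Student File Server", 3, True, ENC, "Critical"),
    ("Network Devices", 4, False, {"Authentication", "ACLs", "Web filtering"}, "Critical"),
    ("Dedicated Storage (Admin. Server)", 5, True, ENC, "Critical"),
    ("10 Dedicated Admin. Computers", 6, True, BASE, "Critical"),
    ("Principal's Notebook Computer", 7, True, ENC, "Critical"),
    ("Wired/Wireless LAN access (Admin. Server)", 8, False, NET, "Major"),
    ("Student Applications (Student Server)", 9, False, {"Authentication"}, "Major"),
    ("Test Banks", 10, True, ENC, "Major"),
    ("Lesson Plans", 11, False, BASE, "Major"),
    ("10 Shared Computers (Teacher's Lounge)", 12, True, BASE, "Major"),
    ("Wireless LAN Access (Student)", 13, False, NET, "Major"),
    ("Student Laptops", 17, False, {"AUP"}, "Major"),
    ("25 Desktop Computers (Computer Lab)", 18, False, {"Authentication"}, "Minor"),
]
SEVERITY = {"Critical": 3, "Major": 2, "Minor": 1}


def encryption_gaps(matrix):
    """FERPA-data assets whose listed controls omit Encryption."""
    return sorted((rank, name) for name, rank, ferpa, controls, _ in matrix
                  if ferpa and "Encryption" not in controls)


def rank_inversions(matrix):
    """Adjacent-by-rank pairs where the lower priority has the higher impact."""
    rows = sorted(matrix, key=lambda row: row[1])
    return [(hi[0], lo[0]) for hi, lo in zip(rows, rows[1:])
            if SEVERITY[lo[4]] > SEVERITY[hi[4]]]


if __name__ == "__main__":
    for rank, name in encryption_gaps(MATRIX):
        print(f"rank {rank:>2}: {name} holds FERPA data, no Encryption listed")
    print("rank/impact inversions:", rank_inversions(MATRIX) or "none")
```

The first check reports the rows where the matrix and Recommendation 1 disagree; the second confirms that the rank order and the impact ratings are consistent with each other.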
Part 2: Unit 6 Lab Assessment

1. Which IT assets did you prioritize as critical to administrative or student computing?

The IT assets I prioritized as critical to administrative or student computing included:

- Student Records
- Dedicated Administrative Computers
- Administrative File Server
- Dedicated Storage (on the Administrative File Server)
- Student File Server
- Network Devices (Firewalls, Routers, and Switches)
- Principal's Notebook Computer

2. List your top five (5) risk exposures for which you believe this school should have specific risk mitigation strategies.

My top five (5) risk exposures include:

1) Wireless LAN - unauthorized access to LAN and network resources
2) Principal's notebook computer - may get lost or stolen; may be exposed to malware; potential unauthorized physical access
3) Shared computers in the teacher's lounge - may be exposed to malware or unauthorized physical access
4) Students' laptops - may get lost or stolen; may be exposed to malware; potential unauthorized physical access
5) Shared computers in the computer lounge - may be exposed to malware or unauthorized use (Kim & Solomon, 2012).

3. Given the potential risks that you identified, what IT security policies would you recommend be created by the school to help mitigate each of the identified risk exposures you listed in #2 above?

Security policies to help mitigate identified risks include:

- A comprehensive Acceptable Use Policy (AUP) should be implemented, including security best practices for: effective authentication and authorization practices; proper email and Internet use; prohibition of inappropriate content; observance of legal statute or law; prohibition on unauthorized disclosure of sensitive information; and required system and security maintenance.
- Security awareness training should be provided to all users.
- Information contained on school systems should be classified, with sensitive information stored and transmitted using encryption; disclosure of sensitive or confidential information is strictly prohibited.
- All desktop computers and laptops should be password protected, and should be locked or logged off when unattended; sensitive information on laptops must be encrypted.
- Passwords should be alphanumeric, contain special characters, and be at least 8 characters in length; passwords should be changed at least quarterly. Accounts and passwords must never be shared.
- All computers and laptops should use approved, up-to-date antivirus software, and all software should be up to date.
- Access control and permissions should use the least privilege principle.
- Regular monitoring and auditing of network and system assets should be performed.
- Network access controls should include mechanisms for authentication and authorization, Access Control Lists (ACLs), and firewalls.
- Physical security should be implemented to secure mission-critical systems, including a secured server room, locks on entryways to the teacher's lounge, monitored use on the computer lab workstations, and video surveillance in key areas of the campus (Dulaney, 2009; Kim & Solomon, 2012).

4. True or False. FERPA Compliance law is about protecting the privacy data of students including personal information, grades, and transcripts. The law itself defines a privacy requirement but it does not specifically address security controls and security countermeasures.

True. While the law defines the scope of privacy requirements, including provisions for disclosure, it does not specify which security controls and countermeasures must be implemented (Kim & Solomon, 2012).
5. Given that student privacy data is typically housed within administrative computers, systems, and databases, what can you do to mitigate the risk exposure that a student or someone on the student or school's network can access these systems?

There are a number of security control mechanisms and practices that can be used to mitigate the risk of exposure to unauthorized access. Access control with strong authentication mechanisms can help secure student privacy data, such as Role-Based Access Control (RBAC) combined with multi-factor authentication; access and computer/network activity should be logged and audited regularly (Dulaney, 2009). Security zoning through access control lists (ACLs) and virtual local area networking (VLAN) can be used to isolate sensitive data and mission-critical systems; likewise, firewalls can be implemented as a perimeter defense for school network systems, and can be used to create a demilitarized zone (DMZ) that provides a buffer between the school systems and untrusted networks (Dulaney, 2009). Additional countermeasures could include physical security such as secured rooms, locked entryways, video surveillance, and security personnel (Dulaney, 2009).

6. For a school under FERPA compliance law, do you think the administrative computing or student computing network infrastructure is more important from a business and delivery of education perspective?

In regard to FERPA compliance, the administrative systems hold higher priority because they house or directly integrate student information, and support the network infrastructure and services. Federal funding can be crucial for maintaining educational services and day-to-day operations; in order to receive federal funding, Premier Collegiate School must meet all FERPA requirements and protect its student records, particularly personally identifiable information or indirect information that can be used to identify a student (Kim & Solomon, 2012). By contrast, student systems would be essential for maintaining the educational curriculum, but would not have access to private student information with proper security zoning and access control implemented, and therefore would have lesser importance in the context of FERPA compliance.

7. The school monitors the use of student social networking on Facebook, MySpace, and Twitter. What should the school define and implement if it wants to define acceptable and unacceptable use of school IT assets, Internet, e-mail and use of personal laptop computers on the school's network?

Premier Collegiate School should implement a comprehensive AUP in regard to the use of school resources (including devices that connect to the school network). This AUP should include best practices for email and Internet use; prohibition of inappropriate content or illegal activity; and requirements for strong password policy, antivirus and software updates, and secure account handling, as well as monitoring policies (Dulaney, 2009). In regard to social networking activity, the AUP should also stipulate confidentiality requirements, and prohibit offensive or illegal content and activity; additionally, the AUP should include times allowed (if any) for personal use on the school network. Additionally, the AUP should require that all computers and laptops connecting to the school network have authorized antivirus software installed and regularly updated. Another mitigation technique includes security awareness education against social engineering attacks (Stallings & Brown, 2008).
References

Dulaney, E. (2009). CompTIA Security+ Study Guide. Indianapolis, IN: Wiley Publishing, Inc.

Kim, D., & Solomon, M. G. (2012). Fundamentals of Information Systems Security. Sudbury, MA: Jones & Bartlett Learning.

Stallings, W., & Brown, L. (2008). Computer security: Principles and practice (2nd ed.). Upper Saddle River, NJ: Pearson Education, Inc.