30 May 2011
Information Security Modification Recommendations
Service Level Agreement Between Finman Account Management, LLC, Datanal Inc., and Minertek, Inc.
By Thomas A. Groshong Sr RLHT_Task3_2011-05-30.docx

Upon review of the current Service Level Agreement (SLA) “A Service Level Agreement for Provision of Specified IT Services Between Finman Account Management, LLC, Datanal, Inc., and Minertek, Inc.” it has been determined that standard Information Technology (IT) security measures have not been addressed. Recommended changes have been added to the specific sections listed below and are highlighted in yellow. These changes are made to better protect Finman’s data and intellectual property, using established industry standards such as the Information Technology Infrastructure Library (ITIL), Best Management Practices (BMP) and International Organization of Standards (ISO) recommendations for proper handling, storage, and protection of IT resources.

A. Recommend changes (i.e., modifications, insertions, or deletions) to the attached “Service Level Agreement” to better protect Finman’s data and intellectual property.

Section 3 Background and Rationale Modifications:

Finman views this SLA as a groundbreaking venture to harness the diverse array of IT-borne customer demands and opportunities that cannot be met by adhering to traditional paradigms. Finman’s objectives in the SLA are to compete more effectively in a highly competitive industry by offering its customers a unified IT management plan across an entire organization or even, if the customer wishes, across separate departments and divisions. Datanal, utilizing sophisticated data-mining software developed by Minertek, will recognize and integrate common IT characteristics from disparate operations, programs, procedures, and products, even those located in separate and unrelated service areas. This enables the customer to reduce or eliminate duplicate, parallel systems and to achieve economies of scale and open new opportunities.

The consolidation of assets will require a review of existing hardware systems, applications, and network authentication processes. Datanal will establish an Access Control List (ACL) system and create Group Policies (GP) to provide authentication and authorization to resources for users of network resources. Establishment of a Third Party Verification (TPV) process for users will provide confidentiality and integrity to meet current industry standards. Data storage integrity shall be reviewed and a backup solution that is compliant with industry standards shall be established. Datanal will ensure Information Security (IS) is improved to be compliant with International Trade Agreements, Federal patent laws, copyright laws and fair trade agreements.

Section 4 Statement of Intent Modifications:

As recognized by leading research and consulting firms with knowledgeable, skilled management, advanced state-of-the-art IT affords extraordinary opportunities for greater efficiencies, cost reduction, higher productivity, customer satisfaction, and profitability. Sophisticated IT applications realize their full potential with highly specialized technical knowledge and management skills readily available only in smaller firms focused primarily or exclusively on such applications.

State of the art IT Security Management (ITSM) processes such as threat management, auditing, encryption and customer education will be used to prevent misuse and/or abuse of Finman’s IT resources or services. Datanal will provide documentation and training resources to be distributed to all Finman organizations.

1. Justify how your recommendations will limit use, sharing, retention, and destruction of Finman’s corporate data by Datanal and Minertek.

ITIL, now known as Best Management Practice (BMP), provides Information Technology Security Management (ITSM) recommendations based on the ISO 27000 series standards. These best practices established by BMP create a framework for Information Security Management (ISM). A four prong approach to ISM includes Communication Awareness Training, Risk Management, and Vendors Manufacturing Agents. (Clinch, J. (2009, May))

The first step would be Communications Awareness training for all users using assets on the network. This would include Information Assurance (IA), basic computer and threat prevention training during the migration to CAC card and AD implementation. A user agreement and supervisor network access request form would be submitted for all users with proof of IA training. This agreement would state user responsibilities and penalties for violation of said agreement.

Second, risk management would include the creation of auditing processes, data backup, and recovery strategies. This would include documentation of all security tasks, audit logs and associated risks or threats. Data backup and recovery systems would be evaluated to include a total solution with established disaster recovery plans and restoral processes. A data retention/storage program stating the length of time data is stored and ultimately disposed of must be established. Evaluation and modification of existing Host Based Intrusion Detection System (HBIDS), Firewall (Spam filters), and virus detection software programs must be completed. If these systems are not in place a plan for implementation would be established.

Third, hardware devices such as firewalls, routers, proxy firewalls, computer based firewalls and Intrusion Detection and Protection Systems (IDPS) must be in place at all sites to ensure threats from the outside are prevented. Firewalls and routers will provide encryption external to the LAN and VPN encryption will provide external users access via a secure tunneled protocol. Virtual Private Networks (VPNs) would be established for offsite access to the LAN and would be limited to Finman provided and Datanal configured computers. Wireless access within the confines of Finman properties will be limited in scope to Finman assets and require WPA2 encryption and Radius Server access using CAC authentication. Change management processes would need to be created to document any changes made to these devices or systems as needed.

Fourth would be the concept of Vendors Manufacturing Agents or Partners. Each organization within Finman must be treated as a partner in the ISM process. Each organization within the company must engage in the process for a number of reasons but ultimately to protect the company from fraud, waste and abuse. Partners would identify assets that must be protected, backed up and possibly controlled. Information requiring special handling, or that is confidential or proprietary in nature, is best defined by the customer/partner. No one knows better than the owner of the processes when special handling is required. Data encryption at the file share or user level would be a good example of partner identified usage requirements. The idea that a partnership must exist between organizations is vital for proper handling of assets and ultimately the intellectual property of the company.

2. Justify how your recommendations will assure that Finman’s property, patents, copyrights, and other proprietary rights are protected.

There are three basic ISM concepts: Availability, Confidentiality, and Integrity. An application such as Active Directory (AD) to create user accounts and security groups for the entire Finman organization would be a good approach. AD can be created for a company’s Wide Area Network (WAN) environment to include multiple Domains and across Local Area Networks (LANs). By creating accounts for each user and assigning them permissions to the network based on their association or group membership, ACLs would prevent user access to network data or systems they are not authorized to use, and GPs would provide the process to manage the network systems or services along organizational structures. GPs would establish access to systems or services based on organizational association and group rights and/or permissions. Group security policies can be managed Domain wide and can be granular in nature to limit access and availability to specific systems, applications and data. Once the system is in place basic adds, moves and changes are automated and easily accomplished. Management of this system can be local and/or remote for a 24/7 operation if needed.

Each user would receive a Common Access Card (CAC) for TPV purposes that would hold certificates for personal identification and authentication. This process allows a known good Certificate Authority (CA) to issue certificates that are unique to the individual. (SANS Institute, Initials. (n.d.)) Users would gain access to the network using the CAC and a Personal Identification Number (PIN) assigned individually and controlled. This provides authentication and integrity of the data via the digital signature of the user. TPV provides an independent agent to certify proof of identity and proof of electronic transactions. By implementing ACLs, GPs, and TPV much of the ISM work is done. (Clinch, J. (2009, May)) This is an aggressive program that will automate much of the security aspects discussed and provide a state of the art system.

Evaluation of existing systems to support IPv6 modernization must be completed and a plan for implementation established. By moving to these new technologies Finman and Datanal are making a concerted effort to meet international law and federal law and to conform to accepted standards (ISO) to provide a level of security to protect Finman’s patents, copyrights, and other proprietary intellectual properties. This requires these programs, change management, configuration management, incident management, backup/restoral management, and an Active Directory. (Weil, S. A. (2010, November))

Andrew Hiles states, “The security services service level is that there will be no hardware or software problems and no security rules changes for the following: Managed Firewall Access, Management Firewall Hosting, IP VPN-Internet Firewall-based, and IP VPN-Internet Router-based.” (Hiles, A. (2002)) The four prong approach discussed earlier must balance the need for security with the needs of the customer. Hardware solutions should be examined to provide the best security possible with the least impact on the customer Finman. These modifications to the SLA are to provide state of the art services and to follow established international standards for Information Technology (IT) and IT security. Ultimately this SLA should provide a manageable framework that establishes a strong partnership between Finman, Datanal and Minertek.

B: References

Clinch, J. (2009, May). ITIL V3 and Information Security. Best Management Practice. Retrieved May 6, 2011, from http://www.best-managementpractice.com/gempdf/itilv3_and_information_security_white_paper_may09.pdf

Hiles, A. (2002). E-business service level agreements: strategies for service providers, e-commerce and outsourcing. Brookfield, Conn: Rothstein Catalog On Service Level Books.

SANS Institute, Initials. (n.d.). Password Policy. Retrieved May 30, 2011, from http://www.sans.org/security-resources/policies/Password_Policy.pdf

Weil, S. A. (2010, November). How ITIL Can Improve Information Security. Retrieved May 26, 2011, from http://www.symantec.com/connect/articles/how-itil-can-improve-information-security