Security Plan for Solomon Enterprises

Abstract

This paper looks at how Solomon Enterprises conducts its business (business model) and its current security tools and controls in place. Since Solomon Enterprises’ business model requires it to have an IT infrastructure to process, store, and retrieve information for their internal stakeholders, customers, and external users, this paper evaluates their current IT system and network security policies and controls in place and looks at various possible administrative, physical, and technical controls, security policies, legislations/regulations, and network security tools that will affect and aid the creation of a robust security plan resulting in a more secure network and a much secure overall IT infrastructure. Keywords:  Security Plan, Solomon Enterprises, Tools and Controls

Security Plan for Solomon Enterprises

Solomon Enterprises is an online health insurance provider which employees 500 people across five different locations in the USA. The health insurance can be bought online via their website. The company generates $200 million in annual revenue through their online business model which is a target for hackers and criminals. They have one central database/data center located in West Virginia and regional offices in Florida, Texas, Arizona, Montana, and Missouri.  Customers, clients, and users can have access to website through the Internet. Company implemented a disaster recovery site which is in Billings, Montana.  Solomon Enterprises provide VPN connections for users to work remotely on an encrypted connection. They have a firewall service implemented in their central data center and each regional office has a firewall to monitor traffic and keep unauthorized access from the facility. Employees are assigned by company issued devices to work on in the office and laptops for remote access.  All these devices are running Windows XP and the server is running Windows 2003. As part of the regulatory requirements, Solomon enterprises complies with HIPAA which protects information in electronic form and ensures that electronic protected insurance information is secure. Currently, Solomon enterprises security business model consists of security controls which are administrative controls, logical controls, physical controls and operational controls. “As part of administrative controls, password policy, hiring policy, employee training and security awareness training” (Clarke, 2014) are being implemented.  Issues regarding background check, training and awareness, recovery strategies need to be addressed. “Technical controls include firewalls, encryption, passwords and intrusion detection systems” (Clarke, 2014) are implemented in the company. Smartcards, network authentication and Access control list issues need to be addressed. “Physical controls include doors, locks, fences, security guards, lockdown cables and video surveillance equipment” (Clarke, 2014) are already part of the physical facility. Surveillance, alarm system and safeguard issues need to be addressed. Solomon enterprises are facing issues regarding Information security which is to protect the company’s proprietary information. We have come up with some significant changes and updates in Solomon enterprises’ security business model which ensures online transaction’s safety, data confidentiality and continuous operations.

Administrative Controls

As per Jahoda, Krátký, Prpič, Čapek, Wadeley, Ruseva, Svoboda (2017) “Administrative controls define the human factors of security. It involves all levels of personnel within an organization and determines which users have access to what resources and information”.

Background Check

It is ending up more typical for specialists of numerous sorts to firmly suggest exhaustive personal investigations (Hammer, 2016). A background check can help Solomon in many ways. The following are the reasons to conduct a background check (Hammer, 2016):

• Reduce theft and embezzlement (Hammer, 2016)
• Limit legal exposure for negligent hiring and retention (Hammer, 2016)
• Increase applicant quality (Hammer, 2016)
• Check for potential discipline problems (Hammer, 2016)
• Verify application information (Hammer, 2016)
• Decrease insurance costs (Hammer, 2016)
• Discover drug or alcohol problems in applicant (Hammer, 2016)
• Decrease workplace violence (Hammer, 2016)
• Discourage applicants who have something to hide (Hammer, 2016)
• Limit uncertainty in the hiring process (Hammer, 2016)
• Enable the company to know who it is hiring (Hammer, 2016)

Employers have found that Database Criminal Record looks are loaded with blunders and are not superior to anything no individual verification by any stretch of the imagination. In the event that utilized legitimately, databases can be an incredible research instrument; however, they are never a genuine record verification independent from anyone else (Hammer, 2016). Background checks now usually incorporate region criminal record checks for areas of school, work, living arrangement, and their neighboring districts (Hammer, 2016). A heap of different screens, checks, and quests are accessible to the business. These incorporate Credit Checks, Driving Record Checks, Drug Screening, and Skills Testing (Hammer, 2016).

Recovery Strategies

A disaster recovery strategy should begin at the business level and figure out which applications are most critical to running the association. The RTO portrays the objective measure of time a business application can be down, commonly measured in hours, minutes or seconds. In deciding a recuperation methodology, associations should consider such issues as budget, resources - individuals and physical offices, management's position on dangers, technology, data, and suppliers.

Training and Awareness

Today, new-school security mindfulness preparing is an absolute necessity on the off chance that you need to ensure your system against ransomware, CEO Fraud and other social building assaults. Workers are presented to complex (stick) phishing assaults and need to detect the Red Flags identified with suspicious messages. You can make a "human firewall" that is extremely compelling in spotting and revealing phishing assaults if your security mindfulness preparing isn't only a yearly preparing however incorporates month to month mimicked phishing assaults which keeps your clients on their toes with security best of brain (Kosutic, 2015).

Physical Controls

As per Jahoda et al. (2017) “The Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material”. The following physical controls will be used in Solomon Enterprises’ facilities across the United States to deter and prevent unauthorized access to its information databases (Jahoda et al., 2017):

Closed-circuit Surveillance Cameras

Closed circuit television cameras, or CCTVs are robust cameras that can withstand bad weather and vandalism to a certain extent. Live feed from the cameras are fed into a CCTV system which backs up the videos on a digital/analog media for future use.

Motion or Thermal Alarm Systems

Motion or thermal alarm systems work by detection motion, and/or heat signatures given out by organic bodies, such as humans, animals etc., or inanimate objects like vehicles, etc. The camera sounds an alarm and alerts proper authorities in case of an intrusion.

Security Guards

Security guards can play the role of the first line of defense. When posted at critical entrances, they can check for any unusual or suspicious behaviors and take appropriate actions to deter or prevent an unauthorized activity about to happen.

Picture IDs

Picture IDs are the most basic form of authentication. A security guard or a scanner can check whether the person presenting a picture ID is who they claim to be. This can also be considered as a first line of defense against unauthorized access.

Technical Controls

Technical controls address the technical and tactical issues related to design and implementation of security measures in an organization and also deals with the issues related to examining and selecting the technologies that deal with safeguarding the data (Jahoda, Krátký, Prpič, Čapek, Wadeley, Ruseva, Svoboda, 2017). Some of the controls are explained below:

Encryption

Encryption is the process of encoding information that only authorized users can access. Encryption of data in a network is implemented through Internet Protocol Security (IPSec). The most famous encryption algorithms are AES, 3DES, RC4. This encryption can be implemented between the disaster recovery site and their data center, also from the data-center to the end user to provide maximum security for the data and the information (Rouse, 2007).

Smart Cards

Smart cards are small plastic cards that contain integrated circuits that save user’s certificates and passwords (Microsoft, n.d.). Smart cards can be used to provide strong user authentication for security solutions. It includes secure logging over a network, web connection and secure email. The employees of Solomon Enterprises are using systems with Windows XP and Windows 2003 server, and these servers support logging in with the smart card authentication by using EAP-TLS extension for Point to Point Protocol. The user is prompted to insert the Smart card and a PIN number when they are using EAP-TLS.

Firewalls

As Solomon Enterprises currently has a firewall in place between their data-center and their regional offices to restrict unauthorized access, it will be more secure if they migrate to the next-generation firewalls. Recently most companies are implementing next-generation firewalls to restrict and block modern threats like advanced malware and application layer attacks. According to Gartner, Inc.’s (2009) definition, a next-generation firewall must include

• Standard firewall capabilities like state-full inspection
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats

Security Policies

This Security approach archive characterizes regular security prerequisites for all Solomon Enterprises faculty and frameworks that make, look after, store, access, process or transmit data. This approach likewise applies to data assets claimed by others, for example, contractual workers of the Solomon Enterprises. This approach covers the Solomon Enterprises arrange framework which is included different equipment, programming, correspondence hardware and different gadgets intended to help the Solomon Enterprises in the creation, receipt, stockpiling, preparing, and transmission of data. This definition incorporates gear associated with any Solomon Enterprises space or VLAN, either hardwired or remotely, and incorporates all remain solitary hardware that is sent by the Solomon Enterprises at its office areas or at remote regions (National learning consortium, 2011). The following are the employee requirements according to National learning consortium (2011):

Electronic communication, E-mail and Internet Usage

The Solomon Enterprises holds the right, at its watchfulness, to survey any worker's documents or electronic interchanges to the degree important to guarantee every single electronic medium and administrations are utilized as a part of consistence with every single material law and controls and in addition Practice arrangements.

Identification and Authentication Requirements

The host security administration program should keep up current client application action approvals. Each underlying solicitation for an association or a session is liable to the approval procedure beforehand addressed.

Network Connectivity

The security of Solomon Enterprises frameworks can be imperiled from outsider areas if security practices and assets are deficient. At the point when there is a need to associate with an outsider, a hazard investigation ought to be led. The hazard investigation ought to consider the sort of access required, the estimation of the data, the safety efforts utilized by the outsider, and the suggestions for the security of Solomon Enterprises frameworks. The Privacy Officer or proper work force ought to be associated with the procedure, plan, and endorsement.

Encryption key

An encryption key determines the specific change of plain content into figure content, or the other way around amid decoding. Secure information and records should be scrambled before being transmitted through systems. At the point when scrambled information are exchanged between offices, the organizations might devise a commonly pleasing strategy for secure key administration. Because of contention, the Solomon Enterprises should set up the criteria in conjunction with the Privacy Officer or suitable work force. The Solomon Enterprises utilizes a few techniques for secure information transmission (National Learning Consortium, 2011).

SSL Certificates

When anyone accesses Solomon Enterprises safe SSL site, they must be asked for utilizing the Network Access Request and have fitting endorsement from the administrator or office head and additionally the Privacy Officer or proper faculty before any entrance is concede (National Learning Consortium, 2011).

Legislation and Regulations

In addition to trade with federal initiatives, many public and private insurers have been affected by technological developments that have instigated the rearrangement of fiscal resources in the health insurance marketplace. To avoid the legislation and regulation causes and effects which our organization may face, we are taking up some special acts which help to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes, between its several components, privacy and security rules. These rules effort on Protected Health Information (PHI) and electronic PHI (ePHI) congregated in the healthcare process and command the calibration of electronic transactions, code sets, and identifiers. The privacy and security rules are comprehensive and inflexible (Noblett, 2006). The HIPAA defends health insurance coverage for workers and their families when they change or lose their jobs, entails the formation of national ethics for electronic health care transactions, and necessitates establishment of national identifiers for providers, health insurance plans, and employers (Noblett, 2006). The HHS Office for Civil Rights administers the HIPAA Privacy and Security Rules. The HIPPA rule defines what information is threatened and how protected evidence can be used and revealed. HIPAA describes who is covered by the HIPAA privacy protections and what safeguards must be in place to ensure proper protection of electronic protected health information (Vinson, 2013).

Health Information Technology for Economic and Clinical Health (HITECH)

The Office of the National Coordinator for Health Information Technology’s (ONC) effort on health IT is lawful by the Health Information Technology for Economic and Clinical Health (HITECH) Act (Vinson, 2013). The HITECH act recognized ONC in law and provides the U.S. Department of Health and Human Services with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records (EHRs) and private and secure electronic health information exchange (Vinson, 2013). Even though the regulation emphases on the healthcare industry, other companies can be obstructed if they engage in certain events, such as the management of employee group health plans, or if they offer services to companies that are directly wedged by the regulation (Noblett, 2006). ONC authors regulations that set the standards and certification principles EHRs must meet to pledge health care professionals and hospitals that the systems they assume can perform certain functions. The ONC HIT Certification Program also supports the Medicare and Medicaid EHR Incentive Programs, which afford financial incentives for “meaningful use” of certified EHR technology (Noblett, 2006).

Network Security Tools

As per Mike D. Schiffman (2003), a network security tool is an algorithm designed to probe, assess, and/or increase the overall security and safety of a communications network. They can also be used to mitigate the risk associated with a network communication by assisting in auditing for security compliance purposes.

Network Security Tool Classification

Network security tools can be classified into four classes as explained below (Schiffman, 2003):

Active reconnaissance tools

Network security tools under this type of class are used to collect information about a network and help the user running the tool to learn more about a network entity. The tools achieve this by doing something that can be detected. An example would be sending traffic over a network and then waiting for a response. Active reconnaissance tools in majority of the cases do not change a network entity’s state in any way, and when they do, the change is very small. Examples include port scanning, IP expiry, etc.

Passive reconnaissance tools

Network security tools under this type of class are also used to collect information but work in the opposite way. Where active reconnaissance tools send traffic over a network and listen to the response, passive reconnaissance tools achieve information gathering by receiving and analyzing unsolicited traffic on a network. Since passive reconnaissance tools only receive traffic, they do not change any state on the network entity in question. Examples include packet sniffing, etc.

Attack and penetration tools

Network security tools under this type of class are also used to test and expose vulnerabilities in a network. The tools achieve this by exploiting and attacking a specific vulnerability or a set of vulnerabilities. Tools under this class aid the tester/attacker gain unauthorized access to a network entity by breaking into it. Tools under this class need periodic updates since vulnerabilities are often patched as soon as they are found. Examples include vulnerability scanning and testing software.

Defensive tools

Network security tools under this type of class are used to keep network entities safe from threats. The tools achieve this by using encryption to encrypt data sent on the network, implementing watchdogs for any unsolicited or unwanted traffic on the network and/or by blocking/filtering network traffic based on user defined criteria. Examples include intrusion detection, firewalling, encryption, etc.

Network Security Tools Examples

Packet Sniffer

Packet sniffers work by capturing and logging system activity that they can 'see' by means of the wired or remote system interface that the parcel sniffing programming approaches on its host PC. On a wired network, what can be captured depends upon the structure of the system. A parcel sniffer may have the capacity to see activity on a whole system or just a specific section of it, contingent upon how the system switches are designed, put, and so forth. On remote systems, parcel sniffers can normally just catch one channel at any given moment unless the host PC has different remote interfaces that take into consideration multichannel catch (O’Donnell, 2017). The most popular Packet sniffing tool is Wireshark.

Port Scanner

It is like a criminal experiencing your neighborhood and checking each entryway and window on each house to see which ones open and which ones are bolted. Port Scanning programming, in its most essential state, just conveys a demand to interface with the objective PC on each port successively and makes a note of which ports reacted or appear to be interested in additional top to bottom testing. If the port scan is being finished with malicious purpose, the gatecrasher would for the most part like to go undetected. System security applications can be arranged to ready executives if they distinguish association asks for over an expansive scope of ports from a solitary host. To get around this the interloper can do the port output in strobe or stealth mode (Bradley, 2017). One of the Port Scanning Tool is Angry IP Scanner.

Vulnerability Scanning

Like Packet sniffing, Port Scanning and other Security Tools, Vulnerability Scanning can enable you to secure your own system or it to can be utilized by the awful folks to recognize shortcomings in your framework to mount an assault against. The thought is for you to utilize these devices to distinguish and settle these shortcomings previously the awful folks utilize them against you. The objective of running a Vulnerability Scanning is to recognize gadgets on your systems that are interested in known vulnerabilities (Bradley, 2017). One of the Vulnerability Scanning Tool is Nexpose Community Edition.

Intrusion Detection System

An Intrusion Detection System (IDS) screens organize movement and screens for suspicious action and alarms the framework or system manager. Now and again, the IDS may likewise react to anomalous or malicious activity by making a move, for example, obstructing the client or source IP address from getting to the system. IDS arrive in an assortment of "flavors" and approach the objective of recognizing suspicious activity in various ways (Bradley, 2017). One of the IDS tools is ArcSight Enterprise Security Manager (ESM).

Conclusion

To conclude, it can be said that by implementing various tools and methodologies mentioned in different sections of the paper, Solomon Enterprises can benefit greatly in terms of overall increased security of its facilities and data. With its current security systems upgraded and new ones installed, Solomon Enterprises can be sure that majority of unauthorized accesses to its systems will be caught and dealt with.

References

• Clarke, G. E. (2014). CompTIA Security+ Certification Study Guide. New York: McGraw-Hill Education
• Kosutic, D. (2015). 8 Security Practices to Use in Your Employee Training and Awareness Program. Retrieved from https://www.tripwire.com/state-of-security/security-awareness/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
• Hammer, G. (n.d.). The Growing Trend to Thorough Background Checks. Retrieved from http://www.amof.info/thorough.htm
• Rouse, M. (2017). Network Encryption. Retrieved from http://searchsecurity.techtarget.com/definition/network-encryption
• Jahoda, M., Krátký, R., Prpič, M., Čapek, T., Wadeley, S., Ruseva, Y., Svoboda, M., (2017). A Guide to Securing Red Hat Enterprise Linux. Red Hat, Inc.
• Microsoft (n.d.). Security with Smart Cards. Retrieved from https://technet.microsoft.com/en-us/library/cc962052.aspx
• Vinson. (2013). Health IT Legislations and Regulations. Retrieved from https://www.healthit.gov/policy-researchers-implementers/health-it-legislation
• Schiffman, M. D. (2003). Building Open Source Network Security Tools. Indianapolis: Wiley Publishing Inc.
• Lyon, G. (n.d.). SecTools.Org: Top 125 Network Security Tools. Retrieved from http://sectools.org/.
• National Learning Consortium (2011). About the National Learning Consortium. Retrieved from https://www.healthit.gov/providers-professionals/national-learning-consortium
• O’Donnell, A. (2017). What are Packet Sniffers and How Do They Work?. Retrieved from https://www.lifewire.com/what-is-a-packet-sniffer-2487312
• Bradley, T. (2017).Introduction to Port Scanning. Retrieved from https://www.lifewire.com/introduction-to-port-scanning-2486802
• Bradley, T. (2017).Introduction to Intrusion Detection Systems. Retrieved from https://www.lifewire.com/introduction-to-intrusion-detection-systems-ids-2486799
• Bradley, T. (2017).Introduction to Vulnerability Scanning. Retrieved from https://www.lifewire.com/introduction-to-vulnerability-scanning-2486798