Please review the rubric and attachments.
CYB 230 Project Three Guidelines and Rubric

Network System Security Plan Recommendation

Overview

The goal of any security practitioner is a secure network, so it’s essential to have an in-depth understanding of how various components can introduce security vulnerabilities and mitigate security risks. Practitioners must be able to analyze networks, identify deficiencies, and make recommendations to protect the system. In this project, you will be making recommendations for specific components based on your systems-level analysis of a network. The project will be submitted in Module Seven.

You will demonstrate your mastery of the following course competency:

CYB-230-01: Identify and troubleshoot deficiencies related to IT-system component security

Scenario

During its annual review of IT systems, Helios Health Insurance has realized that it lacks the in-house expertise to update its network system security plan. The organization has therefore hired a consultant to assist in this process. You will assume the role of this security consultant, tasked with updating the organization’s network system security plan by identifying deficiencies and recommending mitigation solutions. In order to help you make your recommendations, you have been provided with the current Helios Network System Security Plan and the Helios Network Diagram. Both documents can be found in the Project Three Submission task in Module Seven of your course.

Prompt

After reviewing the network system security plan and the network diagram, select a security objective (confidentiality, integrity, or availability) as the focus for your analysis and recommendations. Then prepare a report to communicate the system’s deficiencies and your recommendations to the organization’s security team. Specifically, you must address the critical elements listed below. The codes shown in brackets indicate the course competency to which each critical element is aligned.

A. Identify a hardware-based deficiency in the system and explain why this is an issue, based on your selected security objective. [CYB-230-01]
B. Recommend a method to remediate the hardware-based issue and protect the system. [CYB-230-01]
C. Identify a software-based deficiency in the system and explain why this is an issue, based on your selected security objective. [CYB-230-01]
D. Recommend a method to remediate the software-based issue and protect the system. [CYB-230-01]

Project Three Rubric

Guidelines for Submission: Your submission should be 2 to 3 pages in length (plus a cover page and any references). Use double spacing, 12-point Times New Roman font, and one-inch margins. Sources should be cited according to APA style. Use a file name that includes the course code, the assignment title, and your name—for example, CYB_100_Project_One_Neo_Anderson.docx.

| Critical Elements | Exemplary (100%) | Proficient (85%) | Needs Improvement (55%) | Not Evident (0%) | Value |
|---|---|---|---|---|---|
| Hardware-Based Deficiency [CYB-230-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Identifies a hardware-based deficiency in the system and explains why this is an issue, based on the selected security objective | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 23 |
| Remediation of Hardware-Based Issue [CYB-230-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Recommends a method to remediate the hardware-based issue and protect the system | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 23 |
| Software-Based Deficiency [CYB-230-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Identifies a software-based deficiency in the system and explains why this is an issue, based on the selected security objective | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 23 |
| Remediation of Software-Based Issue [CYB-230-01] | Meets “Proficient” criteria and addresses critical element in an exceptionally clear, insightful, sophisticated, or creative manner | Recommends a method to remediate the software-based issue and protect the system | Addresses “Proficient” criteria, but there are gaps in clarity, logic, or detail | Does not address critical element, or response is irrelevant | 23 |
| Articulation of Response | Submission is free of errors related to citations, grammar, spelling, and organization and is presented in a professional and easy-to-read format | Submission has no major errors related to citations, grammar, spelling, or organization | Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas | Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas | 8 |
| Total | | | | | 100% |

CYB 230 Helios Network Diagram

CYB 230 Helios Network System Security Plan

Helios Network System Security Plan

Prepared by the Information Technology Department, Helios Health Insurance

Executive Summary

Helios Health Insurance is required to identify all components of the network that contains, processes, and transmits data and information to help prepare and implement a plan for the security and privacy of the data and information. The objective of network system security planning is to improve the protection of all network resources. The Helios network has some level of sensitivity and requires protection as part of best management practices. The protection of the network must be documented in a network system security plan (NSSP).
The security plan is viewed as documentation of the structured process of planning adequate, cost-effective security protection for a network. It reflects direct collaboration from management responsible for the various network components and processes.

The purpose of this NSSP is to provide an overview of the security of the Helios Health Insurance network and to describe the controls and critical elements in place. This NSSP follows guidance contained in NIST Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

Note: The NSSP is a living document that will be updated periodically to incorporate new and/or modified security controls. The plan will be revised as the changes occur to the technical environment.

1. System Name and Identifier

System Name: HNSSP

2. System Categorization

FIPS 199 Guide for Developing Security Plans

Potential Impact

| Security Objective | Low Impact | Moderate Impact | High Impact |
|---|---|---|---|
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity: Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity. [44 U.S.C., SEC. 3542] | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability: Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |

3. System Operational Status

| Operational | Under Development | Major Modification |
|---|---|---|
| Server Cluster, Printing Management, End Users, System Administrators, Remote Users | Security Cluster | None |

4. Information System Type

| Major Application | General Support System |
|---|---|
| Server Cluster, Security Cluster, Printing Management | End Users, System Administrators, Remote Users |

5. System Environment

Helios Health Insurance is a standalone enterprise network that contains organized suites of hardware and software configurations. These configurations consist of managed workstations and servers protected from the internet by various network security devices.
The list below illustrates the breakdown of the environment to include both hardware/software and administrative processes.

Network-Wide
○ Workstations, including laptops, have a baseline image configuration that keeps the hard drives unencrypted for faster hard drive performance.
○ Open access to WIFI.
○ End user computers have full access to the internet and are not patched or updated regularly.

Remote Users
○ Mobile users are local administrators on the laptops.

System Administrators
○ Telnet to switches by administrators.
○ System admin network behind a firewall.