Christine Stagnetto-Zweig Consultant is seeking to identify and select an outside independent organization to perform the activities listed above. The remainder of this document provides additional information that will allow a service provider to understand the scope of the effort and develop a proposal in the format desired by the Consultant.


Security Evaluation Report, Proposal by Christine Stagnetto-Zweig, © 2011, Page 66


Table: Summary of System Security Risks

Risk Level | Control Category: Management | Operational | Technical | Total
-----------+------------------------------+-------------+-----------+------
High       |                              |             |           |
Medium     |                              |             |           |
Low        |                              |             |           |
Total      |                              |             |           |

SCOPE, APPROACH, AND METHODOLOGY

All information that is provided will be held in strict confidence. The proposal should reflect each of the sections listed below:

- External Network Vulnerability Assessment and Penetration Testing
- Internal Network Vulnerability Assessment and Penetration Testing
- Web Application Penetration Testing
- Dial-In / RAS Security Testing
- DMZ or Network Architecture Designs / Reviews
- Wireless Network Assessment and Penetration Testing
- Virtual Infrastructure Security Assessment
- Server Configuration Reviews
- Firewall and Router Configuration Reviews
- VPN Configuration Reviews
- Voice over IP Assessments
- Social Engineering Assessments
- Physical Security Reviews
- Software Source Code Reviews
- Application Threat Modeling and Design Reviews
- Information Security Policy and Procedure Development or Review
- Information Security Risk Assessment
- Security Awareness Program Development or Review
- Incident Response Program Development or Review
- Secure SDLC Program Development or Review
- PCI Quarterly Scans
- PCI Report on Compliance Assessment or Gap Analysis

SCOPE OF WORK

External Network Vulnerability Assessment
- Number of IP addresses in target space: XX
- Number of live hosts: XX

Internal Network Vulnerability Assessment
- Number of servers in target space: XX
- Number of network devices in target space: XX
- Number of workstations in target space: XX

Server Configuration Reviews
- Number and type (operating system and function) of servers to be reviewed: XX

Firewall Reviews
- Number and type of firewalls to be reviewed: XX
- Number of rules in each firewall rule set: XX

Web Application Assessment
- Name and description of each application to be assessed: XX
- Number of user input pages for each application: XX
- Number of user roles / privilege levels for each application: XX

Application Code Review
- Name and description of each application to be assessed:
- Number of lines of code in the application:
- Language(s) the application is written in:

DELIVERABLES

Christine Stagnetto-Zweig Consultant conducts this phase through policy and procedure review, interviews, and observation of key tasks. This ensures that policies cover key information security areas, industry best practices, and regulatory requirements. Subsequently, she will determine whether key control areas are operating effectively. This is achieved through evidence inspection, observation, and inquiry.

The result of this task is a report that identifies each control objective required or recommended, the evidence gathered, and the recommendation, if any, for improvement. Recommendations are specific to the requirement. In addition, Christine Stagnetto-Zweig Consultant will provide the College with the full set of IT policy templates, which will help the College quickly enhance or develop policies.

REQUIREMENTS AND ASSUMPTIONS

This project assumes certain participation and limitations as described below and as otherwise identified by the parties during the course of this engagement.

Christine Stagnetto-Zweig Consultant:
- Christine Stagnetto-Zweig Consultant to perform its services;
- third-party business partners considered within scope;
- Christine Stagnetto-Zweig Consultant's project activities to assemble relevant documentation and work papers within scope.

Christine Stagnetto-Zweig Consultant's fees are subject to reimbursement of travel costs for on-site services, and all rates listed herein will remain valid for 60 days from the date of this Service Order.


Acceptance

This Service Order is subject to the terms and conditions of the Master Services Agreement by and between Christine Stagnetto-Zweig Consultant and the College.

Oglala Lakota College                   Christine Stagnetto-Zweig Consultant
Signed:                                 Signed:
Name:                                   Name:
Title:                                  Title:
Date:                                   Date:


CONCLUSION, RECOMMENDATIONS & SOLUTIONS

Christine Stagnetto-Zweig Consultant concluded that Oglala Lakota College (OLC) needs a new, robust, restructured network infrastructure. The design goal is a simple network topology behind an appropriate firewall; at present the Internet connection is unstable.

The e-mail server needs strong protection against viruses and must filter them, as well as phishing messages. Another major concern is that OLC does not have sufficient personnel in the IT Administration Department and has no Information Security Department at all. With as many campuses as OLC operates, OLC needs to hire more people in IT Administration and create an InfoSec Department to manage security issues, which would also save the cost of paying outside firms for penetration testing. A further concern is that the available bandwidth is not enough and needs to be increased.

Other concerns are the lack of a sustainable funding source to provide increased bandwidth to end users, as Pauli Consulting stated in its report; the poor electrical supply and the lack of fail-over generators at each campus; and the state of support for cellular telephony and local telephone service used for transport and/or Internet access.

Another concern is Pictel; it should be replaced by Elluminate or WebEx. Elluminate is working at the Pejuta Haka College campus located in Kyle, SD, but is not in use at the other 12 campuses.

Solution

The solution is to add a Security Department and to carry out penetration testing. A new Security Department inside OLC will maintain the security policies and ensure compliance with them throughout the institution. The InfoSec Department will work with the IT Networking Administration Department to enforce all rules and policies. Creating an InfoSec Department is imperative because OLC will then not need to pay an outside company for every penetration test.

Before a penetration test begins, it is highly recommended that all sensitive data from all departments be backed up.

Risks

During a penetration test, information could be lost and some damage could occur, so both parties must sign a contract before any penetration testing begins.

Costs

Penetration testing should cost approximately $225 an hour; a full engagement should range from $5,000 to $50,000, depending on the skill of the testers and the size of the application. This includes meals, travel (mileage), and hotel.

ROI (Return on Investment)

Return on Investment (ROI), over-simplified, means that if you spend $100K on something, you want to know that within a certain period of time the money you spent is going to return something to you. You want to know how long that is going to take and what the percentage of return is. There are financial terms that need to be understood in order to perform an ROI calculation:

- Return on Investment (ROI) is the ratio of the net gain from a proposed project divided by its total costs.
- Payback Period is the time frame it takes for the project to yield a positive cumulative cash flow.
- Net Present Value (NPV) is a measure of the net benefit of a project in today's dollar terms.
- Internal Rate of Return (IRR) is the discount rate necessary to drive the NPV to zero; the value another investment would need to generate in order to be equivalent to the cash flows of the investment being considered.

The usual ROI calculations are not readily applied to security initiatives such as a penetration test. Technically speaking, there is no return on investment for a preventative measure other than to claim that "an ounce of prevention is worth a pound of cure." However, if you align the penetration test with a compliance programme or a revenue-generating project that requires it, the test can be seen as a necessary step in meeting the goals of the wider project.

The purpose of a pen-test is to discover and expose vulnerabilities in an organization's security systems.
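As an added worked example (not part of the original report), the four measures defined above computed for a hypothetical penetration-test budget. The cash flows are constructed: a $20,000 test, which falls inside the $5,000 to $50,000 range quoted under Costs, and an assumed $8,000 per year of avoided losses for three years; the 10% discount rate is likewise an assumption, not a figure from the report.

```python
"""Worked ROI, payback, NPV and IRR for a security project (added example).

All figures are constructed for illustration; none of them come from the report.
"""
from typing import List, Optional

# Constructed cash flows in dollars, indexed by year. Year 0 is the
# penetration-test cost (negative); years 1-3 are assumed avoided losses.
PENTEST_CASH_FLOWS: List[float] = [-20_000.0, 8_000.0, 8_000.0, 8_000.0]


def roi(cash_flows: List[float]) -> float:
    """Net gain divided by total cost (the report's ROI definition)."""
    cost = -cash_flows[0]
    net_gain = sum(cash_flows[1:]) - cost
    return net_gain / cost


def payback_period(cash_flows: List[float]) -> Optional[int]:
    """First year in which cumulative cash flow becomes non-negative, or None."""
    cumulative = 0.0
    for year, flow in enumerate(cash_flows):
        cumulative += flow
        if cumulative >= 0:
            return year
    return None


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value: each year's flow discounted back to today."""
    return sum(flow / (1.0 + rate) ** year for year, flow in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9) -> Optional[float]:
    """Discount rate at which NPV is zero, found by bisection.

    Returns None when NPV does not change sign on [lo, hi] (no single IRR).
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def summarize(cash_flows: List[float], discount_rate: float) -> dict:
    """All four measures for one set of cash flows and one discount rate."""
    return {
        "roi": roi(cash_flows),
        "payback_year": payback_period(cash_flows),
        "npv": npv(discount_rate, cash_flows),
        "irr": irr(cash_flows),
    }


if __name__ == "__main__":
    result = summarize(PENTEST_CASH_FLOWS, discount_rate=0.10)
    print(f"ROI:          {result['roi']:.1%}")
    print(f"Payback year: {result['payback_year']}")
    print(f"NPV @10%:     ${result['npv']:,.2f}")
    print(f"IRR:          {result['irr']:.2%}")
```

The constructed figures show why the four measures have to be read together: ROI is +20% and payback arrives in year 3, yet at a 10% discount rate the NPV is slightly negative and the IRR is about 9.7%, so the test only clears the hurdle if the college's cost of capital is below that. This is the gap the paragraph above describes; tying the test to a compliance requirement is what changes the decision, not the arithmetic.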

Recommendation for weaknesses of the existing network

I support the findings of Pauli Consulting, because it is very important to train and educate end users. I observed that staff who work with or handle sensitive data are not prepared in case of an attack. For example, many people handling sensitive data do not lock their computer when they leave their desk, and do not use a strong password.

I recommend creating a Security Department that can exercise more control over security and work with the IT Network Administration Department. The personnel for this department must consist of a Chief Information Security Officer, an Information Security Analyst, and an Access Control System Administrator.

Recommendation for threats to the existing network

I recommend penetration testing of servers, systems, and applications, as Pauli Consulting stated in its report, and I highly recommend doing it as soon as possible.

OLC needs to hire three kinds of testers: network architecture testers who can identify deficiencies in a wide variety of network designs; testers who specialize in system administration (communication protocols, file sharing, directory services, system hardening, backup processes, and more); and application and database testers who know what it takes to create applications (a programmer or a manager of a programming team) and how applications interact with databases.


Recommendations for Pictel/Web Conferencing

According to Pauli Consulting, and from my own experience working with this device, it is a big issue. It is not working properly and needs to be updated or replaced by more current software such as WebEx. Elluminate has been piloted, but it works only at the Pejuta Haka campus, when it is supposed to work at all centers.

Recommendations for Migration of the Network to Distributed Technology/Cloud Computing

Cloud computing removes the maintenance of physical hardware, but OLC needs more knowledge about cloud computing and must pay more attention to the network. The biggest problems are the maintenance of the cloud servers and the creation of user accounts (accounts have no secure passwords, and passwords are never changed). End users need to be trained.

Furthermore, I recommend the use of FDDI-2 (Fiber Distributed Data Interface), which follows the ANSI and ISO standards for data transmission over fiber-optic lines in a LAN (Local Area Network) and supports ranges of up to 200 km (124 miles). (Note that by the time of this report FDDI had largely been superseded by switched Ethernet over fiber.) The use of Internet2 will bring more capabilities and unique partnership opportunities, because it facilitates development and collaboration, with innovation and impact on the future of the Internet.

I have knowledge of EDUCAUSE/Internet2 Higher Education, and it has had tremendous results. On the other hand, OLC will need to increase its bandwidth from time to time because:

- Student numbers tend to grow, and universities increase the number of computers they own.
- The volume of resources on the Internet keeps growing and tends to become ever more bandwidth-hungry.
- New services on the Internet, such as streaming media and teleconferencing (Pictel), are increasing, and so is the bandwidth they need.
- The median bandwidth for universities that offer master's programs is between 45 and 89 megabits per second, whereas the average is only 2.3 megabits per second.

Increasing bandwidth will increase speed, and attention must be paid to all the recommendations regarding new technology.

Recommendations for hiring and creating a new department

According to Pauli Consulting, Oglala Lakota College needs to hire more people in the IT Administration Department. From my knowledge and experience working with other universities inside and outside the United States, I recommend the creation of an Information Security Department, which is needed to keep sensitive data safe and to maintain security across all departments, including administrative staff. This department would work together with the IT Administration Department, and it would save a lot of money now spent contracting outside personnel to perform audits and penetration testing.

Recommendations for physical security

My concern is the clutter of computers in the hallway of the IT Administration Department. These computers and other devices must be inventoried, classified, and kept safe in a locked room; if possible, the room should be protected with a card reader. I highly recommend applying this physical security at all campuses.

In addition, I highly recommend doing the same with the labs at all campuses, and locking them with a card reader. Each lab must have a lab assistant who controls which students work there. Students enrolled in IT classes have priority in using the lab and must prove their registration in those classes by bringing a printed copy of their class registration.

The purpose of the lab is to give students the opportunity to acquire the skills necessary to find a job in their field. I highly recommend the use of Netop software, which is used in higher education for managing classrooms and labs. It can improve understanding of the course instead of students chatting on Facebook, and it lets the instructor control the class as if by remote control. For further information, see: http://www.netop.com/products/education.htm

Furthermore, students at all campuses must have a password to use campus computers or their own laptops; without a password issued by the Information Security Department they cannot use the computers on campus. Likewise, students using the Library Department must have their password and ID to use the computers there. Computers must be used exclusively by students who have paid for their classes, not by outsiders or members of the public who are not registered in classes at OLC centers.


Recommendations for implementing a strong, robust, and resilient network infrastructure

I highly recommend using the services of Cisco, which provides a strong architecture and a robust wireless infrastructure. Cisco is an expert in working with higher education and has vast experience in the learning environment with digital media and video solutions such as TelePresence conferencing. This improves ROI, cost control, and expenditure management.

Redesigning the network infrastructure with strong security is highly recommended.

OLC has weak authentication and weak passwords. An intelligent infrastructure for protecting assets is essential; firewalls and antivirus alone are not sufficient. OLC must implement new security policies and resolve incompatibilities, creating an adequate security net.

OLC must provide robust security across all campuses, establish prevention methods, monitor the network, and prioritize immediate changes over security threats. Network security must maintain a balance between individual customization and privileges. The biggest pitfall OLC has is the disastrous traffic on the network, and it must implement an intelligent infrastructure that accommodates platforms, protocols, security credentials, and devices. Given the complexity of security threats, an attack is as likely to come from inside the network, via an e-mail attachment or a remote device, as it is to come from outside. The infrastructure must be reliable across any desired form of authentication.

OLC must protect assets, users, networks, applications, and transactions, and minimize security risks.
















D. Appendixes

Security Policies according to the SANS Institute


Password Policy

1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Oglala Lakota College's entire corporate network. As such, all Oglala Lakota College employees (including contractors and others with access to Oglala Lakota College systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Oglala Lakota College facility, has access to the Oglala Lakota College network, or stores any non-public Oglala Lakota College information.

4.0 Policy

4.1 General


- All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
- All production system-level passwords must be part of the InfoSec-administered global password management database.
- All user-level passwords (e.g., e-mail, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
- User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
- Passwords must not be inserted into e-mail messages or other forms of electronic communication.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. Keyed-hash authentication must be used where available (i.e., SNMPv3 with authentication enabled; SNMPv1 and SNMPv2c send the community string in the clear).
- All user-level and system-level passwords must conform to the guidelines described below.

4.2 Guidelines

A. General Password Construction Guidelines


Passwords are used for various purposes at Oglala Lakota College. Some of the more common uses include: user-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords.

Poor, weak passwords have the following characteristics:

- The password contains fewer than eight characters.
- The password is a word found in a dictionary (English or foreign).
- The password is a common-usage word such as:
  o Names of family, pets, friends, co-workers, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software.
  o The words "Oglala Lakota College," "sanjose," "sanfran" or any derivation.
  o Birthdays and other personal information such as addresses and phone numbers.
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  o Any of the above spelled backwards.
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:


- Contain both upper and lower case characters (e.g., a-z, A-Z).
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
- Are at least eight alphanumeric characters long.
- Are not a word in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some variation.

NOTE: Do not use either of these examples as passwords!


E. Password Protection Standards

Do not use the same password for Oglala Lakota College accounts as for other non-Oglala Lakota College access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various Oglala Lakota College access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account.

Do not share Oglala Lakota College passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential Oglala Lakota College information.


Here is a list of "don'ts":

- Don't reveal a password over the phone to ANYONE.
- Don't reveal a password in an e-mail message.
- Don't reveal a password to the boss.
- Don't talk about a password in front of others.
- Don't hint at the format of a password (e.g., "my family name").
- Don't reveal a password on questionnaires or security forms.
- Don't share a password with family members.
- Don't reveal a password to co-workers while on vacation.

If someone demands a password, refer them to this document or have them call someone in the Information Security Department.

Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger).

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

Change passwords at least once every six months (except system-level passwords, which must be changed quarterly). The recommended change interval is every four months.

If an account or password is suspected to have been compromised, report the incident to InfoSec and change all passwords.

Password cracking or guessing may be performed on a periodic or random basis by InfoSec or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

F. Application Development Standards

Application developers must ensure their programs contain the following security precautions. Applications:

- Should support authentication of individual users, not groups.
- Should not store passwords in clear text or in any easily reversible form.
- Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
- Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
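The second and third items above (no clear-text or reversible storage, and role management that lets one user cover for another without sharing a password), as an added example that is not part of the original report or of any SANS template. It uses only the Python standard library; the iteration count, role names and user names are hypothetical, and `store_reversible` is shown only as the pattern the policy forbids.

```python
"""Password storage and role-based delegation per the application standards (added example).

Not part of the original report. Standard library only.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Set

PBKDF2_ITERATIONS = 600_000  # hypothetical operational setting; tune to your hardware


def store_reversible(password: str) -> str:
    """What the policy forbids: base64 is encoding, not encryption, and is trivially reversed."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the plaintext cannot be recovered from the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported password record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


# Role management: a user covering for a colleague is granted the colleague's
# role, never the colleague's password. Role and user names are hypothetical.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "registrar": {"view_grades", "edit_grades"},
    "helpdesk": {"reset_student_password"},
}


def authorize(user_roles: Dict[str, Set[str]], user: str, action: str) -> bool:
    """True if any role held by the (individually authenticated) user grants the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles.get(user, set()))


def delegate_role(user_roles: Dict[str, Set[str]], from_user: str, to_user: str) -> None:
    """Let to_user take over from_user's functions by copying roles, not credentials."""
    user_roles.setdefault(to_user, set()).update(user_roles.get(from_user, set()))


if __name__ == "__main__":
    # The sample password is the one the policy text itself says not to use for real.
    record = hash_password("Tmb1W>r~", iterations=50_000)
    print(record)
    print(verify_password("Tmb1W>r~", record), verify_password("wrong", record))
    roles = {"alice": {"registrar"}, "bob": set()}
    delegate_role(roles, "alice", "bob")
    print(authorize(roles, "bob", "edit_grades"))
```

The record format carries its own iteration count, so the count can be raised later without invalidating existing records; `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched.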

G. Use of Passwords and Passphrases for Remote Access Users

Access to the Oglala Lakota College networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

H. Passphrases

Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key, which is known by all, and the private key, which is known only to the user. Without the passphrase to "unlock" the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase:

"The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

All of the rules above that apply to passwords apply to passphrases.
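As an added example (not part of the original report or the SANS template), a checker that applies the construction guidelines from section 4.2 and the passphrase rule just stated, with `min_length` raised for passphrases. The dictionary, organisation terms and keyboard patterns are small constructed stand-ins for the real lists a deployment would load; the two sample passwords and the sample passphrase from the text are used as inputs.

```python
"""Password/passphrase construction check implementing the guidelines above (added example).

Not part of the original report. The word list and patterns are constructed samples;
a deployment would load a full dictionary (e.g. a cracklib word list) and the user's
own attributes from the directory.
"""
import string
from typing import Iterable, List

# Constructed stand-ins for a real dictionary and for the organisation's names.
DICTIONARY_WORDS = {"secret", "password", "welcome", "summer", "college"}
ORG_TERMS = ("oglala", "lakota", "sanjose", "sanfran")
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "aaabbb")


def _has_run(s: str, length: int = 3) -> bool:
    """True if s contains `length` consecutive identical, ascending or descending characters."""
    for i in range(len(s) - length + 1):
        codes = [ord(c) for c in s[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _core_word(s: str) -> str:
    """Lower-case the candidate and strip leading/trailing digits and punctuation."""
    return s.lower().strip(string.digits + string.punctuation)


def check_password(candidate: str, personal: Iterable[str] = (), min_length: int = 8) -> List[str]:
    """Return the list of guideline violations; an empty list means the candidate passes.

    min_length=8 is the password rule; pass a larger value for passphrases.
    """
    reasons: List[str] = []
    if len(candidate) < min_length:
        reasons.append("too_short")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        reasons.append("no_mixed_case")
    if not (any(c.isdigit() for c in candidate) and any(c in string.punctuation for c in candidate)):
        reasons.append("no_digit_or_punctuation")
    core = _core_word(candidate)
    lowered = candidate.lower()
    if core in DICTIONARY_WORDS or core[::-1] in DICTIONARY_WORDS:
        reasons.append("dictionary_word")      # also catches secret1 / 1secret / terces
    if any(term in lowered or term[::-1] in lowered for term in ORG_TERMS):
        reasons.append("organisation_name")
    if any(p in lowered for p in KEYBOARD_PATTERNS) or _has_run(lowered):
        reasons.append("pattern")              # aaabbb, qwerty, zyxwvuts, 123321, ...
    if any(item and item.lower() in lowered for item in personal):
        reasons.append("personal_info")
    return reasons


def is_acceptable(candidate: str, personal: Iterable[str] = (), min_length: int = 8) -> bool:
    return not check_password(candidate, personal, min_length)


if __name__ == "__main__":
    for pw in ("TmB1w2R!", "secret1", "Qwerty123!", "Lakota2011!"):
        print(pw, check_password(pw) or "ok")
    print(check_password("The*?#>*@TrafficOnThe101Was*&#!#ThisMorning", min_length=20) or "ok")
```

The check is deliberately a list of reasons rather than a score: a user told "organisation name" or "keyboard pattern" can fix the password, whereas a bare rejection teaches nothing. The run detector catches 123321 and zyxwvuts with a three-character window, which is short enough to flag them but long enough not to trip on the two sample passwords.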

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Term: Application Administration Account
Definition: Any account that is for the administration of an application (e.g., Oracle database administrator, ISSU administrator).

7.0 Revision History






Acceptable Encryption Policy

1.0 Purpose

The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

2.0 Scope

This policy applies to all Oglala Lakota College employees and affiliates.

3.0 Policy

Proven, standard algorithms such as DES, Blowfish, RSA, RC5 and IDEA should be used as the basis for encryption technologies. These algorithms represent the actual cipher used for an approved application. For example, Network Associates' Pretty Good Privacy (PGP) uses a combination of IDEA and RSA or Diffie-Hellman, while Secure Socket Layer (SSL) uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits. Asymmetric cryptosystem keys must be of a length that yields equivalent strength. Oglala Lakota College's key length requirements will be reviewed annually and upgraded as technology allows. (Note that DES with its 56-bit key has been publicly brute-forced since 1998 and was withdrawn as a U.S. federal standard in 2005; the annual review should treat AES with 128-bit or longer keys as the minimum.)

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term: Proprietary Encryption
Definition: An algorithm that has not been made public and/or has not withstood public scrutiny. The developer of the algorithm could be a vendor, an individual, or the government.

Term: Symmetric Cryptosystem
Definition: A method of encryption in which the same key is used for both encryption and decryption of the data.

Term: Asymmetric Cryptosystem
Definition: A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

6.0 Revision History















Server Security Policy

1.0 Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Oglala Lakota College. Effective implementation of this policy will minimize unauthorized access to Oglala Lakota College proprietary information and technology.

2.0 Scope

This policy applies to server equipment owned and/or operated by Oglala Lakota College, and to servers registered under any Oglala Lakota College-owned internal network domain.

This policy is specifically for equipment on the internal Oglala Lakota College network. For secure configuration of equipment external to Oglala Lakota College on the DMZ, refer to the Internet DMZ Equipment Policy.

3.0 Policy

3.1 Ownership and Responsibilities

All internal servers deployed at Oglala Lakota College must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by InfoSec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by InfoSec.

- Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
  o Server contact(s) and location, and a backup contact
  o Hardware and Operating System/Version
  o Main functions and applications, if applicable
- Information in the corporate enterprise management system must be kept up-to-date.
- Configuration changes for production servers must follow the appropriate change management procedures.

3.2 General Configuration Guidelines

- Operating System configuration should be in accordance with approved InfoSec guidelines.
- Services and applications that will not be used must be disabled where practical.
- Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
- The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
- Do not use a trust relationship when some other method of communication will do.
- Do not use root when a non-privileged account will do.
- If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels (e.g., encrypted network connections using SSH or IPSec).
- Servers should be physically located in an access-controlled environment.
- Servers are specifically prohibited from operating from uncontrolled cubicle areas.

3.3 Monitoring

- All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
  o All security-related logs will be kept online for a minimum of 1 week.
  o Daily incremental tape backups will be retained for at least 1 month.
  o Weekly full tape backups of logs will be retained for at least 1 month.
  o Monthly full backups will be retained for a minimum of 2 years.
- Security-related events will be reported to InfoSec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:
  o Port-scan attacks
  o Evidence of unauthorized access to privileged accounts
  o Anomalous occurrences that are not related to specific applications on the host.
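As an added example (not part of the original report or the SANS template), detection logic for two of the events listed above, a port-scan attack and evidence of unauthorized access to privileged accounts, run over constructed syslog lines (a netfilter-style firewall log, sudo records, and su failures). The thresholds, the host and user names, and the admin allow-list are hypothetical policy parameters.

```python
"""Detection of port scans and unauthorized privileged access over sample syslog lines
(added example; the log lines are constructed and not from the report)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample: a netfilter-style firewall log, a sudo log and su failures.
SAMPLE_LOG = """\
Mar  3 10:01:01 srv1 kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=22
Mar  3 10:01:01 srv1 kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=23
Mar  3 10:01:02 srv1 kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=25
Mar  3 10:01:02 srv1 kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=80
Mar  3 10:01:03 srv1 kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=443
Mar  3 10:01:03 srv1 kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=3306
Mar  3 10:05:10 srv1 kernel: IN=eth0 SRC=10.0.2.20 DST=10.0.1.10 PROTO=TCP DPT=443
Mar  3 10:07:44 srv1 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:08:01 srv1 su: FAILED SU (to root) mallory on pts/1
Mar  3 10:08:03 srv1 su: FAILED SU (to root) mallory on pts/1
Mar  3 10:08:05 srv1 su: FAILED SU (to root) mallory on pts/1
Mar  3 10:09:00 srv1 sudo: admin1 : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+?):\s+(.*)$")
FIREWALL_RE = re.compile(r"SRC=(\S+)\s+DST=\S+\s+PROTO=\S+\s+DPT=(\d+)")
SUDO_RE = re.compile(r"^(\S+)\s+:\s+.*USER=(\S+)\s+;\s+COMMAND=(.*)$")
SU_FAIL_RE = re.compile(r"^FAILED SU \(to (\S+)\) (\S+) on")


def parse_timestamp(text: str) -> datetime:
    # Syslog omits the year; strptime defaults it to 1900, which is fine for windowing.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def analyze(log_text: str, admin_users: Set[str], scan_ports: int = 5,
            scan_window_s: int = 60, su_failures: int = 3) -> List[Dict]:
    """Return alerts for port scans and unauthorized privileged access."""
    hits = defaultdict(list)           # src -> [(timestamp, dport)]
    su_fail_count = defaultdict(int)   # user -> failed su-to-root attempts
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, program, message = parse_timestamp(m.group(1)), m.group(2), m.group(3), m.group(4)
        if program == "kernel":
            fw = FIREWALL_RE.search(message)
            if fw:
                hits[fw.group(1)].append((ts, int(fw.group(2))))
        elif program == "sudo":
            s = SUDO_RE.match(message)
            # Root via sudo by anyone outside the admin allow-list is the policy violation.
            if s and s.group(2) == "root" and s.group(1) not in admin_users:
                alerts.append({"type": "unauthorized_sudo", "host": host,
                               "user": s.group(1), "command": s.group(3)})
        elif program == "su":
            f = SU_FAIL_RE.match(message)
            if f and f.group(1) == "root":
                su_fail_count[f.group(2)] += 1
    # Port scan: one source reaching >= scan_ports distinct ports inside the window.
    window = timedelta(seconds=scan_window_s)
    for src, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= scan_ports:
                alerts.append({"type": "port_scan", "src": src, "distinct_ports": len(ports)})
                break
    for user, count in su_fail_count.items():
        if count >= su_failures:
            alerts.append({"type": "su_bruteforce", "user": user, "failures": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, admin_users={"admin1"}):
        print(alert)
```

The three rules correspond to the first two bullets in the list above: the port-scan rule keys on distinct destination ports per source inside a time window rather than on raw packet counts, so a busy legitimate client talking to one port does not trip it, and the privileged-access rules treat both a successful sudo to root by a non-admin and repeated su failures as reportable, since the policy asks for evidence of unauthorized access, not only for success.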

3.4

Compliance


Security Evaluation Report
Proposal by Christine Stagnetto
-
Zweig©2011

Page
89




Audits will be performed on a regular basis by authorized organizations
within Oglala Lakota College



Audits will be managed by the internal audit group or InfoSec, in accordance
with the
Audit Policy.
InfoSec will filter findings not related to

a specific
operational group and then present the findings to the appropriate support
staff for remediation or justification.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term      Definition

DMZ       De-militarized Zone. A network segment external to the corporate production network.

Server    For purposes of this policy, a Server is defined as an internal Oglala Lakota College Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.

6.0 Revision History


Information Sensitivity Policy

1.0 Purpose

The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Oglala Lakota College without proper authorization.

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect Oglala Lakota College Confidential information (e.g., Oglala Lakota College Confidential information should not be left unattended in conference rooms).

Please Note: The impact of these guidelines on daily activity should be minimal.

Questions about the proper classification of a specific piece of information should be addressed
to your manager. Questions about these guidelines should be addressed to InfoSec.

2.0 Scope

All Oglala Lakota College information is categorized into two main classifications:

- Oglala Lakota College Public
- Oglala Lakota College Confidential

Oglala Lakota College Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to Oglala Lakota College Systems, Inc.

Oglala Lakota College Confidential contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Included is information that should be protected very closely, such as trade secrets, development programs, potential acquisition targets, and other information integral to the success of our institution. Also included in Oglala Lakota College Confidential is information that is less critical, such as telephone directories, general corporate information, personnel information, etc., which does not require as stringent a degree of protection.

A subset of Oglala Lakota College Confidential information is “Oglala Lakota College Third Party Confidential” information. This is confidential information belonging or pertaining to another corporation which has been entrusted to Oglala Lakota College by that company under non-disclosure agreements and other contracts.

Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information. Information in this category ranges from extremely sensitive to information about the fact that we’ve connected a supplier/vendor into Oglala Lakota College’s network to support our operations.

Oglala Lakota College personnel are encouraged to use common sense judgment in securing Oglala Lakota College Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager.

3.0 Policy

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as Oglala Lakota College Confidential information in each column may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the Oglala Lakota College Confidential information in question.

3.1 Minimal Sensitivity: General corporate information; some personnel and technical information

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of “3rd Party Confidential”

Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words “Oglala Lakota College Confidential” must be written or designated in a conspicuous place on or in the information in question. Other labels that may be used include “Oglala Lakota College Proprietary” or similar labels at the discretion of your individual business unit or department. Even if no marking is present, Oglala Lakota College information is presumed to be “Oglala Lakota College Confidential” unless expressly determined to be Oglala Lakota College Public information by an Oglala Lakota College employee with authority to do so.

Access: Oglala Lakota College employees, contractors, people with a business need to know.

Distribution within Oglala Lakota College: Standard interoffice mail, approved electronic mail and electronic file transmission methods.

Distribution outside of Oglala Lakota College internal mail: U.S. mail and other public or private carriers, approved electronic mail and electronic file transmission methods.

Electronic distribution: No restrictions except that it be sent to only approved recipients.

Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administrated with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.

Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on Oglala Lakota College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

3.2 More Sensitive: Business, financial, technical, and most personnel information.


Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of “3rd Party Confidential.” As the sensitivity level of the information increases, you may, in addition to or instead of marking the information “Oglala Lakota College Confidential” or “Oglala Lakota College Proprietary,” wish to label the information “Oglala Lakota College Internal Use Only” or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is discretionary at all times.

Access: Oglala Lakota College employees and non-employees with signed non-disclosure agreements who have a business need to know.

Distribution within Oglala Lakota College: Standard interoffice mail, approved electronic mail and electronic file transmission methods.

Distribution outside of Oglala Lakota College internal mail: Sent via U.S. mail or approved private carriers.

Electronic distribution: No restrictions to approved recipients within Oglala Lakota College, but should be encrypted or sent via a private link to approved recipients outside of Oglala Lakota College premises.

Storage: Individual access controls are highly recommended for electronic information.

Disposal/Destruction: In specially marked disposal bins on Oglala Lakota College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

3.3 Most Sensitive: Trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of our institution.

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of “3rd Party Confidential.” To indicate that Oglala Lakota College Confidential information is very sensitive, you should label the information “Oglala Lakota College Internal: Registered and Restricted,” “Oglala Lakota College Eyes Only,” “Oglala Lakota College Confidential” or similar labels at the discretion of your individual business unit or department. Once again, this type of Oglala Lakota College Confidential information need not be marked, but users should be aware that this information is very sensitive and that it should be protected as such.

Access: Only those individuals (Oglala Lakota College employees and non-employees) designated with approved access and signed non-disclosure agreements.

Distribution within Oglala Lakota College: Delivered direct; signature required, envelopes stamped confidential, or approved electronic file transmission methods.

Distribution outside of Oglala Lakota College internal mail: Delivered direct; signature required; approved private carriers.

Electronic distribution: No restrictions to approved recipients within Oglala Lakota College, but it is highly recommended that all information be strongly encrypted.

Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored in a physically secured computer.

Disposal/Destruction: Strongly Encouraged: In specially marked disposal bins on Oglala Lakota College premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Terms and Definitions

Appropriate measures

To minimize risk to Oglala Lakota College from an outside business connection. Oglala Lakota College computer use by competitors and unauthorized personnel must be restricted so that, in the event of an attempt to access Oglala Lakota College institution information, the amount of information at risk is minimized.

Configuration of Oglala Lakota College to other institution connections

Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

Delivered Direct; Signature Required

Do not leave in interoffice mail slot; call the mail room for special pick-up of mail.

Approved Electronic File Transmission Methods

Includes supported FTP clients and Web browsers.

Envelopes Stamped Confidential

You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and stamp it confidential.

Approved Electronic Mail

Includes all mail systems supported by the IT Support Team. These include, but are not necessarily limited to, Oglala Lakota College supported mailers. If you have a business need to use other mailers, contact the appropriate support organization.

Approved Encrypted e-mail and files

Techniques include the use of DES and PGP. DES encryption is available via many different public domain packages on all platforms. PGP use within Oglala Lakota College is done via a license. Please contact the appropriate support organization if you require a license.

Company Information System Resources

Company Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information at the Internal Use Only level and above.

Expunge

To reliably erase or expunge data on a PC or Mac you must use a separate program to overwrite data, supplied as a part of Norton Utilities. Otherwise, the PC or Mac’s normal erasure routine keeps the data intact until overwritten. The same thing happens on UNIX machines, but data is much more difficult to retrieve on UNIX systems.
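The definition above says that a normal delete leaves the data in place until it is overwritten. As an added example, not part of the original document, the block below shows that overwrite step in Python instead of a commercial utility: it writes random bytes over the file's existing length, syncs to disk, and only then unlinks the name. The marker string and the temporary file are constructed for the demonstration. One caveat that the page does not state but that is a well-known property of current storage: on SSDs, on journaling or copy-on-write filesystems, and wherever snapshots exist, an in-place overwrite does not guarantee the old blocks are unrecoverable; whole-device sanitisation or destruction of the encryption key is needed there.

```python
"""Overwrite-then-delete, the 'expunge' step the definition describes.

Added example, not part of the original document. The marker and the
temporary file are constructed for the demonstration.
"""
import os
import secrets
import tempfile


def overwrite_contents(path, passes=1):
    """Overwrite the file's current length with random bytes `passes` times,
    flushing and fsyncing each pass so the write reaches the device.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # 'r+b' keeps the same inode, so (where the filesystem allows it) the
    # new bytes land on the blocks that held the old data.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, 64 * 1024)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    return size


def expunge_file(path, passes=1):
    """Overwrite, then remove the directory entry. Returns bytes overwritten."""
    size = overwrite_contents(path, passes)
    os.unlink(path)
    return size


def make_sample_file(data):
    """Create a temporary file holding `data` and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo(marker=b"PAYROLL-CONFIDENTIAL-2011"):
    """Write a constructed marker, overwrite, read back to confirm the
    marker is gone, then unlink. Returns a small result dictionary."""
    path = make_sample_file(marker * 100)
    written = overwrite_contents(path, passes=2)
    with open(path, "rb") as f:
        survived = marker in f.read()  # checked before the name is removed
    os.unlink(path)
    return {
        "bytes_overwritten": written,
        "marker_survived": survived,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The read-back before unlink is the check worth keeping in any disposal tooling: it confirms that what the program wrote is what the filesystem now returns for that path, which is the most an application-level overwrite can promise.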


Individual Access Controls

Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On UNIX machines, this is accomplished by careful use of the chmod command (use man chmod to find out more about it). On Macs and PCs this includes using passwords on screensavers, such as Disklock.
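As an added example for the UNIX case (not part of the original document), the block below audits a directory for files and directories whose mode grants any group or other permission and then applies the equivalent of chmod go-rwx to them, which is the "careful use of the chmod command" the definition refers to. The sample tree, file names and modes are constructed for the demonstration; in practice the audit would be pointed at the directory holding Confidential information.

```python
"""Audit and tighten per-file access controls on UNIX with os.chmod.

Added example, not part of the original document. The directory tree,
file names and modes are constructed for the demonstration.
"""
import os
import stat
import tempfile

# Any permission bit beyond the owner's: group rwx and other rwx.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def find_overexposed(root):
    """Return sorted paths (relative to root) of files and directories whose
    mode grants any group or other permission. Symlinks are skipped because
    their own mode is meaningless; the target is checked where it lives."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & GROUP_OTHER_BITS:
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def restrict_to_owner(root):
    """Apply the equivalent of `chmod go-rwx` to every over-exposed entry
    under root, keeping the owner bits as they are. Returns the count."""
    changed = 0
    for rel in find_overexposed(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~GROUP_OTHER_BITS)
        changed += 1
    return changed


def demo():
    """Build a constructed tree with mixed permissions, audit it, fix it,
    and audit again. Returns (before, changed, after)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "shared"))
    sample = {
        "shared/readme.txt": 0o644,  # world-readable
        "shared/budget.xls": 0o600,  # owner only, already correct
        "notes.txt": 0o664,          # group-writable
    }
    for rel, mode in sample.items():
        full = os.path.join(root, rel)
        with open(full, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "shared"), 0o755)  # world-traversable dir
    before = find_overexposed(root)
    changed = restrict_to_owner(root)
    after = find_overexposed(root)
    return before, changed, after


if __name__ == "__main__":
    print(demo())
```

Directories count as well as files: a 0o755 directory lets anyone list the names of the Confidential documents inside it even when each document is 0o600, so the audit reports it and the fix closes it.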

Insecure Internal Links

Insecure Internal Links are all network links that originate from a locale or travel over lines that are not totally under the control of Oglala Lakota College.

Encryption

Secure Oglala Lakota College Sensitive information in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Follow corporate or institution guidelines on export controls on cryptography, and consult your manager and/or corporate legal services for further guidance.

One Time Password Authentication

One Time Password Authentication on Internet connections is accomplished by using a one time password token to connect to Oglala Lakota College’s internal network over the Internet. Contact your support organization for more information on how to set this up.
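The passage above does not say which algorithm the token uses. The following added example (not part of the original document, and not a description of Oglala Lakota College's actual setup) implements the event-based HOTP scheme of RFC 4226, which is what many hardware tokens and RADIUS back ends use, together with the server-side counter bookkeeping that makes each code usable once. The shared secret is the RFC 4226 test-vector secret; the counters and the look-ahead window size are assumptions for the example.

```python
"""HOTP (RFC 4226) one-time passwords with replay-safe verification.

Added example, not part of the original document. The secret is the
RFC 4226 test-vector secret; the look-ahead window is an assumed value.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one token: the shared secret and the next
    counter that will be accepted. Each code is accepted at most once and
    the counter only moves forward, which is what makes the password
    'one time'."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead  # tolerate a few unused token presses

    def verify(self, candidate: str) -> bool:
        window = range(self.next_counter, self.next_counter + self.look_ahead)
        for c in window:
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.next_counter = c + 1  # resynchronise and burn the code
                return True
        return False


def demo_replay(secret: bytes = b"12345678901234567890") -> list:
    """Exercise the verifier: first use, replay, skipped counter, stale
    code, and a code beyond the look-ahead window."""
    v = TokenVerifier(secret)
    return [
        v.verify(hotp(secret, 0)),  # first use: accepted
        v.verify(hotp(secret, 0)),  # same code again: rejected (replay)
        v.verify(hotp(secret, 2)),  # counter 1 skipped: accepted, window resyncs
        v.verify(hotp(secret, 1)),  # code behind the counter: rejected
        v.verify(hotp(secret, 8)),  # past the 5-code look-ahead: rejected
    ]


if __name__ == "__main__":
    secret = b"12345678901234567890"
    for c in range(3):
        print(c, hotp(secret, c))
    print(demo_replay())
```

The look-ahead window is the usability/security trade-off: wide enough that a few accidental button presses do not lock the user out, narrow enough that an attacker who saw one code cannot pre-compute a useful range. When a token drifts past the window the usual answer is an administrator-driven resynchronisation, not a wider window.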

Physical Security

Physical security means either having actual possession of a computer at all times, or locking the computer in an unusable state to an object that is immovable. Methods of accomplishing this include having a special key to unlock the computer so it can be used, thereby ensuring that the computer cannot be simply rebooted to get around the protection. If it is a laptop or other portable computer, never leave it alone in a conference room, hotel room or on an airplane seat, etc. Make arrangements to lock the device in a hotel safe, or take it with you. In the office, always use a lockdown cable. When leaving the office for the day, secure the laptop and any other sensitive material in a locked drawer or cabinet.

Private Link

A Private Link is an electronic communications path over which Oglala Lakota College has control for its entire distance. For example, all Oglala Lakota College networks are connected via private link. A computer with a modem connected via a standard land line (not a cell phone) to another computer has established a private link. ISDN lines to employees’ homes are private links. Oglala Lakota College also has established private links to other companies or institutions, so that all mail correspondence can be sent in a more secure manner. Companies with which Oglala Lakota College has established private links include all announced acquisitions and some short-term temporary links.

6.0 Revision History


Guidelines on Anti-Virus Process

Recommended processes to prevent virus problems:

- Always run the Corporate standard, supported anti-virus software, which is available from the corporate download site. Download and run the current version; download and install anti-virus software updates as they become available.

- NEVER open any files or macros attached to an e-mail from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then “double delete” them by emptying your Trash.

- Delete spam, chain, and other junk e-mail without forwarding, in accordance with Oglala Lakota College’s Acceptable Use Policy.

- Never download files from unknown or suspicious sources.

- Avoid direct disk sharing with read/write access unless there is absolutely a business requirement to do so.

- Always scan a computer, DVDs, CDs, or USB drives from an unknown source for viruses before using it.

- Back up critical data and system configurations on a regular basis and store the data in a safe place.

- If lab testing conflicts with anti-virus software, run the anti-virus utility to ensure a clean machine, disable the software, then run the lab test. After the lab test, enable the anti-virus software. When the anti-virus software is disabled, do not run any applications that could transfer a virus, e.g., e-mail or file sharing.

- New viruses are discovered almost every day. Periodically check the Lab Anti-Virus Policy and this Recommended Processes list for updates.

Wireless Security Policy

1.0 Purpose

This policy prohibits access to Oglala Lakota College networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by InfoSec are approved for connectivity to Oglala Lakota College’s networks.

2.0 Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of Oglala Lakota College’s internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to Oglala Lakota College’s networks do not fall under the purview of this policy.

3.0 Policy

To comply with this policy, wireless implementations must:

- Maintain point-to-point hardware encryption of at least 56 bits.
- Maintain a hardware address that can be registered and tracked, i.e., a MAC address.
- Support strong user authentication which checks against an external database such as TACACS+, RADIUS or something similar.

EXCEPTION: A limited-duration waiver to this policy for Cisco Aironet products has been approved, if specific implementation instructions are followed for corporate and home installations.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Definitions

Term                 Definition

User Authentication  A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.

6.0 Revision History


Risk Assessment Policy

1.0 Purpose

To empower InfoSec to perform periodic information security risk assessments (RAs) for the purpose of determining areas of vulnerability, and to initiate appropriate remediation.

2.0 Scope

Risk assessments can be conducted on any entity within Oglala Lakota College or any outside entity that has signed a Third Party Agreement with Oglala Lakota College. RAs can be conducted on any information system, to include applications, servers, and networks, and any process or procedure by which these systems are administrated and/or maintained.

3.0 Policy

The execution, development and implementation of remediation programs is the joint responsibility of InfoSec and the department responsible for the systems area being assessed. Employees are expected to cooperate fully with any RA being conducted on systems for which they are held accountable. Employees are further expected to work with the InfoSec Risk Assessment Team in the development of a remediation plan.

4.0 Risk Assessment Process

For additional information, go to the Risk Assessment Process

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Term     Definition

Entity   Any business unit, department, group, or third party, internal or external to Oglala Lakota College, responsible for maintaining Oglala Lakota College assets.

Risk     Those factors that could affect confidentiality, availability, and integrity of Oglala Lakota College’s key information assets and systems. InfoSec is responsible for ensuring the integrity, confidentiality, and availability of critical information and computing assets, while minimizing the impact of security procedures and policies upon business productivity.

7.0 Revision History

Analog/ISDN Line Security Policy

1.0 Purpose

This document explains Oglala Lakota College analog and ISDN line acceptable use and approval policies and procedures. This policy covers two distinct uses of analog/ISDN lines: lines that are to be connected for the sole purpose of fax sending and receiving, and lines that are to be connected to computers.

2.0 Scope

This policy covers only those lines that are to be connected to a point inside Oglala Lakota College building and testing sites. It does not pertain to ISDN/phone lines that are connected into employee homes, PBX desktop phones, and those lines used by XXX for emergency and non-corporate information purposes.

3.0 Policy

3.1 Scenarios & Business Impact

There are two important scenarios that involve analog line misuse, which we attempt to guard against through this policy. The first is an outside attacker who calls a set of analog line numbers in the hope of connecting to a computer that has a modem attached to it. If the modem answers (and most computers today are configured out-of-the-box to auto-answer) from inside Oglala Lakota College premises, then there is the possibility of breaching Oglala Lakota College’s internal network through that computer, unmonitored. At the very least, information that is held on that computer alone can be compromised. This potentially results in the loss of millions of dollars worth of corporate information.

The second scenario is the threat of anyone with physical access into an Oglala Lakota College facility being able to use a modem-equipped laptop or desktop computer. In this case, the intruder would be able to connect to the trusted networking of Oglala Lakota College through the computer’s Ethernet connection, and then call out to an unmonitored site using the modem, with the ability to siphon Oglala Lakota College information to an unknown location. This could also potentially result in the substantial loss of vital information.

Specific procedures for addressing the security risks inherent in each of these
scenarios follow.

3.2 Facsimile Machines

As a rule, the following applies to requests for fax and analog lines:

- Fax lines are to be approved for departmental use only
- No fax lines will be installed for personal use
- No analog lines will be placed in a personal cubicle
- The fax machine must be placed in a centralized administrative area designed for departmental use.
- A computer which is capable of making a fax connection is not to be allowed to use an analog line for this purpose.

Waivers for the above policy on analog-as-fax lines will be delivered on a case-by-case basis after reviewing the business need with respect to the level of sensitivity and security posture of the request.

Use of an analog/ISDN fax line is conditional upon the requester’s full compliance with the requirements listed below. These requirements are the responsibility of the authorized user to enforce at all times:

- The fax line is used solely as specified in the request
- Only persons authorized to use the line have access to it
- When not in use, the line is to be physically disconnected from the computer
- When in use, the computer is to be physically disconnected from Oglala Lakota College’s internal network.
- The line will be used solely for Oglala Lakota College business, and not for personal reasons.
- All downloaded material, prior to being introduced into Oglala Lakota College systems and networks, must have been scanned by an approved anti-virus utility which has been kept current through regular updates.

3.3 Computer-to-Analog Line Connections

The general policy is that requests for computers or other intelligent devices to be connected with analog or ISDN lines from within Oglala Lakota College will not be approved for security reasons. Analog and ISDN lines represent a significant security threat to Oglala Lakota College, and active penetrations have been launched against such lines by hackers. Waivers to the policy above will be granted on a case by case basis.

They will also be considered on a case by case basis.

3.4 Requesting an Analog/ISDN Line

Once approved by a manager, the individual requesting an analog/ISDN line must provide the following information to XXX (company connected):

- A clearly detailed business case of why other secure connections available at Oglala Lakota College cannot be used
- The business purpose for which the analog line is to be used
- The software and hardware to be connected to the line and used across the line
- And to what external connections the requester is seeking access

The business case must answer, at a minimum, the following questions:

- What business needs to be conducted over the line?
- Why is an Oglala Lakota College equipped desktop computer with Internet capability unable to accomplish the same tasks as the proposed analog line?
- Why is Oglala Lakota College’s current dial-out access pool unable to accomplish the same task as an analog line?

In addition, the requester must be prepared to answer the following supplemental questions related to the security profile of the request.

- Will the machines that are using the analog lines be physically disconnected from Oglala Lakota College’s internal network?
- Where will the analog line be placed? A cubicle or lab?
- Is dial-in from outside of Oglala Lakota College needed?
- How many lines are being requested, and how many people will use the line?
- How often will the line be used? Once a week, 2 hours per day…?
- What is the earliest date the line can be terminated from service?
- The line must be terminated as soon as it is no longer in use.
- What other means will be used to secure the line from unauthorized use?
- Is this a replacement line from an old location? What was the purpose of the original line?
- What types of protocols will be run over the line?
- Will an Oglala Lakota College authorized anti-virus scanner be installed on the machine(s) using the analog lines?

The requester should use the Analog/ISDN Line Request Form to address these issues and submit a request.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

Audit Security Policy

1.0 Purpose

To provide the authority for members of Oglala Lakota College’s InfoSec team to conduct a security audit on any system at Oglala Lakota College.

Audits may be conducted to:

- Ensure integrity, confidentiality and availability of information and resources
- Investigate possible security incidents and ensure conformance to Oglala Lakota College security policies
- Monitor user or system activity where appropriate

2.0 Scope

This policy covers all computer and communication devices owned or operated by Oglala Lakota College. This policy also covers any computer and communication devices that are present on Oglala Lakota College premises, but which may not be owned or operated by Oglala Lakota College.

3.0 Policy

When requested, and for the purpose of performing an audit, any access needed will be provided to members of Oglala Lakota College’s InfoSec team.

This access may include:

- User level and/or system level access to any computing or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on Oglala Lakota College equipment or premises
- Access to work areas (labs, offices, cubicles, storage areas, etc.)
- Access to interactively monitor and log traffic on Oglala Lakota College networks.

4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

5.0 Revision History

Wireless Communication Policy

Overview

The purpose of this policy is to secure and protect the information assets owned by Oglala Lakota College. Oglala Lakota College provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. Oglala Lakota College grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.


This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to an Oglala Lakota College network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the Information Security Department are approved for connectivity to an Oglala Lakota College network.

Scope

All employees, contractors, consultants, temporary and other workers at Oglala Lakota College, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of Oglala Lakota College, must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to an Oglala Lakota College network or reside on an Oglala Lakota College site and that provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and personal digital assistants (PDAs). This includes any form of wireless communication device capable of transmitting packet data.

The Information Security Department must approve exceptions to this policy in advance.


Policy Statement

General Network Access Requirements

All wireless infrastructure devices that reside at an Oglala Lakota College site and connect to an Oglala Lakota College network, or provide access to information classified as Oglala Lakota College Confidential, Oglala Lakota College Highly Confidential, or Oglala Lakota College Restricted must:

- Abide by the standards specified in the Wireless Communication Standard.
- Be installed, supported, and maintained by an approved support team.
- Use Oglala Lakota College approved authentication protocols and infrastructure.
- Use Oglala Lakota College approved encryption protocols.
- Maintain a hardware address (MAC address) that can be registered and tracked.
- Not interfere with wireless access deployments maintained by other support organizations.

Lab and Isolated Wireless Device Requirements

All lab wireless infrastructure devices that provide access to Oglala Lakota College Confidential, Oglala Lakota College Highly Confidential, or Oglala Lakota College Restricted information must adhere to section 0. Lab and isolated wireless devices that do not provide general network connectivity to the Oglala Lakota College network must:



Be isolated from the corporate network (that is, it must not provide any corporate connectivity) and comply with the DMZ Lab Security Policy or the Internal Lab Security Policy.

Not interfere with wireless access deployments maintained by other support organizations.

Home Wireless Device Requirements

Wireless infrastructure devices that provide direct access to the Oglala Lakota College corporate network must conform to the Home Wireless Device Requirements as detailed in the Wireless Communication Standard.

Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the Oglala Lakota College corporate network. Access to the Oglala Lakota College corporate network through such a device must use standard remote access authentication.

Enforcement

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Oglala Lakota College.

Definitions

Term: Definition

Oglala Lakota College network
A wired or wireless network including indoor, outdoor, and alpha networks that provide connectivity to corporate services.

Corporate connectivity
A connection that provides access to an Oglala Lakota College network.

Enterprise Class Teleworker (ECT)
An end-to-end hardware VPN solution for teleworker access to the Oglala Lakota College network.

Information assets
Information that is collected or produced and the underlying hardware, software, services, systems, and technology that are necessary for obtaining, storing, using, and securing that information, which is recognized as important and valuable to an organization.

MAC address
The MAC address is a hardware number that uniquely identifies each node on a network and is required for every port or device that connects to the network.


Revision History

Date of Change    Responsible    Summary of Change















Automatically Forwarded E-mail Policy

1.0 Purpose

To prevent the unauthorized or inadvertent disclosure of sensitive company information.



2.0 Scope

This policy covers automatic email forwarding, and thereby the potentially inadvertent transmission of sensitive information, by all employees, vendors, and agents operating on behalf of Oglala Lakota College.



3.0 Policy

Employees must exercise utmost caution when sending any email from inside Oglala Lakota College to an outside network. Unless approved by an employee's manager and InfoSec, Oglala Lakota College email will not be automatically forwarded to an external destination. Sensitive information, as defined in the Information Sensitivity Policy, will not be forwarded via any means, unless that email is critical to business and is encrypted in accordance with the Acceptable Encryption Policy.



4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.



5.0 Definitions

Term: Definition

Email
The electronic transmission of information through a mail protocol such as SMTP. Programs such as Eudora and Microsoft Outlook use SMTP.

Forwarded email
E-mail resent from an internal network to an outside point.

Sensitive information
Information is considered sensitive if it can be damaging to Oglala Lakota College or its customers' dollar value, reputation, or market standing.

Unauthorized Disclosure
The intentional or unintentional revealing of restricted information to people who do not have a need to know that information.


6.0 Revision History















E-mail Use Policy

1.0 Purpose

To prevent tarnishing the public image of Oglala Lakota College. When email goes out from Oglala Lakota College, the general public will tend to view that message as an official policy statement from Oglala Lakota College.



2.0 Scope

This policy covers appropriate use of any email sent from an Oglala Lakota College email address and applies to all employees, vendors, and agents operating on behalf of Oglala Lakota College.



3.0 Policy

3.1 Prohibited Use

The Oglala Lakota College email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Oglala Lakota College employee should report the matter to their supervisor immediately.


3.2 Personal Use

Using a reasonable amount of Oglala Lakota College resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from an Oglala Lakota College email account is prohibited. Virus or other malware warnings and mass mailings from Oglala Lakota College shall be approved by the Oglala Lakota College VP Operations before sending. These restrictions also apply to the forwarding of mail received by an Oglala Lakota College employee.


3.3 Monitoring

Oglala Lakota College employees shall have no expectation of privacy in anything they store, send or receive on the company's email system. Oglala Lakota College may monitor messages without prior notice. Oglala Lakota College is not obliged to monitor email messages.


4.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.



5.0 Definitions

Term: Definition

Email
The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.

Forwarded email
E-mail resent from an internal network to an outside point.

Chain email or letter
Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

Sensitive information
Information is considered sensitive if it can be damaging to Oglala Lakota College or its customers' reputation or market standing.

Virus warning
Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.

Unauthorized Disclosure
The intentional or unintentional revealing of restricted information to people, both inside and outside Oglala Lakota College, who do not have a need to know that information.


6.0 Revision History













Get Out Of Jail Free Card

Place:__________    Date:__________

Type: Filing Memo

SUBJECT: AUTHORIZED LIABILITY WAIVER AGREEMENT

Contracting the act of securing the information technology assets of Oglala Lakota College to Christine Stagnetto-Zweig Consultant to carry out Penetration Testing.

The testing team is required to trace vulnerabilities in our resources, penetrate through them, and try to access the various resources available. It is required that the team scan our desktops, laptops, servers, network elements, and other computer systems owned by this organization/institution on a regular, periodic basis to discover vulnerabilities present on these systems and suggest measures to secure them. In the above-mentioned process of performing the pen-test, the testing team will not be held liable for any damage caused to our organization's electronic assets.

This document is hereby attested by the following individuals:

Signature of Test Team In-charge:______________    Signature of Organization In-charge:_____________

Full Name:______________________    Full Name:_______________________

Date:___________________________    Date:___________________________








Christine Stagnetto-Zweig Consultant

Penetration Testing Contract

This contract is between Christine Stagnetto-Zweig Consultant, as the provider, and the Penetration Testing Services buyer, Oglala Lakota College, for the supply of Penetration Testing services by the provider for the client.

Whereas the provider provides certain computer and systems security consulting and testing services, including Penetration Testing services, and

Whereas the client wishes to retain the provider to provide computer and systems security services, specifically Penetration Testing services, therefore