Create a Security Plan and Policies for SnowBe Online

Create a Security Plan and Policies

Objectives and Outcomes:

Upon completion of this activity, you should be able to:

Demonstrate that you understand and can create a security plan outline.
Show that you understand and can create a security policy template.
Compose security policies using the security policy template.
Construct a security policy for PCI compliance.

Company: SnowBe Online

SnowBe Online is a lifestyle brand for those who love the beach and snow. The owners started the company with a laid-back culture. Their customers instantly connected with their brand taking them to $100 million in sales in three years. After being so successful, the management team decided to take the company public.

The majority of their sales are processed online through their website, housed on the AWS platform.
All credit cards are accepted and stored on the company's website database.
All customer information and purchase history are stored on the website indefinitely.
They have multiple storefronts in the U.S. and Europe, which accept checks, cash, or credit cards. The credit card transactions are processed using bank-provided credit card terminals in each store.
There are twenty desktops and thirty laptops in the main office in Los Angeles.
The desktops are used to run the business and customer support.
The thirty laptops are used for sales (retail and wholesale). The laptops use a VPN to log into the office to access company applications.
There are six servers (on-premise and AWS) for access management, storage, customer relations management, order management, accounting, and vendor applications.
As a result of SnowBe's laid-back culture, they neglected to implement technical controls and processes. As a result, they recently hired a technical consultant to get their neglected system and processes under control. The consultant started with implementing controls using the NIST 800-53 framework.

The technical consultant was impressed to find a well-run company with no reported technical issues or breaches despite SnowBe's laid-back culture. Although, there had been a few attempts that did not cause any harm or alerts to worry anyone. The technical consultant analyzed the risk of the company using the NIST Risk Management Framework. Here are some initial steps he suggested:

The need to update the firmware of all network devices.
The need to update the patches for all PCs and Windows servers to ensure they are on the latest Windows version.
The need to update their Anti-Virus and backup software.
The need to implement more processes into the access management system since most employees had access to almost all of the data on each server.
The need to lock the servers in a secured area of the office.
The need to update the company's WordPress shopping cart.
The need for PCI compliance before issues occur.

Please write each question and place the answer on the next line.
Please answer each question or section of a question separately. (Please see Rubric for clarification.)
Elaborate on your answers to demonstrate your depth of knowledge for this week's topics.

Format the Security Plan template.

Create a professional looking format for the Plan Template document located in the Resources section.
Feel free to use generic information for now for any data, such as names, dates, reasons, etc. - that might be needed.
Be sure to cite any information that you copy.
See the deliverables section below on how to deliver this task.
Name this file lastFirsname_security_plan_template

Search the Internet and locate 2 additional IT Security Plans. You may NOT use the USF Security Plan that is shown in the videos.
Compare and contrast the 2 IT Security Plans that you located on the Internet and the Plan that you formatted in item 1 above.
You must detail a minimum of 5 similarities for each (10 total). Be thorough in your comparisons.
You must detail a minimum of 5 differences for each (10 total). Be thorough in your explanation.
Be sure to include a PDF or embed the link for each policy.
Name this file lastFirsname_security_plan_comparison

Format the Security Policy Template. This template will be used for all of the policies that you create, and if it is not correct, then your future work will also be incorrect.

Create a professional looking format for the Policy Template document located in the Resources section.
Feel free to use generic information for now for any data, such as names, dates, reasons, etc. - that might be needed.
Be sure to cite any information that you copy.
See the deliverables section below on how to deliver this task.
Name this file lastFirsname_security_policy_template

Be sure to duplicate your Policy template for each policy.
Using the SnowBe company above, select 5 of the top items that would need a security policy.
HINT: Look at SnowBe and find the top 5 vulnerabilities, NOT PCI.
Prioritize the 5 policies based on the level of importance for the company.
Be sure only to select Security Compliance and Privacy items. Do not use PCI Compliance. You will document PCI compliance in item 4.
Create a Security Policy for EACH of the 5 vulnerabilities that you identified
Be sure to number and name the policy correctly.
You do NOT have to write the policy yourself.
Feel free to search the web for policies that match your 5 items and place the content into your security policy template. (Be sure to cite any information that you copy.)
Name each file lastFirsname_XX_Policy (where XX represents the name of the policy)

Create a PCI Compliance Policy for SnowBe.

Place the policy on your Security Policy Template. Be sure to rename it correctly.
Feel free to use the CONTENT of this template https://www.buffalo.edu/administrative-services/policy1/ub-policy-lib/pci-compliance.htmlor use any other.
Feel free to use generic information for now for any data, such as names, dates, reasons, etc. - that might be needed.
Name this item lastFirsname_PCI_Policy

Duplicate your Security Plan Template, rename it SnowBe Security Plan.
Update the Plan to include the appropriate information from the policies that you have created this week. (There should be a total of 6.) This includes:
Policy Number and Name
Policy Purpose
Update the Definitions section if applicable.
Update the Roles and Responsibilities section if applicable.
Name this file lastFirsname_security_plan_week1

Ensure to review the Rubric below for this assignment, so you are familiar with how you will be graded.

Documents for class:

SnowBe IT Policy Template
A cover page or header that contains:
Status - draft, under review, implemented, etc.
Document Owner
Last Review Date
Version
Purpose
Scope
Definitions
Roles & Responsibilities
Policy
Exceptions/Exemptions
Enforcement
Version History Table that includes:
Version #
Change Date or Implementation Date
Document Owner
Approved By
Description

SANS Template library
Introduction (intent and purpose

Scope
Definitions - formatted in a manner that would allow the user the ability to quickly scan the list and locate the term in question. Here are some examples of how this can be accomplished by:
Placing the term in bold and the definition in normal text.
Placing the term (in bold) on one line and the definition below it.
Utilizing a subtle shading of every other term.
Roles & Responsibilities (see formatting suggestions for Definitions)
Statement of Policies, Standards and Procedures
Policies
Standards and Procedures
Exceptions/Exemptions
It's also a good idea to include a Version History Table that includes:
Change Date or Implementation Date
Description