Objectives
Describe the system development life cycle concept and its application to a secure network life
cycle.
Scenario
Superior Health Care System will be implementing many changes over the next two years. Your team will
have a major impact on the success of these changes. The CEO of the company has personally
requested that your team participate in the following initiatives:
- Test our existing equipment to identify the need for upgrades and replacements.
- Develop an RFP for a comprehensive penetration test of our systems and network.
- Identify the critical aspects of the systems and perform a network security test.
- Report all findings and make all necessary recommendations needed to secure our systems in the future.
Tasks 9.1
Your team will be responsible for developing the first draft for the following Information Assurance
Policies:
1. Acceptable use policy
2. VPN implementation policy
3. Virus and malicious code mitigation policy
4. IDS/IPS implementation policy
5. Authentication/Authorization policy
6. Incident response policy
Tasks 9.2
As part of the reorganization, Superior Health Care System Corporation's Chief Information Officer has
created an action list for your team. She has requested that your team test the following features in our
test lab facilities and report back on the results.
1. Secure network devices with AAA, SSH, role-based CLI, syslog, SNMP, and NTP.
2. Secure services using AutoSecure and one-step lockdown.
3. Protect network endpoints, such as workstations and servers, against viruses, Trojan Horses, and worms with Cisco NAC, Cisco IronPort, and Cisco Security Agent.
4. Use Cisco IOS Firewall and accompanying ACLs to secure resources internally while protecting those resources from outside attacks.
5. Supplement Cisco IOS Firewall with Cisco IPS technology to evaluate traffic using an attack signature database.
6. Protect the LAN by following Layer 2 and VLAN recommended practices and by using a variety of technologies, including BPDU guard, root guard, PortFast, and SPAN.
2009 Cisco Learning Institute
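One way to report on items 1 and 6 in the test lab is to audit a saved running-config for the listed features. The script below is an added example, not part of the original assignment; the sample configuration is constructed, and the pass criteria (SSH-only vty lines, no SNMP community strings, NTP authentication, BPDU guard on every PortFast port) are assumptions about what "secure" means for each feature.

```python
import re

# Constructed sample running-config for a lab device (not from the assignment).
SAMPLE = """\
aaa new-model
ip ssh version 2
parser view HELPDESK
logging host 192.0.2.10
snmp-server community public RO
ntp server 192.0.2.20
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
line vty 0 4
 transport input telnet ssh
"""

def blocks(cfg, prefix):
    """Map each top-level '<prefix> ...' header to its indented sub-commands."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):
            cur = out.setdefault(line.strip(), []) if line.startswith(prefix) else None
        elif cur is not None:
            cur.append(line.strip())
    return out

def audit(cfg):
    """Return {check name: passed} for the item 1 and item 6 features."""
    has = lambda pat: re.search(pat, cfg, re.M) is not None
    vty = blocks(cfg, "line vty")
    ports = blocks(cfg, "interface")
    return {
        "aaa": has(r"^aaa new-model"),
        "ssh_v2": has(r"^ip ssh version 2"),
        "vty_ssh_only": bool(vty) and all("transport input ssh" in b for b in vty.values()),
        "role_based_cli": has(r"^parser view \S+"),
        "syslog": has(r"^logging (host )?\d+\.\d+\.\d+\.\d+"),
        "snmp_no_community": has(r"^snmp-server ") and not has(r"^snmp-server community "),
        "ntp_authenticated": has(r"^ntp server ") and has(r"^ntp authenticate"),
        "portfast_has_bpduguard": all("spanning-tree bpduguard enable" in b
            for b in ports.values() if "spanning-tree portfast" in b),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the constructed sample, the four failing checks are the Telnet-enabled vty line, the SNMP community string, the unauthenticated NTP server, and the PortFast port without BPDU guard.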
Tasks 9.3
We would like you to draft a two-page document detailing the framework and components of a
corporate-wide information assurance education, training and awareness program. Please provide examples and
resources that support your proposal.
Tasks 9.4
Our senior management team wants to make sure we have thoroughly tested and strengthened our
systems and network. In an effort to respond to this priority, the Chief Information Assurance Officer has
directed your team to compose an RFP to identify a company to be contracted to perform a penetration test on
our systems and assist our staff in mitigating potential risks and vulnerabilities. Please have your team
draft the document and make sure they include the following activities as part of the request:
Internal/Intranet Testing
- Clients, Servers
- Databases
- Switches
- Routers
- Intranet
- IDS - IPS
- Patch Management
- Virus/Spyware

External/DMZ/Extranet
- Web Sites
- Database Mining
- Mail Servers
- DNS Servers
- FTP Servers
- VPN Servers
- Wireless Networks
- Firewalls

Physical Security
- Server Room
- Back-up Media
- Key Loggers
- Documentation
- Lock Picking
- Hot Jacks
- Phone Systems
- Covert Wireless