Monday, June 10, 2013

Proposed Occupy Wall Street (OWS) Information Security Plan






Hippie Top Secret

Abstract

Information security is vital to the accomplishment of Occupy Wall Street's (OWS) mission to facilitate a change in the current social, economic and political landscape. This document will provide a high-level outline of the specific security practices needed to ensure that proper security controls are implemented to safeguard organizational information assets.



Introduction

The following policy will provide a high-level overview of the organization's security policy. Implementation of these controls will minimize the risks and impacts of security incidents and will ensure that the organization's and members' information is properly protected.

Access Control
Managing access to information and proper authentication and authorization of individuals is critical. Each member will be issued an identification card that will contain a picture and a small chip with an SSL certificate. The cards will require a 16-digit PIN to be activated. These cards will be required to access any information resource, such as social media, the intranet, OWS computers and other information systems.

Telecommunications and Network Security
Due to physically disparate network architectures, all members will be required to use a Tor network client and then VPN into the corporate network. Juniper endpoint manager will be used to scan the connecting computer prior to connection, and its settings will be configured for maximum security, ensuring that no one's computer is ever able to connect. This will provide additional cost savings by eliminating the need to purchase any additional VPN equipment.

Information Security Governance and Risk Management
A dedicated department of the most paranoid hippies will be established to develop the organizational risk management strategy. All hypotheses, theories, news, delusions, concerns and fears will be taken as fact, no matter how unrealistic or unfounded. A risk management plan will be maintained to manage all of these concerns.

In addition, HR policies will incorporate mandatory background checks for all new personnel and members. Unless the applicant has at least one felony and two misdemeanors, they will be automatically disqualified from employment.

Strict policies will be put in place to ensure the cooperation of members: all personnel and work-related communications will be intercepted through a mandatory internal security software package and peer reviewed for signs of treachery. Access to employees' social media accounts will also be required upon employment.

Software Development Security
Only open source and foreign software will be used on corporate resources. Several linguists may be necessary to translate the software for day-to-day business users. However, that is the only way to ensure that no government backdoors are incorporated into the software.

Cryptography
All data at rest will be encrypted with AES symmetric encryption, and all servers and mobile computers will require full disk encryption; since that is how it works, someone will need to be present to physically reboot the servers every time. All data in transit will require 2048-bit encryption to ensure maximum security.


Security Architecture and Design
To facilitate overall secure architecture, all logs will be set to maximum logging and someone will go through them every day. To ensure nothing is missed, script parsing or aggregation will not be allowed.

Operations Security
All information systems will be patched daily, and only during core hours of 8 am to 5 pm. No maintenance outside of this time window will be performed. Backups will also run during this time window to ensure the most up-to-date backup. In addition, all systems will be configured to run full daily antivirus scans, preferably starting at 9 am.

Business Continuity and Disaster Recovery Planning
A disaster recovery and business continuity plan will be established. The business continuity plan will identify critical organizational functions and ensure adequate controls are in place for availability in case of a disaster. The business continuity plan will specifically focus on continuation of complaining and protesting after being evicted from public locations.

Legal, Regulations, Investigations and Compliance
All legal compliance will be taken very seriously! All member medical records will be immediately printed and stored in a huge safe, all digital copies will be deleted immediately after printing.

Physical (Environmental) Security
All facilities will be secured with a security checkpoint that will encompass armed guards, bomb-sniffing dogs and polygraph detectors. Each person entering or exiting the facility will be required to present their issued ID card, two other forms of picture ID and a biometric hair sample. In addition, they will be subjected to a search and a mandatory polygraph test.

In addition, the security checkpoint should always be understaffed, ensuring that a minimum number of persons pass each day. This will provide cost savings in procured office space.