Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

S B C

advertisement 
SERVICE BUSINESS CASE
NETWORK SECURITY
TABLE OF CONTENTS
EXECUTIVE SUMMARY .............................................................................................................................3
1.
Problem Definition ......................................................................................................................4
2.
Addressing Problem with CWU existing tools and products (i.e. PeopleSoft) .................................4
3.
Organizational Impact .................................................................................................................4
4.
Benefits ......................................................................................................................................5
5.
Strategic Alignment .....................................................................................................................5
6.
Cost ............................................................................................................................................5
7.
Alternatives (add lines as necessary) ............................................................................................6
8.
Timing / Schedule (add lines as necessary) ...................................................................................6
9.
Technology Migration/Resource Identification .............................................................................6
10. Product Life/Application Sunsetting or Decommissioning ............................................................6
11. References .................................................................................................................................7
12. Recommendation .......................................................................................................................7
13. Approvals...................................................................................................................................7
Network Security
Page 2 of 7
EXECUTIVE SUMMARY
In our current environment, Central Washington University does not implement any intrusion detection
or intrusion prevention systems (IDS/IPS). These systems are network security devices that reside on the
network and listens to the traffic. The purpose of these devices is to detect intrusions as they happen
and then prevent them from intruding on our network. This includes protocol-based inspection,
protection against advanced malware, zero-day attacks, Distributed Denial of Service Attacks, and
botnets.
The need for an effective intrusion detection/prevention solution is driven primarily by:

Best practice: We currently do not have any way of detecting intrusions on our network other
than from a forensic perspective.

PCI / HIPAA Compliance: Both the PCI and HIPAA federal compliance standards require that an
IDS/IPS system is in place.

Cedar Crestone Security Recommendations: The Cedar Crestone security assessment indicates
that the implementation of an IDP/IPS system is a critical part of the deployment of the
PeopleSoft Portal environment.
Network Security
Page 3 of 7
Sponsoring Department(s): Security Services Department
Date of Business Case Preparation: 10/8/13
Contact Person Name/Phone: Andreas Bohman / 2499
New Product/Service
If there is a draft or sample contract, please provide a copy.
Renewal of Existing Product/Service – if checked, include background information.
If there is a site license agreement, existing contract or new contract draft, please provide a
copy.
1. Problem Definition
Central Washington University currently does not have any systems or devices in place to
detect intrusions on our network. While we have firewalls in place, these devices are not
designed to detect intrusions in what is otherwise considered to be valid traffic into our
network. In order to provide for network security based on best practice, federal
compliance requirements, and the Cedar Crestone security recommendations, we have to
implement an IDS/IPS system.
PCI Compliance Language:
11.4 Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all
traffic at the perimeter of the data environment as well as at critical points inside of the
data environment, and alert personnel to suspected compromises. Keep all intrusiondetection and prevention engines, baselines, and signatures up-to-date.
2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)
This is a network security equipment purchase and there are no other solutions that provide
this functionality in our environment.
3. Organizational Impact
Stakeholders: The primary stakeholders are the Security Services and Information Services
departments.
There is expected to be minimal impact on the rest of the CWU staff.
Training Requirements:
Depending on the solution that is decided upon, there will be training required for the
technical staff tasked with managing the IDS/IPS solution.
Network Security
Page 4 of 7
All Stakeholders:
Department
Name
Security Services
Andreas Bohman
Security Services
Jamie Schademan
Security Services
Barbara Bisson
ITS
Chris Timmons
ITS
David Hart
4. Benefits
As we are currently not able to inspect network traffic as it enters our environment, this is a
much needed functionality. We will also be in a much better position to ensure the
confidentiality, integrity, and availability of our customer’s confidential information.
In addition, we have to implement a solution that meets federal compliance requirements in
order to avoid non-compliance consequences. Lastly, as we deploy the PeopleSoft Portal,
we will be able to prevent intrusions into our business-critical data.
5. Strategic Alignment
Student success: CWU believes that student success is best achieved by providing
supportive learning and living environments that encourage intellectual inquiry, exploration,
and application.
Strategic Alignment: By providing for a secure yet highly available environment, we ensure
ready access to information will still providing our students with the confidence that we will
protect their confidential information.
Shared Governance: CWU believes that shared governance is most effective when
information systems and decision-making processes are both robust and transparent. CWU
believes that communication channels should be open and two-way and that faculty, staff,
and students should be empowered to participate in the governance systems.
Strategic Alignment: Securing our customer data is an important part of building and
implementing robust and transparent information systems and decision-making processes.
6. Cost
There is currently no funding for this business case.
The Security Services department is currently soliciting quotes from vendors for the
purchase of an IDS/IPS solution. The cost of the equipment is estimated to be $75,000.00 $100,000.00.
Network Security
Page 5 of 7
Item
Equipment Purchase
Annual Maintenance
Unit
1
1
Cost
$100,000.00
$10,000.00
5-Year Cost
$140,000.00
7. Alternatives (add lines as necessary)
Alternative
Reasons For Not Selecting Alternative
Do nothing
Exposure to intrusions into our businesscritical data.
8. Timing / Schedule (add lines as necessary)
Task
Target Date
Evaluate RFQ responses
12/15/2013
Select Vendor
12/16/2013
Purchase Equipment
01/01/2014
Initiate Implementation
01/15/2014
Complete Implementation
02/01/2014
9. Technology Migration/Resource Identification
Resource
Jan
Feb
Mar
Apr
May
June
July
Aug
Sept
Oct
Nov
Dec
Security Admin
15
10
ITS
15
5
Total Hours
30
15
10. Product Life/Application Sunsetting or Decommissioning
The expected product life for the IDS/IPS solution is 5-6 years.
Network Security
Page 6 of 7
11. References
Cedar Crestone Security Recommendations
PCI Compliance Documentation
HIPAA Compliance Documentation
12. Recommendation
It is recommended that CWU purchases an IDS/IPS solution in order to detect and prevent
intrusions into its network and data environments.
13. Approvals
The following actions have been taken by the appropriate Sub-Council (ATAC or NonAcademic Sub-Council) and University Enterprise Team:
Date
Action
By
10/10/2013
Presented to Non-Academic
Andreas Bohman
10/14/2013
Approved for Review by cabinet
Non-academic
10/14/2013
Presented to EISC
Andreas Bohman
10/14/2013
Approved for Review by cabinet
EISC
Upon approval by the Enterprise Team (ET) or one of the two Sub-Councils (Academic or NonAcademic), CWU procurement policies and procedures should be used to initiate a purchase.
Please contact the Purchasing office at x1001 with any questions regarding the procurement
process.
If you have any questions, please contact Sue Noce 963-2927 or Tina Short 963-2910.
Network Security
Page 7 of 7
Related documents
Graduate Studies and Research NAME, GENDER, OR SOCIAL SECURITY # CHANGE
Graduate Studies and Research NAME, GENDER, OR SOCIAL SECURITY # CHANGE
 Students Only CHANGE OF ADDRESS
 Students Only CHANGE OF ADDRESS
NAME CHANGE REQUEST I have legally changed my name
NAME CHANGE REQUEST I have legally changed my name
RELEASE OF INFORMATION
RELEASE OF INFORMATION
DOC
DOC
Central Washington University Department of Public Safety and Police Services
Central Washington University Department of Public Safety and Police Services
Download
advertisement