Fictional Company

In order to have a basis to work from in completing a statement of applicability (SOA), a fictional company was needed. In this case I chose a “dummy” company that was used in a previous class (Security Assessment Methodology). The name of the company is N.E.W.T, and it specializes in the development of electronic tools (e.g. viruses, techniques, logic bombs, computer worms, and other exploits) for use in technological warfare. The company’s sole customer is the United States Government.

The company is not a multi-site company, and all development, due to the sensitive nature of the work, is done in-house. Both physical and network security are a necessity, and as a result there are a few things the company does not allow. The development area is a lab that runs on its own intranet and is physically separated from the rest of the facility by security access doors. Apart from a single administrator machine inside the lab that is connected to the company’s business intranet, the development and test machines are logically separated from that network. No off-site work (i.e. telecommuting or remote desktop work) is allowed on either the business side or the lab portion of the company. Also, the only wireless access points that exist are inside the lab and are test equipment only. There are no wireless access points on the business side, and the lab is specifically designed (via its building materials) to prevent wireless signals from the test equipment from leaving the lab.

SOA Summary Document

A – 6.2.1: While this control is applicable, the only third party that will have any sort of access to the systems is a security auditing firm.

A – 9.2.5: Due to the sensitive nature of what is being developed at N.E.W.T all development is done “in-house”. As such, there is no off-site equipment to secure.

A – 10.9.1: The nature of the company does not require any electronic commerce (there is no online store and no online financial transactions). All financial transactions are handled by government contract and are not processed at the facility.

A – 10.9.2: There is no need for online transactions so there is nothing to secure.

A – 10.9.3: Due to the sensitive nature of what is being developed at N.E.W.T, there are no publicly available systems. The only public area in the facility is a reception area, which has no public kiosk, public Wi-Fi, or other access to N.E.W.T’s network or equipment.

A – 11.4.2: Due to the sensitive nature of what is being developed at N.E.W.T, no external connections to the network (i.e. remote desktop or telecommuting) are allowed. All incoming ports and/or remote connection equipment have been removed or disabled.

A – 11.7.1: Due to the sensitive nature of what is being developed at N.E.W.T, no external connections to the network (i.e. remote desktop or telecommuting) are allowed. All incoming ports and/or remote connection equipment have been removed or disabled.

A – 11.7.2: Due to the sensitive nature of what is being developed at N.E.W.T, no external connections to the network (i.e. remote desktop or telecommuting) are allowed. All incoming ports and/or remote connection equipment have been removed or disabled.

A – 12.2.1: There is a limited amount of data processing involved in what is developed at N.E.W.T, and the little that exists is usually experimental. As such, there is no real need for input data validation controls.

A – 12.2.2: There is a limited amount of data processing involved in what is developed at N.E.W.T, and the little that exists is usually experimental. As such, there is insufficient need for internal processing controls.

A – 12.2.4: The systems that are in use do not produce an “output” that would require data validation as a security measure.

A – 12.5.5: Due to the sensitive nature of what is being developed at N.E.W.T, there are no circumstances under which a third party would be allowed to do software development for the company. As such, there is no need for this type of control.

A – 15.3.1: In order to ensure a high level of security (as required by government contract), all auditing is carried out by an authorized third party, and as such this particular control falls to them.

A – 15.3.2: In order to ensure a high level of security (as required by government contract), all auditing is carried out by an authorized third party, and as such this particular control falls to them.