Action Plan Proposal: Implementing Network Access Control System On Government Network
[Date]: 25.07.2017
[Name]: Genc Jakupi
[Organization Name]: Agency for Information Society
1. Background of my action plan
(1) Vision / Mission of my organization
Provisioning of electronic services effectively and efficiently to citizens, businesses and
institutions themselves based on European standards
(2) Strategy of my organization
• Electronic Governance strategy 2016-2020
1. Modernizing Public Administration;
2. Rationalization of public administration expenditures;
3. Standards for systems development in enhancing the quality of electronic services;
4. Implementing interactive/interoperability platform for integration of systems.
• National Cyber Security Strategy and Action Plan 2016-2019
1. Critical information infrastructure protection;
2. Institutional development and Capacity building;
3. Building Public and Private partnership;
4. Incident response;
5. International Cooperation.
AP SCOPE: All Government Network, managed by AIS
[Figure: AIS organization chart. Director of Agency for Information Society (AIS), authorizer; Administrative Assistant (1 staff); Procurement Sector (4 staff); the agency's sectors with their staff counts, one of them marked "My Group".]
2. Problem
(1) What are the problems in my work place?
a. State Data Center does not have a Business Continuity Site. All services that are hosted in this Data Center
will be inaccessible in case of problems at the primary site.
b. Intruders, guest users, government employees etc. can connect their devices (computers, mobile phones,
tablets etc.) to the government network without authorization, causing problems such as interrupting network
connectivity, spreading viruses, and attacking internal services and resources.
c. Difficulties in monitoring network traffic flow on the government network, causing delays in resolving network
interruptions and problems.
a. 2 2 2 1 7
b. 2 2 2 2 8
c. 2 2 2 1 7
(3) Analyzing causes of the problem which I will solve in my action plan
• Lack of standard operating procedures and clear policies for network connectivity
• Lack of knowledge on how to write good security policy and standard operating procedures
Root causes
Old security policy and no standard operating procedure that clarifies which devices can be connected to
the government network. There was no proper training for staff members on how to write good security
policies and standard operating procedures.
[Figure: current government network. Guest users, government employees and intruders connect to the government network with no authorization required; unauthorized devices spread viruses and reach internal services and resources.]
(4) Current business & system image
The Agency for Information Society (AIS) is responsible for offering electronic services to almost all
government institutions of the Republic of Kosovo and to its citizens. To offer these services AIS operates
the government network, which is spread across all these institutions.
On the government network there is no control (system) or good security policy in place that blocks
unauthorized access to this network and forces users to comply with security controls. Because of the lack
of such a control (system) and security policy on the government network, intruders, guest users and
government employees are able to connect their devices to our network and do malicious
things to our internal and external services, spread viruses to other devices, interrupt network
connectivity etc.
It takes a lot of time and workload to implement manual Access Control Lists on network devices.
Approximately 65% of computers connected to the government network are not updated regularly with
security patches.
More than 40 unauthorized Wireless Access Points are connected to the government network.
All these problems go unnoticed by our monitoring and risk analysis system.
3. Solution
(1) Theme
Improving information security by controlling which devices can connect to the
government network.
(2) Scope
Reviewing the security policy and writing a standard operating procedure that will define which devices
can have network access on the government network and with what privileges.
Implementing a network access control system on the government network that will prevent
unauthorized access and will enforce security policies on end-devices.
The implemented system will affect the government network of the Republic of Kosovo that is managed by the
Agency for Information Society.
[Figure: future government network. Authorized guest users and government employees are given access through the government network to the Internet and to internal services and resources; intruders and unauthorized devices get "Access Denied".]
(4) Future business & system image
Every device that tries to connect to the government network managed by AIS must first meet the
conditions set by our security policy:
• the device must be authenticated,
• it must have antivirus software installed,
• it must have all security updates installed,
• it must be part of our domain etc.
After the device is authorized, it will have access only to the resources that its user is allowed to access.
For guest users the system will allow access only to limited resources. For unauthorized devices the
system will block access to our network.
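The admission rules above, sketched as an added example (not part of the original proposal and not the code of any NAC product). The field names, the sample devices and the assumption that guests authenticate with a guest account are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    # Hypothetical posture record a NAC agent or scan might report.
    name: str
    authenticated: bool
    is_guest: bool = False
    antivirus_installed: bool = False
    missing_security_updates: int = 0
    domain_member: bool = False

def evaluate(device):
    """Return (decision, reasons); decision is 'authorized', 'guest' or 'denied'."""
    if not device.authenticated:
        return "denied", ["not authenticated"]
    if device.is_guest:
        # Guests are admitted, but only to limited resources.
        return "guest", []
    reasons = []
    if not device.antivirus_installed:
        reasons.append("no antivirus software")
    if device.missing_security_updates > 0:
        reasons.append(f"{device.missing_security_updates} security updates missing")
    if not device.domain_member:
        reasons.append("not part of the domain")
    return ("denied", reasons) if reasons else ("authorized", [])

def compliance_rate(devices):
    """Share of non-guest devices that pass every policy condition."""
    staff = [d for d in devices if not d.is_guest]
    if not staff:
        return 0.0
    return sum(evaluate(d)[0] == "authorized" for d in staff) / len(staff)

# Constructed sample inventory, not data from the proposal.
SAMPLE = [
    Device("hr-pc-01", True, antivirus_installed=True, domain_member=True),
    Device("fin-pc-07", True, antivirus_installed=True,
           missing_security_updates=3, domain_member=True),
    Device("visitor-phone", True, is_guest=True),
    Device("unknown-ap", False),
    Device("byod-laptop", True),
]

if __name__ == "__main__":
    for d in SAMPLE:
        decision, reasons = evaluate(d)
        print(f"{d.name:14} {decision:10} {'; '.join(reasons)}")
    print(f"compliance rate: {compliance_rate(SAMPLE):.0%}")
```

Recording the reasons for each denial is what lets administrators see the exact security status of a device and track the compliance rate against the plan's targets.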
This system will limit the spread of viruses inside our network.
Network and security administrators will know the exact security status (antivirus software, security
updates etc.) of devices that are connected to the government network.
This system will eliminate unauthorized Access Points that are installed on the government network.
The new system will be integrated with other security devices (SIEM) to perform better monitoring
and event correlation.
With this system in place we are prepared to implement the BYOD (Bring Your Own Device) concept
on the government network.
4. Effect of the action plan
[Qualitative Effect]
[Quantitative Effect]
• Reduce the number of computers that are not part of our domain from
approximately 10% to 1%.
• Increase the number of devices that are up to date (antivirus signature and
security patches of OS) from 65% to 97%.
• Eliminate all unauthorized Access Points that are connected to the government
network.
5. Implementation schedule
Timeline columns: Nov 2017, Dec 2017, Jan 2018, Feb 2018, Mar 2018, Apr 2018, …, Jul 2018, Aug 2018, Sep 2018, Oct 2018, …, Sep 2019
No. Phase
4 Procurement procedures
6 Implementing and documenting network access control system on government network.
6. Project Team Structure
Mr. Gani Zogaj
Position: Director of Directorate for Central Operation and Security
Role: Supervisor
[Running cost]
Item Unit Cost Volume Cost
License yearly renewal cost $80,000 (1 year license) 1 $80,000
1) Some devices are old and may not be compatible with the network access control
system.
2) Team members may be too overloaded with the project and their daily tasks. Because
of this overload some staff members will hesitate to support the project, which will
require more commitment from them.
3) Some management staff in government institutions may try to escape these
restrictions by putting pressure on AIS management.
4) During the implementation phase, network connectivity issues may happen. Some
users (government employees, contractors and guest users) will not be able to
access their data and resources due to implemented restrictions etc.
8. Risk for the action plan
[Countermeasures for the risk]
1) Old devices must be replaced with new ones, or in some cases they must be upgraded
to a new version, in order to be compatible with the network access control system.
2) Daily tasks must be assigned to other staff members and management staff must
find ways to motivate project members.
3) An awareness campaign must be done before the implementation, in order to explain
security policies to all users and specifically to the management staff of other
government institutions.
4) Manuals and guidelines must be formulated and distributed to all users before
starting the implementation. The number of staff in the call center must be increased in
order to respond to and resolve user complaints. System implementation
must be done in good coordination with IT staff in each government institution, in
order to shorten the time during which the system is inaccessible to government
employees. Guest users and contractors may use the government wireless network.