QUESTION 1
Assume that you are an IT manager in a for-profit organization. The company requires you to come up with information security plan documentation to help the company manage its information security services more efficiently.
As such, you are required to produce 8-10 pages of information security plan documentation for your company. Among the items needed in the documentation are:
1. Objective
2. Purposes
3. Action Plans
4. Action Steps
5. Any other related items
6. Documentation format (for example: table of contents, page numbers, etc.)
PERISAI SAMUDRA’S SECURITY PLAN
1. INTRODUCTION
Perisai Samudra is a firm specializing in high-adventure travel packages. Staff includes designers, travel agents, sales and marketing personnel, and the administrative team that supports them. The staff also includes the senior management of the business and the financial controller.
2. OBJECTIVE
The main objective of this security plan is to review the security risks faced by the firm and to take prompt action to reduce the company's exposure. It is a plan to avoid disasters such as virus attacks and other unforeseen threats.
3. PURPOSES
Information security is based on making sure that information is accessible only to those who should have access to it (confidentiality), is modified only by those who are authorized to do so (integrity), and is available when and where it is needed (availability). Based on this statement, the purposes of this plan are:
a) Protect against any anticipated threats or hazards to the security or integrity of our company’s confidential information;
b) Protect against unauthorized access or use of company’s system by hackers that could result in substantial harm or inconvenience to the company.
3. ACTION PLANS - IDENTIFY, ASSESS AND EVALUATE
3.1. Skills and Knowledge
The IT Manager, who is familiar with Perisai Samudra's systems and computer security, will be fully in charge, together with a technology consultant from Micron Expert, who acts as expert guide and computer software/hardware supplier.
3.2 Network and Systems
The company's technology equipment is as follows:
| EQUIPMENT | QUANTITY | DESCRIPTION |
|---|---|---|
| Desktops | 22 | 1 per member of staff plus two old machines acting as print servers |
| Printers | 2 | 1 high-end plotter and 1 printer-fax unit for general use |
| Laptop computers | 4 | Used by directors and sales personnel |
| Servers | 1 | One computer that runs Windows Small Business Server 2003 and manages the Internet connection, e-mail, and the customer database |
| Internet connection | 1 | 1.5 Mbps cable modem connection. The server and several of the computers are linked by 100 Mbps Cat5 Ethernet cables; the remainder are linked by an 802.11g wireless network with one access point. |
All computers run Windows XP Professional except for the two print servers and two administrative computers, which run Windows 98.
3.3. Security
Each computer shall be compared against the checklist in the Security Guide for Small Business, and the Microsoft Baseline Security Analyzer shall be run on it. These actions shall cover the following:
| PROBLEM | REMARKS |
|---|---|
| Virus protection | Needs updating on each computer; users are aware of viruses but unsure how to prevent them. |
| Spam-filtering software | Many users have begun to complain about spam, but no protection is in place. |
| Firewall | No firewall. |
| Updates | All Windows XP Professional systems are up to date because they automatically check for and download updates. Several installations of Microsoft Office need updating, and the Windows 98 computers are not updated. |
| Passwords | Most PCs are not using passwords or have them written on Post-it notes. Laptops are not password protected. |
| Physical security | Building and window locks, doors, and alarms are in good condition. However, none of the computers has a serial number etched on its case, and there is no log of the serial numbers. Printer sharing risks confidential documents being left on the printer by accident. |
| Laptop computers | No security locks. |
| Wireless networking | The wireless network is open: anyone with wireless access capability can snoop on the network or freeload on the Internet connection. |
| Web browsing | Web browsing unrelated to work, because there is no policy on acceptable use and security measures. |
| Back-ups | Data on the server is backed up to a Digital Audio Tape (DAT) drive on a weekly basis. The server contains the company's primary customer database, so well-tested backups are essential, as is keeping a copy of backups offsite. |
3.4 Assets
Other main assets are:
· Product designs and marketing collateral
· Records of contracts with vendors
· E-mail database and archive of past e-mail messages
· Sales orders and the customer database
· Financial information
· Line-of-Business (LOB) software for online booking and reservations
· Paper legal records stored in various filing cabinets
All these assets are considered confidential and should be accessible only by authorized personnel. These assets need to be protected and backed up.
3.5. Risks
Risks can be broken down into four main categories:
| RISK | DESCRIPTION |
|---|---|
| Intruders | Viruses, worms, hijacking of our computer resources or Internet connection, and random malicious use. These are the risks that anyone using computers connected to the Internet faces. High risk, high priority. |
| External threats | Rivals, disgruntled ex-employees, bad guys after money, and thieves. They are likely to use the same tools as hackers, but in deliberately targeting us they may also try to induce members of staff to supply confidential information or even use stolen material to blackmail or damage us. We need to protect our assets with physical and electronic security. High risk, high priority. |
| Internal threats | Whether accidental or deliberate, a member of staff may misuse his or her privileges to disclose confidential information. Low risk, low priority. |
| Accidents and disasters | Fires, floods, accidental deletions, hardware failures, and computer crashes. Low risk, medium priority. |
3.6 Priorities
1. Intruder deterrence:
· Firewall
· Virus protection
· Strengthening the wireless network
· Replacing the four computers running Windows 98 with computers running Windows XP Professional with SP2
· Ensuring that all computers are configured to be updated automatically
· Ongoing user education and policies
2. Disaster prevention:
· More frequent backups with offsite storage
· Ensure backup of users' local data
· Offsite backup of critical paper documents
· Regularly testing the backups by performing a restore
3. Theft prevention:
· Laptop computer security
· Security marking and asset inventory
· Moving the server into a secure, lockable room
· Security locks for desktop and laptop computers
4. Internal security and confidentiality:
· Strong password policy and user education
· Secure printers for accounts, HR, and directors
· Review security for filing cabinets and confidential documents
4. ACTION STEPS
4.1. Necessary Action Steps
1. Configure computers running Office Outlook 2003 to use Junk E-mail filtering. Select, purchase, and install spam-filtering software on the mail server, if necessary.
2. Select, purchase, and install a hardware firewall (or ask our ISP or technology consultant to provide one).
3. Make sure that antivirus software is installed on all computers and that it is set to automatically update virus definitions.
4. Enable Windows Firewall on the server and on all desktop computers.
5. On the wireless network, disable service set identifier (SSID) broadcasting, choose and configure a sensible SSID, enable WPA encryption, enable MAC filtering, and configure the access point to allow traffic only from the desktop and laptop computers in the office.
6. Security-mark all desktop computers, laptop computers, and their components.
7. Review all machines to make sure that they are fully updated, and set them to automatically refresh those updates.
8. Buy new, nondescript laptop computer bags and locks.
9. Replace the four computers running Windows 98 with computers running Windows XP Professional with SP2.
10. Find a suitable, lockable room for the server and move it there.
11. Buy and install desk security locks for desktop computers.
12. Log all serial numbers.
13. Review backup and restore procedures. Ensure that user data is either stored on the server or copied across regularly prior to backups. Implement daily backups. Ensure that a full backup goes offsite once a week. Ensure that the backup is password protected and encrypted. Review paper documents, and make photocopies for secure offsite storage of critical documents.
14. Buy cheap printers for accounts, HR, and the two directors so that they can have private documents printed securely.
15. Configure workstations to log users out and require a password to log on again if the workstation is idle for more than 5 minutes.
16. Configure Small Business Server 2003 and individual machines to enforce reasonably strong passwords. Discuss with users what would be an acceptable balance of convenience and security. (We don't want them writing down their new passwords.)
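Steps 15 and 16 on a Windows XP Professional workstation joined to the SBS 2003 domain can be applied with the commands below. This is an added example, not part of the original plan; the 8-character minimum, 90-day maximum age and 5-password history are assumed values to be agreed with users, as step 16 requires.

```batch
@echo off
REM Added example (not from the original plan): applies action steps 15 and 16
REM on a Windows XP Professional PC in the SBS 2003 domain. The password
REM thresholds below are assumed values, to be agreed with users.

REM --- Step 15: lock the workstation after 5 minutes (300 s) idle ----------
REM These values live in the current user's profile, so run this once per
REM user profile, or push the same keys through Group Policy on the domain.
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive    /t REG_SZ /d 1   /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut   /t REG_SZ /d 300 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1   /f
reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\system32\scrnsave.scr" /f

REM --- Step 16: reasonably strong password policy --------------------------
REM /domain sets the policy on the SBS 2003 domain controller for all domain
REM accounts; omit it to set only the local account policy of a stand-alone PC.
net accounts /minpwlen:8 /maxpwage:90 /minpwage:1 /uniquepw:5 /domain

REM Caveat: net accounts cannot require mixed character classes. Enable
REM "Password must meet complexity requirements" in the Default Domain Policy
REM on the server to complete step 16.

REM Verify what was applied
net accounts /domain
reg query "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut
```

Run it from an account with local administrator rights; the `net accounts /domain` line additionally needs domain administrator rights.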
4.2. Response Planning
The server and firewall will be monitored regularly to make sure that no security breaches, such as virus infections, have occurred.
4.3. Ongoing Maintenance and Compliance
On a day-to-day basis: subscribe to security bulletins from Microsoft and the antivirus software supplier, and monitor compliance with the new policies. On a monthly basis: update Windows and antivirus software, and check that the backup and restore procedures are working properly. Ensure that new computer equipment is properly configured and up to date, and that new staff joining the company are fully trained in the company's security policies and procedures.
4.4 Policy Changes
The Administration Manager shall update the staff handbook with new policies on:
- Acceptable use of e-mail and the Internet
- Use of passwords
- Who can take company property away from the office
Before being rolled out, this new policy draft will be reviewed by the directors and the company's attorneys.
4.5 User Education
Two hours of user training in small groups shall be conducted, which cover:
- The importance of security, Passwords and Laptop computer security
- Virus prevention and Safe Internet browsing
- Updating software and operating systems from a server
- Introducing the new staff policies
- Making sure employees understand the consequences for not complying with policies
- Assessing employees' understanding of the new policies
- Periodically reviewing the practice of the new policies
4.6 Project Time Line and Responsibilities
· The top 3 priorities - firewall, virus protection, and strengthening the wireless network - will receive urgent attention from the IT Manager and the IT consultant, Micron.
· The remaining tasks will be done by selected staff in order of priority. The top 3 priorities are expected to be completed within a week and the remaining tasks within 30 days.
· The Administration Manager shall be responsible for purchasing and implementing the technical changes and also for all the policy and training requirements. The IT Manager will oversee the project and be responsible for any other tasks that arise.
6. RESOURCES AND BUDGET
6.1 Software and Hardware
The following expenditures are recommended to carry out the above:
· Purchase antivirus software.
· Configure Office Outlook 2003 to filter junk e-mail.
· Install a hardware firewall.
· Replace the last four desktop computers running Windows 98 with computers running Windows XP Professional with SP2.
· Purchase security locks and new nondescript laptop computer bags.
· Check into additional backup media.
6.2 Professional Advice
| RESOURCES | DESCRIPTION |
|---|---|
| External Resources | Legal Adviser to review the company's rewritten staff policies; Micron to advise and help on implementation |
| Internal Resources | IT Manager and appointed staff |