
Information Systems Security - Report Example

Summary
This report "Information Systems Security" discusses a database that would include tenants and the building managers. All users will have access to the database. However, this will be limited to the information a user is expected to provide or use…

Extract of sample "Information Systems Security"

Database Security

Section I: Users Data Access Needs

The users for this database would include tenants and the building managers. All users will have access to the database. However, this will be limited to the information a user is expected to provide or use. This database will entail information pertaining to tenants, including bio data and financial records as pertains to their occupancy. Building managers will have administrator privileges, allowing them to edit and/or update all information pertaining to the building they manage.

Building Manager

| Table Name | SELECT / INSERT / UPDATE | Constraints |
|---|---|---|
| Tenant Lease Agreement | × × × | Only for the buildings they manage |
| Building | × × | Only for buildings they manage |
| Manager | × × | Only for the buildings they manage |
| Tenant | × × × | Only for the buildings they manage |
| Rent Revenue | × × × | Only for the buildings they manage |
| Apartment Maintenance | × × × | Only for the buildings they manage |
| Expense Type | × × × | Only for the buildings they manage |
| Expenses | × × × | Only for the buildings they manage |

Tenant

| Table Name | SELECT / INSERT / UPDATE | Constraints |
|---|---|---|
| Tenant Lease Agreement | × × | Only for the buildings their apartment |
| Building | | |
| Manager | | |
| Tenant | × × × | Only for their contacts |
| Rent Revenue | | |
| Apartment Maintenance | × × | Only for their apartment |
| Expense Type | | |
| Expenses | | |

Section II: Security Plan

Tenant information is one of the most crucial facets of information for any business within the real estate industry. As such, the company ought to put in place structures that will ensure information security in two main ways: (1) authentication and authorization, and (2) general policies and procedures. The firm's database containing all information pertaining to tenants and other aspects of the business will be stored on two main servers. These servers will be accessible by all tenants and building managers.

Login Accounts

Every database user will have a login account that will allow them access to the database.
There are two general types of accounts: (1) tenant accounts for tenants, and (2) manager accounts for building managers. Each account will determine the scope of information that the given user is allowed. While manager accounts will have administrator privileges, tenant accounts will have very limited access to the database. Each login account will have a password that will be created by each user upon creation of the account.

Firewall

A firewall is in essence a baseline control for securing the network environment of any enterprise. Routers are usually integrated with a firewall. Examples include software-based packet filtration and Network Address Translation. A distinct, hardware-based firewall is recommended. This is due to the disturbing fact that hackers in this day and age employ advanced technology and methodologies to breach networks. A good example of this is APT (Advanced Persistent Threats). These employ advanced phishing techniques and complex algorithms. The threat posed by such security menaces may damage a company's reputation or compromise the integrity of its confidential information, causing it to lose clientele as banks would in the case where credit card numbers are leaked.

Intrusion Detection System

The use of a firewall supplemented by an antivirus is not sufficient to ensure information security. An intrusion detection system will be put in place. An intrusion detection system is vital for the security of any corporate network as the system would issue an alert preceding an attack. The alert enables the relevant technician to quickly identify the computer that is compromised, isolate it and initiate an action plan to mitigate and eliminate the threat in question.

When an IDS generates alerts, it can send them to a console in the security centre, to a mobile phone, or via e-mail. Discuss the pros and cons of each.

IDS alerts hold numerous key benefits.
One key advantage of the IDS alerts is the prior notification of an impending breach in the corporate network. This gives the respective network and computer technicians time to isolate the computer and devise an elaborate and adequate action plan to counteract, mitigate and eliminate the threat. Furthermore, the delivery of these alerts is ideal in the manner in which the alert is sent to the concerned personnel. This is usually through the more preferred SMS. In the case where the alerts are transmitted through email, the relevant employee may not be available or have access to a computer at the time, rendering the information ineffective. Therefore, messages and alerts generated by the IDS have to be transmitted through a secure medium that is also reliable and accessible at any moment in time. Other aspects of the IDS alert system that have to be put into consideration include:

  • SMS alerts have the highest probability of reaching the relevant security administrator. However, alerts transmitted through this medium have to be high-probability attacks. Otherwise, the alerts would lose value if all alerts are transmitted through this medium.
  • The manager console screen should not be the primary medium for alerts. This is owing to the fact that the manager console screen would not be manned at all times, especially at night, on weekends and on holidays.
  • The email medium is also not very reliable or secure. This is because emails are usually not checked on a regular basis and they can only be effective if an email messenger system is employed. Furthermore, emails may be compromised, as spam mail and malicious code may be embedded in them.

Section III: Preliminary Threat Analysis

The biggest threat to the company's information security is the leakage of information to a user other than those allowed within the database, i.e. tenants and building managers.
This is by far one of the most considerable threats, as the main purpose of this plan is to ensure information integrity. There is also the threat of a tenant gaining access to an account with admin privileges, allowing them to edit, update or delete information that is otherwise sensitive. There is also the present threat of accidental entry and update errors. These can be committed by any given user but can be mitigated by the use of carefully stored views and procedures.

Role: Building Managers

| Threat | Description |
|---|---|
| SELECT | Could see information not pertaining to the building they manage |
| INSERT | Insert errors in tenant and manager |
| UPDATE | Update errors in tenant and manager |
| DELETE | |

Role: Tenants

| Threat | Description |
|---|---|
| SELECT | Could see information not pertaining to their apartment or residence |
| INSERT | Insert errors in tenant information |
| UPDATE | Update errors in tenant information |
| DELETE | |

Section IV: Disaster Management Plan

A firm is trying to decide whether to place its backup centre in the same city or in a distant city. List the pros and cons of each choice.

It is usually advisable that a disaster backup site be placed in a different geographical location from the original site.

The advantages associated with having both sites in the same city include:

  • There would be shorter long-haul distances between the two sites. This translates to cheaper costs for the dedicated bandwidth required for CDP-type backup.
  • There would be a much shorter distance for IT personnel to travel to get the cold or hot backup site functional in the shortest amount of time.

The disadvantages associated with having both sites in the same city include:

  • In the event of a major environmental disaster, both the primary and the backup sites would be affected, possibly even taken out.
  • In the event of such an occurrence, the safety of travel for the personnel is not guaranteed due to possibly dangerous environmental conditions.
The advantages associated with having the sites in different geographical locations include:

  • The chance that an environmental disaster occurs at both the primary and the secondary site simultaneously is hopefully very slim.

The disadvantages associated with having the sites in different geographical locations include:

  • There is reduced visibility of the environment at the hot or cold site in the event of a disaster at the primary site. This may make switching to the backup site take much longer.
  • There are much higher costs associated with transferring material (computers and backup tapes), data (CDP) and personnel to the backup site.
  • It may be increasingly difficult to get the skilled personnel from the primary site to the backup location quickly to facilitate cutover.

Section V: Data View

```sql
USE [master];
GO

CREATE DATABASE [LEASE]
ON PRIMARY
    (NAME = N'Lease', FILENAME = N'\\FSA\SQLDB\lease.mdf',
     SIZE = 4GB, MAXSIZE = 10GB, FILEGROWTH = 2GB)
LOG ON
    (NAME = N'Lease_log', FILENAME = N'\\FSA\SQLDB\lease_log.ldf',
     SIZE = 2GB, MAXSIZE = 3GB, FILEGROWTH = 10%);
GO

-- Create the tables in the new database, not in master.
USE [LEASE];
GO

-- Referenced tables are created before the tables that reference them.
CREATE TABLE dbo.Building (
    BuildingKey     CHAR(10) PRIMARY KEY,
    BuildingName    CHAR(30) NOT NULL,
    BuildingAddress CHAR(30) NOT NULL
);

CREATE TABLE dbo.Manager (
    ManagerKey       CHAR(10) PRIMARY KEY,
    ManagerLastName  CHAR(50) NOT NULL,
    ManagerFirstName CHAR(50) NOT NULL,
    BuildingKey      CHAR(10) FOREIGN KEY REFERENCES dbo.Building (BuildingKey)
);

CREATE TABLE dbo.Tenant (
    TenantKey           CHAR(20) PRIMARY KEY,
    TenantLastName      CHAR(50),
    TenantFirstName     CHAR(50),
    TenantEmail_Address CHAR(30),
    TenantPhoneNumber   NUMERIC(20)
);

CREATE TABLE dbo.TenantLeaseAgreement (
    TenantLeaseKey CHAR(10) PRIMARY KEY,
    LeaseStartDate DATE NOT NULL,
    LeaseEndDate   DATE NOT NULL,
    Deposit        DECIMAL(15, 2),
    RentAmount     DECIMAL(15, 2),
    LateFees       DECIMAL(15, 2),
    ApartmentKey   CHAR(15),  -- foreign key; the Apartment table is not defined in this script
    TenantKey      CHAR(20) FOREIGN KEY REFERENCES dbo.Tenant (TenantKey)
);

CREATE TABLE dbo.RentRevenue (
    RentRevenueKey CHAR(10) PRIMARY KEY,
    RentAmount     DECIMAL(15, 2),
    RentDueDate    DATE,
    LateFeeAmount  DECIMAL(15, 2),
    -- Length matches TenantLeaseAgreement.TenantLeaseKey, as a foreign key requires.
    TenantLeaseKey CHAR(10) FOREIGN KEY REFERENCES dbo.TenantLeaseAgreement (TenantLeaseKey)
);

CREATE TABLE dbo.ApartmentMaintenance (
    ApartmentMaintenanceKey CHAR(10) PRIMARY KEY,
    RequestDate             DATE,
    MaintenanceType         CHAR(30),
    Resolution              CHAR(30),
    ResolutionDate          DATE,
    ApartmentKey            CHAR(30)  -- foreign key; the Apartment table is not defined in this script
);

CREATE TABLE dbo.ExpenseType (
    ExpenseTypeKey    CHAR(30) PRIMARY KEY,
    Repair            CHAR(50),
    Maintenance       CHAR(50),
    Utilities         CHAR(50),
    ApartmentCleaning CHAR(50),
    Insurance         CHAR(50)
);

CREATE TABLE dbo.Expenses (
    ExpenseCostKey CHAR(30) PRIMARY KEY,
    CostAmount     DECIMAL(15, 2),
    -- Length matches ApartmentMaintenance.ApartmentMaintenanceKey, as a foreign key requires.
    ApartmentMaintenanceKey CHAR(10) FOREIGN KEY REFERENCES dbo.ApartmentMaintenance (ApartmentMaintenanceKey),
    ExpenseTypeKey CHAR(30) FOREIGN KEY REFERENCES dbo.ExpenseType (ExpenseTypeKey)
);
GO
```
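One way to enforce the tenant matrix's "only for their contacts" constraint with the stored views and procedures that Section III relies on, shown as an added T-SQL example that is not part of the original report. The mapping table TenantLogin, the role TenantRole, the view vMyContact and the procedure usp_UpdateMyContact are assumed names; the Tenant columns are the ones declared in Section V.

```sql
-- Added example (T-SQL); not part of the original report.
-- Hypothetical names: TenantLogin, TenantRole, vMyContact, usp_UpdateMyContact.
USE [LEASE];
GO
CREATE ROLE TenantRole;
GO
-- Assumed mapping from a database user to the tenant row that user owns.
CREATE TABLE dbo.TenantLogin (
    DbUserName sysname  NOT NULL PRIMARY KEY,
    TenantKey  CHAR(20) NOT NULL REFERENCES dbo.Tenant (TenantKey)
);
GO
-- Row filter: each tenant sees only their own contact row.
CREATE VIEW dbo.vMyContact
AS
SELECT t.TenantKey, t.TenantLastName, t.TenantFirstName,
       t.TenantEmail_Address, t.TenantPhoneNumber
FROM dbo.Tenant AS t
WHERE t.TenantKey = (SELECT tl.TenantKey
                     FROM dbo.TenantLogin AS tl
                     WHERE tl.DbUserName = USER_NAME())
WITH CHECK OPTION;  -- rejects writes that would move a row outside the filter
GO
-- Stored procedure: validates input before writing, to limit update errors.
CREATE PROCEDURE dbo.usp_UpdateMyContact
    @Email CHAR(30),
    @Phone NUMERIC(20)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Email NOT LIKE '%_@_%._%'
        THROW 50001, 'Invalid e-mail address.', 1;
    -- The view's filter limits this UPDATE to the caller's own row.
    UPDATE dbo.vMyContact
    SET TenantEmail_Address = @Email,
        TenantPhoneNumber   = @Phone;
END;
GO
-- Tenants reach the data only through the view and the procedure.
GRANT SELECT  ON dbo.vMyContact          TO TenantRole;
GRANT EXECUTE ON dbo.usp_UpdateMyContact TO TenantRole;
-- Close the direct path to the base tables.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Tenant      TO TenantRole;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.TenantLogin TO TenantRole;
GO
```

Because the view, the procedure and the base tables share the dbo owner, ownership chaining lets TenantRole members read and update through them while the DENY still blocks direct queries against dbo.Tenant.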