Enigma Security Services - Most Important Threats and Assets - Coursework Example

IT SECURITY By IT Security Introduction Enigma Security Services (ESS) appoints a security analyst. The Managing Director (MD) of CBC Corporation commissions ESS to analyse the security needs within the company, CBC Corporation. As such, ESS has to undertake a security analysis of the company, such as identifying the security threats, the causes of such threats, as well as come up with appropriate recommendations on the best way for the company to overcome these security threats. The Managing Director expects this report from ESS in order to rectify the security challenges that her company, CBC Corporation is facing. A sneak peek into the operations of the CBC Corporation provides that the company has over one thousand employees who are on full time employment. As such, the company admits 1000 persons into the company on a daily basis that can be a source of threat to the operations of the company, especially on its IT security systems. In addition, the company also has a vast array of Information Systems, which include about 600 UNIX workstations, 600 terminal emulators, 1000 PCs running Windows, 300 external client dial-in systems, as well as 100 hundred authorised at-home dial-in systems. Of the 1000 members of staff, 160 of them are full-time staff members of the Information technology department. This consists of about 16% of the company’s total workforce team. As such, it so appears that the company has to protect its assets, as well as sensitive information from theft of all kinds, be it leakage, internal operators of the company, as well as external perpetrators keen on acquiring illegally the company’s assets and information. Therefore, the work cut out for ESS is to evaluate the state of security at the company and suggest possible solutions to the arising threats. Part One: Most Important Threats and Assets The company may end up losing its assets as well as critical information to thieves, or leaking out confidential information to the wrong hands because of its poor security network. An overview of the company’s security system provides that it is tantamount to a number of threats, both external as well as internal owing to the inappropriate security measures put in place by the management of the company. The following provides some of the most important threats that the company needs to attend to immediately. It also categorizes the physical assets that the company needs to put security for against thieves. The main assets of the company include 600 UNIX workstations, 600 terminal emulators, 1000 PCs running Windows, 300 external client dial-in systems, as well as 100 hundred authorised at-home dial-in systems. These comprise the physical assets of the company need physical security to secure from any form of threat or risks, such as theft. In addition, the company also needs to protect its important information and data stored in its computer systems and data warehouse. As such, it also requires to set up computerised security to bar unauthorised access from anyone without express permission to access such information. Therefore, the threats of the company include the physical threats, as well as the computer-aided threats, such as internet hacking, data theft, or alterations of data. This security threat is the worst for the company so far considering that it deals in information security as its main line of business. Part Two: Existing Controls in Place The company has several controls in place to protect its assets from both physical threats, as well as information threat. As for the physical protection, the company has an outside guard force under the directions of an internal staff member. These security forces comprise of a contract guard force that does not last for long at the company. However, these security guards do not provide adequate security as there exists a number of loopholes in their security protocols, such as the lack of physical security procedures and standard. Furthermore, the guards only concentrate on the perimeter security. The guards have a high turnover rate, which makes the security situation even the more vulnerable. Line managers are in charge of physical requirements within their own areas of administration, which brings about confusion within the entire organization. The budget provisions for physical security at the company are also minimal, thereby denying line managers the opportunity to reinforce their security personnel. The company also has a number of security measures placed to facilitate information security and protection. However, just as the physical security, this information security is also vulnerable from both internal, as well as external threats of the company. For instance, the company uses UNIX machines to connect to the server. As such, it needs a security system that bars unauthorised persons from accessing the server. However, the company only has a minimal notice that warns unauthorised personnel from accessing the server on the login screen. It also uses the ordinary remote logins for one to proceed as plain text transactions that contain a user ID and password. The company access the internet through UNIX based computer systems. The systems allow for bi-directional computer mails, File transfer protocol, and telnet terminal access to other internet sites. However, the company does not provide any additional security to protect its PCs operating on Novell Netware networks. It uses a number of anti-viruses to protect its systems from virus attacks. These include Norton anti-virus, Norton Encryption, as well as McAfee anti-virus, most of which do not have uniform updates thereby putting the systems at risk of a virus threat. Therefore, this slows down the systems owing to possible virus infections and attacks. Another information security measure in place at the company is the monthly reboot of the servers that forces its users to re-authenticate their authority to access the information. On the other hand, the company uses a commercial database product to protect the computer server data. However, this too fails in providing adequate security and protection as required by the system thereby not very dependable by the staff members of the company. In addition, the company uses a special language to write applications whereby the IT staff responsible for developing these applications performs several ad hoc tests for program alterations. Part Three: Suitable Countermeasures for Protection of the Assets The company has security measures in place. However, these security measures are quite vulnerable and put the company at risk from both physical threats, as well as information threats. As such, the company might easily lose its assets to thieves who break into the company facilities to make away with the computers, servers, as well as other paraphernalia. On the other hand, company stands a grave risk of losing its confidential information to unauthorised personnel. This is majorly due to the number of loopholes that exist in the information security setting of the company. As such, the following analysis provides some of the suitable countermeasures for protecting the assets of the company, physically. The first step to maximise physical security of the company assets is to centralize the security system at the organization. As such, this requires the immediate abolishment of assigning security duties to the line managers, and setting up an independent department that specializes in the provision of adequate security for the company. This will also reduce the high rate of security staff turnover since their needs and satisfaction will be well attended to. Part of the possible strategies that the company can implement in motivating its guards force to eliminate high workers turnover is to employ them on permanent basis rather than on contract basis as it is currently the case. In addition, the company needs to increase the budget it assigns to the security of the company assets to facilitate appropriate management of the security docket at the organization. The next step to beef up physical security is to define and write down the physical security procedures and standards for the organization. This provides a guideline against which the security officials will undertake their duties and responsibilities at the company. These may include emphasizing the value of information to the guard force, so that they be concerned with both physical and information security. In addition, this will enable them boost their security at the company and stop concentrating on the perimeter of the company but also consider checking the interior for any physical and information threats. The company also has to set up measures to restrict entrance of unauthorised personnel from accessing the company’s assets. This can be through enhancing coded entry pad access and keep the entry codes strictly within the security docket. The security personnel should scrutinize every visitor to the company, as well as restrict these visitors from accessing both physical assets as well as information assets for the company, and keep guard of the company on a 24/7 basis to facilitate maximum security at the organization. Finally, the personnel department needs to liaise with the security department and communicate effectively over the termination of employees at the organization. This in turn will ensure that ex-employees do not have any more privileges and authority to freely access the organization’s assets as soon as they quit the company. On the other hand, the company also needs to beef up its information security to ensure that no unauthorised personnel access it easily. This starts from developing a comprehensive and well-defined corporate information policy. This policy will ensure that the employees undertake a high level of integrity and honesty, and as such, eliminate any internal threats on information security from the employees of the company. In addition, the company needs to undertake appropriate training and awareness programmes for information protection to all employees of the company. This in turn will ensure that the employees of the company also know what to do in order to protect information at the company, as well as ensuring that the physical security guards carryout their duties proficiently. The company also needs to undertake periodic internal audits for all members of the organization, and not simply limit it to the top-level managers of the IT department. This audit should extent to the entire organization in order to enable the company discover much earlier of any loopholes within the organization. The company needs to stop using external consultants to manage its information technology work as this leads to breach of information to the outsiders, as these consultants do not have any allegiance to the company, especially on secrecy provisions. On the contrary, it should set up its own internal team that would specialise with dealing strictly on its information technology works. The company has poor password protection that authenticates people before they can access the server and other information within the company’s systems. As such, the company needs to set a strict and secure password protection protocol that ensures only the right persons get access to the information of the company. The company’s systems and servers are obviously prone to internet and malware attacks considering the fact that it uses the internet to undertake some of its activities, such as sending emails and sharing documents. As such, the company needs strong anti-virus software to protect its systems from virus infection from the internet, as well as ensure that the anti-virus programmes are always up-to-date. This will reduce the current rate of virus infection at the organization which is very high, and as such, quite risky for the company’s information. These viruses infect the LAN (Local Area Networks) once in every week. This may lead to the company losing very sensitive information from its systems due to a virus attack. Part Four: Develop a Security Policy The company needs to develop a strict security policy that ensures adequate protection of both physical assets, as well as information of the company. This security policy will ensure the company has adequate physical security, as well as information security. The first step is to define an internal security policy of the organization is coming up with a policy on integrity and accountability of all employees and visitors of the company. This will lay the foundation for establishing an effective security policy for the company. As for the physical security, the company should set a policy that bars all persons from accessing the company’s premises without due clearance and permission from the security team. As such, all workers will need to identify themselves at the entrance of the company whenever they leave or enter the company premises before getting clearance to enter or leave the organization. Visitors too will need express clearance from the security officials before entering the company. These check-ups ensure that no unauthorised personnel gets near the company’s assets and information. On the other hand, the information security requires that the company staff to have valid personal login passwords and user ID before they can access the company’s systems. Those who do not have valid authentication codes will not access any part of company information. This policy of restricting unwanted or unauthorised people from accessing the sensitive assets and information of the company will be instrumental in maintaining the security of the company. The company can also set up surveillance systems operated by the security teams in order to observe the activities that take place within the company, and as such, discover a security threat earlier. Part Five: Legal Issues to Consider The processes of setting up security policies for the company must be in line with the legal provisions, as well as uphold the rights, freedom, and privileges of the staff at the company. A policy that contravenes the legal provisions on other aspects may lead to negative results as opposed to the help that they are to bring to the company. For instance, the surveillance, both physically and online through system administrators should not poke into the privacy of the employees. The company should undertake appropriate surveillance measures but still maintain the integrity and freedom of its workers. This is because prying into the privacy of each worker is contrary to the bill of rights, and as such, the organization may end up facing serious lawsuits from its workers, as well as visitors to the organization. Another key legal issue to consider in setting up these policies is the welfare of the workers and visitors to the organization during working hours, as well as during off peak hours. Sometimes the company may get too cautious over the state of the security at the company, especially in the wake of the recent theft of laptops and other assets at its premises, that it may decide to beef up security to an extent that it suffocates the workers. In this regard, the level of security of the organization is too high that the workers rarely get some breathing space from security cameras, security guards, internet security, as well as other checks and balances placed strategically to ensure appropriate security within the organization. As such, the productivity of the workers ends up diminishing rather than improving as the security system tampers with their welfare and freedom at the organization. Therefore, the company needs to set up a security policy that operates efficiently with the workers. The workers need to see and feel the security, but this should not block or deter them from exercising their duties and responsibilities at the organization. Part Six: Justifications for the Recommendations The setting up of tight security measures, both internal and external, ensures adequate security measures for both physical threats, as well as information threats for the company. People are the ones who steal, change, or manipulate information for their own selfish needs. As such, ensuring that only the right persons get access to either the assets or the information of the company is the best way to ensure maximum security for the company. Therefore, it would be appropriate for the security team to have the access codes to the entry points at the company, whereby the security manager in charge has to change them on a daily basis and give them to only the guards on duty at each station. This will also hamper any possible leakages of such sensitive information to unwanted persons, thereby enhancing security at the organization. As mentioned above, security is just an aspect to ensure that the assets and sensitive information of the company is safe and does not fall into the wrong hands. As such, the security provisions at the organization should not be in any way affecting the productivity of the organization, especially through compromising the privacy of the workers. Furthermore, these security installations should not suffocate the workers in such a way that they feel the organization has no trust and confidence in them. This makes the workers lose their morale, and as such, increases the company’s rate of workers turnover considering the soaring levels of workers dissatisfaction at the organization. This in turn hampers the productivity and output of the company, which was the main target when setting up such security installations. In addition, the system security protecting the sensitive information of the organization should not be too tight as to slow down the processing of such information. Part Seven: How to Conduct Security Awareness, Training and Education Conducting security awareness, training and education is instrumental in developing security conscious personnel that will easily identify security breaches and report to the relevant authority before the company starts counting losses. This training should be a continuous process from the day a new employee joins the company, starting from the basic security provisions, to the more complex ones depending on the levels and position that they end up holding within the organization. This will also help in categorizing those who have the authority to access certain parts of the company physically, such as the server room, as well as those who are to have access codes to certain files and information in the company servers, such as access to financial information of the company. The company should set up procedures of undertaking both group, as well as individual training of the workers at the organization to enable them be at par with the security measures at the institution. Furthermore, the company needs to stick visible signs, warnings, and directions, especially for visitors to the organization, or those trying to access its servers unlawfully. These signs and warning will detract them from proceeding, especially in the event they do this unknowingly. For instance, putting an entrance at the door to the IT Department stating “No entrance for Unauthorised Personnel” would deter other workers, as well as visitors to the organization from meandering into such sensitive areas. Setting similar warnings and bar codes within the system security also ensures adequate protection of information. Reference List Christopher King. “Extranet Access Control Issues,” in Harold F. Tipton and Micki Krause, ed., Information Security Management Handbook. Vol. 2, 4th ed., New York: Auerbach, 2000, pp. 99-114. Defense Authorization Act (Fiscal Year 2001). Public Law 106-398, Title X, Subtitle G. Government Information Security Reform. October 30, 2000. Department of Health and Human Services. Automated Information Systems Security Program Handbook. Http://irm.cit.nih.gov/policy/aissp.html “Federal Reserve: Sound Practices Guidance on Information Security.” Computer Security Journal, Vol. XIV, No.1, 1998, pp. 45-68. Herold, Rebecca and Slemo Warigon. “Extranet Audit and Security.” Computer Security Journal, Vol. XIV, No. 1, 1998, pp. 35-44. Gartnergroup. “Extranet Security: Five Ways to Manage High-Stakes Risk.” Research Note, July 21, 1997. National Institute of Standards and Technology. Federal Information Processing Standards (FIPS) 186-2, Digital Signature Standard (DSS). January 2000. Norman E. Smith. “The Next Great Networking Frontier.” September 27, 1999. Http://webdeveloper.earthweb.com/webecom/article/0,,11985_616141,00.html Office of Management and Budget (OMB). Circular A-130, Management of Federal Information Resources, Security of Federal Automated Information Resources, Appendix III. November 2000. Solutionary. “How to Protect Information: A Comprehensive Guide to Securing Networks and Systems.” 2001. Www.solutionary.com U.S. Customs Service. “Interconnection Security Agreements.” August 25, 2000. Www.bsp.gsa.gov/list.cfm Read More