The ISMS for Mr. Manos Llewellyn - Case Study Example

Contents Introduction 2 2 What is ISMS? 2 3 ISMS Scoping 4 4 Project Scope and Objectives 6 5 Mr. Manos Llewellyn Wired Network 7 6 Considerations and Recommendations for Mr. Manos Llewellyn Network 11 7 References 15 1 Introduction The computer network for Mr. Manos Llewellyn is not dispersed on a large scale, however the company wishes to provide web development and web services, enable and configure Secure Socket Layer, Domain hosting, Web Applications, develop E-Shops, develop Web Designs, incorporation of a software house, graphic designing, and digital viral marketing strategy. However, to support these services on the current network, several considerations are required in the following domains: Network Type i.e. client/server Network Technology i.e. size, speed, and scale requirements Network Cabling i.e. considering supported data rates and security Network Interfaces & Protocols Network Services Requirements Data and Network Security Requirements Network Performance Requirements Compatibility Requirements 2 What is ISMS? The ISMS for Mr. Manos Llewellyn should consist of Policies, Processes, Guidelines, Standards, and tools. Likewise, in order to make this system a successful for Mr. Manos Llewellyn, it contains five key elements. The first component is CONTROL. The control establishes a framework and distributes responsibilities in order to develop an environment for implementing the ISMS for Mr. Manos Llewellyn. The next key element is PLAN. The Plan defines the service level agreements as per business requirements, foundation of contracts, operational level agreements, and policy statements for Mr. Manos Llewellyn. All these components included in the planning are based on the requirements of the business. After the completion of control and plan, the next key element is to IMPLEMENT all these components. Implementation involves creating knowledge and consciousness along with categorization and listing of assets. Moreover, personnel security and physical security related to theft is implemented. Likewise, implementation element also involves security related to network, applications and computing devices. In addition, configuration and management of access rights and contingency planning of security incident processes is also a part of this element. All of the three elements control, plan and implement lays a foundation of a structure for Mr. Manos Llewellyn. After the deployment of ISMS structure, the next key element is EVALUATE. The evaluation consists of internal and external auditing of the processes that are implemented in the previous three phases. Moreover, self-assessment is also conducted, along with security incident evaluation. For instance, if there is a breach in security, the security management processes ensure to deal with security incidents. The last key element is MAINTAIN. This phase frequently monitors processes including security management, new threats, vulnerabilities and risks. These elements, do not only monitors these processes, but also improve processes where required , and if there are certain processes that needs to be improved for Mr. Manos Llewellyn, the ISMS cycle start from the first key element i.e. CONTROL. 3 ISMS Scoping A good definition of ISMS is defined as (Humphreys 2007) “An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system”. The goal is to protect the information for Mr. Manos Llewellyn, as well as its customers. The ISO/IEC has established two standards that emphasize of ISMS. The ISO/IEC 17799 is a code for information security management. It is the framework or a system that is based on certain processes, to ensure that organizations achieve their information security management objectives i.e. ISMS. The second standard is ISO/IEC 27001 is associated with several different factors including (Calder 2009): Implemented in the organization to originate security requirements and goals Implemented within the organization in such a manner that security risk management bears less cost Implemented within the organization for guaranteed deployment of compliance with laws and regulations Implement a process framework within the organization for deployment and management of controls in order to meet particular security objectives Defining new processes for information security management The scope for ISMS can be implemented on one or more than one department. The issues are clearly identified as there are no security baselines or security controls available that may lead to mismanagement of network, vulnerable data and assets along with vulnerable database security. Sensitive data is located at the sensitive data room. As per current scenario, the most critical data is residing in the sensitive data room and the server some. Hubs are used instead of switches, as switches are installed on the backend of some hubs. Sensitive traffic is routed to all departments of Mr. Manos Llewellyn. There are two Apache Servers running on Linux, Windows 2003 Server with active directory configured, two file servers, and one shared network printer, 1 backup server for backing up data on servers, one SAMBA server for making Windows and Linux environment understandable and one remote server. Figure A and B shows bad and a good scope for the given network. Figure A (ISMS Bad Scope) Figure B (Practical Scope) 4 Project Scope and Objectives Mr. Manos Llewellyn has decided to implement a new network. The network will use the latest technology in terms of both hardware and software. The implementation of software technology includes the 27001 ISMS consideration. The hardware and security technology implementation includes Cisco routers, firewalls, switches and ‘access points’. Mr. Manos Llewellyn has currently one branch and the long term future plan of the company is to provide services that are named as: 4.1 Web Services Web development SSL certificates Domain Hosting Web Applications E-Shops Web Design 4.2 Software House Software development Software testing Graphics Design Digital Viral Marketing Strategy 5 Mr. Manos Llewellyn Wired Network Before implementing the local area network for Mr. Manos Llewellyn, selection of appropriate computing and network devices is essential. The implementation review begins from the initial stage as there are not legacy networks available. 5.1 Network Topology Star topology is recommended for Mr. Manos Llewellyn computer network. It is the most widely adopted topology. The star topology supports the centralized provision of network resources and services. The support staff can manage the network administrative and troubleshooting tasks centrally. Star topology helps to implement centralized security architecture for improved and enhanced security of the network along with efficient utilization of network protocols, services and directory services. The network implementation cost can be saved by provisioning the core systems located centrally. The security controls and backup systems are also located centrally for better troubleshooting and management. Example of the star topology is available in Fig 1.1. 5.2 Network Cables For deploying the local network, CAT 5 cable is the best option. It supports both voice and data transmission. CAT-5 is in the form of twisted pairs. This cable consists of 4 copper wire pairs, connecting the network node with RJ 45 connectors.CAT-5 supports up to 100 to 1000 MHz speeds in a ‘full duplex’ mode (Category 5 Cable. 2007). The Mr. Manos Llewellyn network will corresponds to request related to internet applications, voice and video transmission, file transfer protocol and Emails. CAT 5 can support these features with ease. However, CAT 5 cable can support up to 300 feet equal to 100 meters in distance. A requirement of the switch is mandatory for every 300 feet. 5.3 Network Devices A router is a core computing and packet processing devices in the computer network. Router connects two or more networks with different subnets, enabling the networks to expand on an enterprise level. Logically the router builds a routing table, where it stores all the route addresses. For example, the data packet source and destination is stored in the routing table. The network administrator can statically define the network addresses which are called as ‘static routes’. The dynamic routing protocol is used for the automation of exchanging data packets with other routers in a network. The selection criterion of the router depends on the network requirements. The data transmission gauge, which is also called as the maximum transmission unit (MTU) is also considered for optimal network efficiency. Mr. Manos Llewellyn network is the main site to connect the remote sites. To support the current scenario, the router must support data and voice transmission, redundancy and security features for the Mr. Manos Llewellyn network. As the Primary site includes the core devices for the network to be operational and efficient, Cisco 3845 integrated service router will fulfill all the network requirements. 5.4 Considering Cloud Computing for Mr. Manos Llewellyn Public computing is a traditional approach where the resources are accessible on the Internet. Third party providers, known as the cloud vendors, organize the hosting for these resources on the Internet. The services and resources on this cloud are accessible to the public and groups of various industries (Bento, Aggarwal 2012). On the other hand, hybrid cloud comprises of a mixture of all types of clouds i.e. public, private and community. Most organizations deploy this type of cloud as it provides a range of options in the context of accessibility. By incorporating hybrid clouds, issues such as PCI compliance can be eliminated (Bento, Aggarwal 2012). 5.5 Cloud Computing Service Models Cloud computing consists of applications that are represented as a service on the web and the provision of hardware / software services provided by companies operating data centers. Likewise, the services provided over the Internet are referred as (Software as a Service) ‘SaaS’. There are few sellers who use the term (Infrastructure as a service) ‘IaaS’ and (Platform as a service) ‘PaaS’ in order to demonstrate their products and services. However, these terms are avoided and not accepted globally, due to variation (ARMBRUST, FOX et al. 2010). The Commerce Department’s National Institute of Standards and Technology (NIST) have illustrated some helpful definitions that focus on three concepts (Ryan 2010): Cloud infrastructure as a service ‘IaaS’ consists of provisioning elementary computing resources. Cloud software as a service ‘SaaS’ access software application that operates on a cloud infrastructure. Cloud platform as a service (PaaS) provides the accessibility to users for implementing and developing applications with programming language and tools supported by the providers. The core components of a cloud are consists of the data center hardware and software. When these resources are made available to the public, they are referred as public clouds and the service provided by the cloud is called as utility computing. Moreover, private clouds are only available to private organizations and are not accessible by public. Accordingly, cloud computing is the combination of ‘SaaS’ and utility computing (ARMBRUST, FOX et al. 2010). 6 Considerations and Recommendations for Mr. Manos Llewellyn Network As cloud-computing usage is increasing with its connectivity to the public through an Internet, new opportunities are also originating for hackers, cyber terrorists, viruses and worms. These threats will increase and focus on cloud computing enabled services and applications for stealing classified data, denial of service attacks on data centers etc. ‘Google apps’ is the major player in the market for providing ‘SaaS’, it was attacked and hacked. The report from cyber forensics indicated that the attacks were originated from China (Bisong, Rahman 2011). The security and privacy in cloud computing is associated with data storage and data protection. Moreover, monitoring the utilization of resources available on the cloud by the service providers is also included. In order to secure the data on the cloud, it can be stored internally in the organization’s premises. Moreover, the Sarbanes-Oxley Act (SOX) in the US and Data Protection directives along with the EU are only two compliances from many other compliance concerns related to data and application of cloud computing. Moreover, EU has backed up with a legislative data protection for the entire member across the globe. However, the US data protection differs from EU, as it varies in each state (PLI search results). Moreover, the service provides incorporates the highest level of security in the clouds by their inbound technical intelligence, but these measures are affected due to government regulations country by country. For instance, if a cloud computing service provides is located within a country, the service provider is bound to slipshod provisions on privacy that may lead the involvement of the government enforcement agencies to peek in the hosted data of a particular organization. The top rated issues are: {Security Issue No 1}: No data backup policy defined {Security Issue No 2}: No Disaster recovery plan defined {Security Issue No 3}: No Support for Server requiring 100% uptime {Security Issue No 4}: No IP surveillance for critical server {Security Issue No 5}: In sufficient security for LAN It is vital for Adventure Works to overcome these issues as soon as possible, as these vulnerabilities will directly affect the business operations of the organization. As there is no security policy defined currently for Mr. Manos Llewellyn, the new security policy will illustrate the implementation procedures of security controls that are identified by analyzing the current network and business practices. { Issue No 1}: As the organization is maintaining two file servers with a lot of backup storage are classified as critical and the organization may face loss of data or server crash that may result in halting the services. Mr. Manos Llewellyn is dependent on these servers, as these servers process most of the paperless work, creating a backup on a regular basis. Recommendation: In order to incorporate a mirror of these servers, disk-mirroring techniques using RAID is recommended. As RAID will synchronize the data on two servers simultaneously, if any one of the server stops responding, the other service will be triggered to ‘primary operation’ mode. {Issue No 2}: There is a possibility of an earthquake. The impact of earthquake may create disrupt the overall operation of an organization’s network, as well as loss of data. Recommendation: Relocating the instance of critical server data on a different location may be a better choice. In that case, if an earthquake affects Mr. Manos Llewellyn network seriously, the data can be extracted from the second location. {Issue No 3}: As the core servers of Mr. Manos Llewellyn are file server, backup server and SSH server, there is a requirement of making their availability 24/7. Moreover, an alternate connectivity is also required that may make them operational if the primary network access is not available due to some issues in a switch. Recommendation: In order to ensure stable power supply, a Power over Ethernet technology is recommended. A comprehensive definition is available in network dictionary, which states as “Power over Ethernet (PoE) technology describes any system to transmit electrical power, along with data, to remote devices over standard twisted-pair cables in an Ethernet network. This technology is useful for powering IP telephones, wireless LAN access points, webcams, Ethernet hubs, computers, and other appliances where it would be inconvenient or infeasible to supply power separately.” Moreover, the network engineer can rout a dedicated alternate network connection for making the server operational. {Issue No 4}: As the servers process most of the organization’s critical data, there is a requirement for protecting them from vulnerabilities and threats. One of the threats will be an unauthorized access to steal or delete critical data that reside on them. Recommendation: In order to prevent unauthorized access, Installation of IP surveillance cameras in the server room and critical data room are recommended. The surveillance system will monitor the presence of organization’s employees on these servers, as only authorized personnel will be allowed to access the system. {Issue No 5}: The current network scenario of Mr. Manos Llewellyn is lacking adequate security measures. Currently, there is no firewall for handling internal as well as external threats of the network. In order to handle threats and vulnerabilities, there is a requirement of a security appliance, which may monitor internal network for possible threats. Recommendation: Incorporating an Intrusion detection based system is recommended, as it will provide adequate security internally as well as from threats that may bypass firewall. Configuring VLAN may also be beneficial, as the network contains financial data from the critical department. VLAN will create dedicated channels of data transmission within each department and ensures security with encryption techniques. 7 References ARMBRUST, M., FOX, A., GRIFFITH, R., JOSEPH, A.D., KATZ, R., KONWINSKI, A., LEE, BENTO, A. and AGGARWAL, A.K., 2012. Cloud Computing Service and Deployment Models: Layers and Management. IGI Global. BISONG, A. and RAHMAN, S.M., 2011. An Overview of the Security Concerns in Enterprise Cloud Computing. International Journal of Network Security & Its Applications, 3(1), pp. 30-45. G., PATTERSON, D., CALDER, A., 2009. Implementing Information Security Based on ISO 27001/ISO 27002: A Management Guide. Bernan Assoc. HUMPHREYS, E., 2007. Implementing the ISO/IEC 27001 information security management system standard. Artech House. Power over Ethernet. 2007. Network Dictionary, , pp. 382-382. RABKIN, A., STOICA, I. and ZAHARIA, M., 2010. A View of Cloud Computing. Communications of the ACM, 53(4), pp. 50-58. RYAN, W.M., 2010. Insights into Cloud Computing. Intellectual Property & Technology Law Journal, 22(11), pp. 22-28. Read More