Centralized Information System - Report Example

Table of Contents Introduction and Background 2 2 Analysis of Problems 2 3 Plan for Addressing Security Concerns 4 4 Conclusion 7 5 Work Cited 8 Name of the Author Name of the Professor Course 14 December 2013 1 Introduction and Background There is a hypothetical organization named as ABC Corporation that is maintaining a server which is not properly configured. The employees have access to all types of data and each one of them possesses a separate email account. Project Managers access data related to their importance. The organization requires a centralized well maintained information system, a firewall to automate their business processes and to store data in a secure way. To protect data, security policies are required to be defined. Contingency planning is also an essential aspect which cannot be disregarded. As per Ramesh, V.C., and Xuan Li there are three dimensions of contingency planning “The first issue concerns the handling of multiple objectives; we discuss the benefits of using fuzzy logic for handling this issue. The second issue is the consideration of the economic cost of post-contingency corrective actions as well as the utility of discrete control actions that complicate the modeling and solution of the contingency planning problem. The last issue is the need for of advanced parallel computing techniques for addressing the real-time aspects of many contingency planning problems;” 2 Analysis of Problems ABC Corporation has twenty seven desktop workstations either connected with each other via a hub or a switch. The workstations are only workgroups as there is no domain and security policies applied in the organization except some users have Internet access and only the manager has a separate email account. There is no email server available to provide separate email addresses to employees. The separate email addresses enables instant correspondence between the subordinates, hence making the communication better and cost effective. Currently the employees are using telephone for coordination which is not cost effective. Some workstations are used to store data. There is no access policy defined for the data stored in the workstations. The data is vulnerable as anyone can access it or delete it. The server is used only for providing internet access and data transfer within the network. There is no firewall installed in the network, either hardware or software which makes the data, hardware, software defenseless. There is no connectivity between the regional offices and head office. The manager access the financial information from the head office using the computer network. The 5 regional offices have five databases which they are maintaining individually. Immense amount of time is wasted when head office sends a CD named “House types data” to each regional office. The administrator copies the files available on the CD to the locally maintained database. The data is updated because the project managers have to access the plans and building specifications of the houses the company builds. The data contains all the detailed information of the house construction material which is required. There is no backup of devices, data, workstations and server. If any workstation containing database crashes, the data will be lost. 2.1 Security Vulnerabilities The impact of the security breach issues is unpredictable. It can be diverted and involves human suffering as well as revenue loss for the organizations. One of the security breach took place on 21 October 2010, as per “www.networksecurityedge.com” The Philadelphia Inquirer states “Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan have notified 280,000 Medicaid members that their information may be at risk after a portable computer drive containing the names, addresses, and health information was lost. The last four digits of 801 members Social Security numbers were also stored on the hard drive”. This incident is related to theft of the hardware devices risking 280,000 Medicaid members. 2.1.1 Physical Security The organization does not have a Physical security defined. It involves the hardware, software, and network devices protection. There are no punch cards to access the server room. The room may contain the network devices and hardware devices. 2.1.2 Network Security There is no firewall and protection for the internal network of the organization as Internet is also connected to the network for some users. The organization is providing gateway to the intruders for breaching within the network. 2.1.3 Data Protection There is no data access strategy defined. None of the users are restricted to access any data within the organization. Every user logs in the system with the same user name and password making the data vulnerable to everyone. There is no procedure defined regarding the CD which comes from the head office to the regional offices. Data on the CD can be distorted effortlessly. 3 Plan for Addressing Security Concerns 3.1 Security The security of the organization can be made possible by installing IP surveillance cameras to identify any possible theft of any kind. The security can be divided into 3 categories: 3.1.1 Hardware Security Hardware security involves the security of the hardware devices of the workstations and the server. The workstation casings should be properly locked so that no one can try to unpack any hardware equipment from the workstation. The server should be in a separate room where only authorized personnel are given permission to enter. 3.1.2 Software and Data Security The employees will have a separate login username and password. The data access policies can be applied to that specific user in order to access the data as per the requirement. After logging with the personal username and password, the access list for each employee will be configured to only use the appropriate application as per the requirements of the organization for example CAD. Access of USB flash drives will be prohibited for the employees due to data protection and security concerns. 3.1.3 Network Security The organization requires a firewall to be installed. The regular updates are also compulsory in order to equip the firewall with latest security updates. The network of the organization is prevented by installing a firewall. There are two types of firewalls. 3.1.3.1 Device based firewall It is a hardware module which is separated and interacts with the Wide Area Network (WAN) interface. It filters the information as per the policies defined by the administrator before entering it into the local network. 3.1.3.2 Application based firewall It is a software package installed on the server. This type of firewall possess some disadvantages as the network can be easily vulnerable if the antivirus becomes unstable, stops working, corrupted, or any hardware failure occurs in the system on which it is installed. 3.2 Email Server A separate Email server is required to provide individual email address to all the employees. This will reduce the cost of the correspondence which is currently conducted on the telephone. It will also minimize communication gaps between the sub ordinates and at the same time improving the communication skills. It will also improve the effectiveness and performance of the organization. 3.3 Data Access Policy The Managers and Regional managers needs to access specific data. The database will be centrally maintained in the head office. Internet connection will be installed in each regional office in order to synchronized data between the head office and the regional offices. Full access will be given to the managers ID in order to access all the data available in the database. Limited access will be given to the regional managers in order to access the data as per the business requirements. 3.4 Network Security Configuration In order to provide separate usernames and passwords for logging in the system, a domain will be created on the server in order to provide security and usage policies for the users. Five new servers with firewall (which will act as a domain) will be added to the regional offices. The employees will access the data files from the head office to the regional office via File transfer Protocol (FTP). WAN will connect the database from the regional office to the head office. DSL (Digital Subscriber Line) will be used for the Internet connection. DSL connection works with a modem for transmitting and receiving data from the Internet. The configuration for Port forwarding activates the external access of the data for the Manager while at home. The IP address of the manager’s home Internet connection will identify the identity for authentication and granting access. The port forwarding option also enables the regional offices to access data from the head office eliminating the manual procedures. DSL modem will grant access to the Internet of any employee of the organization by providing the IP address of the workstation. 4 Conclusion The introduction of this report highlights the importance of centralized Information systems security. After the implementation of the new centralized system security, we have: The system will be protected centrally from intruders due to the Firewall installation The employees can communicate via their personal email address Database will be centrally maintained with a backup Data access will also be centralized for remote offices. Users can use personal user id and passwords for logging in the system. Data specific permissions are granted as per the business requirements. Separate server room, granting physical access to only authorized personnel staff 5 Work Cited Chan, Ivy, and Chao Chee-Kwong. "KNOWLEDGE MANAGEMENT IN SMALL AND MEDIUM-SIZED ENTERPRISES." Communications of the ACM 51.4 (2008): 83-88. Computers & Applied Sciences Complete. EBSCO. Web. 27 Oct. 2010. "Information System -- Britannica Online Encyclopedia." Encyclopedia - Britannica Online Encyclopedia. Web. 27 Oct. 2010. "Missing Hard Drive Puts 280,000 Medicaid Members at Risk." Network Security Edge. 21 Oct. 2010. Web. 27 Oct. 2010. . Paul, Ray J. "What an Information System Is, and Why Is It Important to Know This." Journal of Computing & Information Technology 18.2 (2010): 95-99. Computers & Applied Sciences Complete. EBSCO. Web. 27 Oct. 2010. Ramesh, V.C., and Xuan Li. "Strategies for improved contingency planning." Information & Systems Engineering 2.3/4 (1996): 183. Computers & Applied Sciences Complete. EBSCO. Web. 27 Oct. 2010. Read More