
Activities of System Security - Example

Summary
The paper "Activities of System Security" is a perfect example of a report on information technology. Nowadays technology is the key facilitator in achieving organizational success. Most organizations use the computer-based system instead of the manual ones since they are more efficient and effective…

Extract of sample "Activities of System Security"

Name: Institution: Course: Tutor: Date:

Activities of system security

Activity 1a
Nowadays technology is the key facilitator in achieving organizational success. Most organizations use computer-based systems instead of manual ones since they are more efficient and effective. Though considered effective and efficient, a computer-based system cannot run alone; it has to be integrated with the information systems (IT). New technology poses problems from time to time, making the existing technology completely obsolete. Therefore, the need to upgrade the networks, security systems, hardware and software has to be met. However, the key issue here is the security of the system, which integrates the communication networks, software and hardware. Network security calls for attention in most organizations because it is lacking or poorly managed. This jeopardizes the performance of an organization; therefore it is vital to make network security management one of the key strategic issues to be met.

Activity 1b Target organization
The Transcorp Company recently received many complaints from the full-time postgraduate students (FTPS) of the school of computer science regarding the quality of the current systems and other problems they are encountering. The complaints include the speed of the current systems, the susceptibility of the systems to viruses and the systems' irregularity. The FTPS also complain about resource wastage such as misuse of finances and inefficient utilization of equipment. To achieve the objective, the school has appointed a company called solutions systems to carry out the plan.

Activity 1c
Solutions system is going to analyze the existing system before coming up with options or alternatives. Solutions systems has a number of solutions to each problem, and during the analysis it will help minimize the cost and even dispose of some of the current equipment.
The company is confident that the investigation will provide alternatives that meet the needs of the FTPS. In carrying out the step-by-step process, solutions security will encounter some threats or risks.

What needs to be protected?
  • Students' personal information
  • Access identities
  • Students' passwords
  • Network access points
  • Corruption of files by viruses

Activity 2a Basic Attack Tools
In upgrading the LAN network and establishing the remote access facility for the Transcorp, a lot of dangers and security considerations will be considered. Attackers may enter the systems either for personal benefit or for revenge. For instance, one may illegally access information from somebody else's database to win a competition. In this scenario the main and fundamental security breaches and attacks from online adversaries are listed below:
  • Spamming
  • Phishing
  • Identity Theft
  • Flooding

Activity 2b Difference between vulnerability and threat, and identify

Vulnerability
Vulnerability refers to the degree of susceptibility of software or the operating systems to faults, threats or attacks. If the degree to which a system can get flaws is high, then it is said to be very vulnerable (Chris Loza, 2010). In most systems, software is installed to reduce the degree of flaws in the operating systems.

Threat
A threat is an external activity or program that poses danger to the operating system. If the computer system is highly vulnerable then the chances of getting a threat are high. An example of a threat is the computer virus, which may display itself in different forms (Chris Loza, 2010).

Identify
Identify refers to the individuality of a person. It helps in accessing the personal information of an individual on the internet with a lot of ease (Turban, Leidner, McLean, & Wetherbe, 2005).

Activity 2c Terms of Contemporary Security Environment: Protect, Detect and React
Protect, detect and react are the three major aspects that are used in the contemporary security environment. They are used especially in network security management. The level to which these three aspects are used varies from one organization to another. In addition, a lot of resources have to be injected in order to protect against, detect and react to any danger posed by a threat (Tpub, 2010). Protect means to take measures so as to prevent a threat. Detect means determining whether there are any dangers in case a system is not working efficiently. Finally, react means taking possible action in case a threat is detected.

Activity 2d Legislation for IT security environment
The IT security environment is covered by several pieces of legislation established through acts of parliament. It is in the interest of the government to protect the information systems environment in the best interest of all individuals.

  • Communications Act of 1934, updated 1996
    Field: Telecommunications
    Online information source: www.fcc.gov/Reports/1934new.pd
  • Computer Fraud & Abuse Act (18 U.S.C. 1030)
    Field: Threats to Computers
    Online information source: www.usdoj.gov/criminal/cybercrime/1020_new.html
  • Computer Security Act of 1987
    Field: Federal Agency Information Security
    Online information source: www.cio.gov/documents/computer_security_act_Jan_1998.html
  • Economic Espionage Act
    Field: Trade Secrets
    Online information source: www.ncix.gov/pubs/online/eea_96.htm
  • Electronic Communications Privacy Act of 1986
    Field: Cryptography
    Online information source: www.itpolicy.gsa.gov/itpolicy/5.pdf
  • Federal Privacy Act of 1974
    Field: Privacy
    Online information source: www.usdoj.gov/foia/privstat.htm
  • Gramm-Leach-Bliley Act of 1999 or Federal Services Modernization Act
    Field: Banking
    Online information source: www.senate.gov/~banking/conf/
  • Health Insurance Portability & Accountability Act (HIPAA)
    Field: Health Care privacy
    Online information source: www.hhs.gov/ocr/hipaa
  • National Information Infrastructure Protection Act of 1996
    Field: Criminal Intent
    Online information source: http://policyworks.gov/policydocs/14.pdf
  • U.S.A. Patriot Act of 2001 – H.R. 3162
    Field: Terrorism
    Online information source: http://thomas.loc.gov/cgi-bin/bdquery/z?d107

Activity 2e Standards for IT security environment
ISO 17799 and ISO/IEC 27001:2005 (ISO27001) are the most commonly recognized standards in the IT environment. Both standards enhance the safety of systems information for all organizations. ISO 17799:2005 provides the guidelines and principles for implementation, maintenance and improvement of information security management in organizations.
It covers areas such as security policies, asset management, human resource and environmental security. Apart from protecting the information systems, ISO/IEC 27001:2005 (ISO27001) helps enhance compliance with the relevant IT legislation. The standard also helps organizations reduce the costs of IT security management while increasing their returns effectively.

Activity 3a Internal threat Damage
The list below shows the aspects that may cause internal threat damage in an organization:
  • Theft of personal information
  • Theft of identity
  • Leakage of information
  • Hacking of data
  • Privacy and accessibility problems
  • Theft of passwords

Activity 3b Essential aspects of organization Need Protecting
The following are the organizational aspects that need protection in the IT environment:
  • Organizational Data
  • Customer information
  • Security Files
  • Business transactions
  • Passwords
  • Network Access Points
  • Employee's information
  • Access Identities

Activity 3c Current security environment within your organization
The current security environment in the Transcorp is at risk. This is evident in that many complaints are being received from the FTPS who use the computer lab. The computers are infested with viruses and the network terminals are exposed to security risks. The speed of the system is another issue. All these problems call for a solution, and that is the reason why a deep analysis of the current system should be done.

Activity 3d Barriers to security in the majority of modern organizations
The following are the barriers to attainment of security systems by most organizations:
  • Heavy costs which are unbearable
  • Time limitations
  • Lack of interest and awareness
  • Lack of qualified staff to manage the systems

Combating security in the majority of modern organizations
  • Developing interest in systems security management
  • Including security management in the organizational goals
  • Implementing educational and training programs
  • Laying down policies and procedures relating to systems security management
  • Setting up an IT department to manage the security systems

Activity 4a
  • Attack Tree 1: Network Access
  • Attack Tree 2: Client Access
  • Attack Tree 3: Virus Attack
  • Attack Tree 4: Illegal Access to Business Database

Activity 4b Existing vulnerabilities
The main existing vulnerabilities in the Transcorp are listed below:
  • Students' information is less protected
  • Existing passwords are prone to access by strangers
  • Viruses have corrupted the email servers

Activity 4c Existing threats to the project organization
  • Leakage of students' information
  • Data hacking
  • Illegal network breaches
  • Virus attacks

Activity 4d Current risk analysis strategies
In carrying out any analysis in every organization, it is always vital to carry out risk analysis. The analysis aids in detection, prevention, recovery and mitigation of risks.

Activity 4e Cost of loss versus the Cost of prevention and recovery
The company believes that failure to look for solutions will lead to under-utilization of facilities and affect the manner in which they are maintained. The organization believes creation of new alternatives will increase the number of students in the FTP program as a result of quality services. Therefore, it is better to incur the prevention and recovery costs. This is because these costs will only be incurred once but the benefits will be realized in the long run.

Activity 6a Advantages and disadvantages of threat prevention strategies
They are as follows:

Advantages of threat prevention strategies
  • Increased data protection
  • Increased user satisfaction as their needs are efficiently met
  • Data transfer security
  • Costs are minimized especially during data prevention
  • Enhances achievement of organizational goals
  • Increases the confidence of stakeholders

Disadvantages of threat prevention strategies
  • High costs are likely to be incurred
  • More time required
  • Injection of extra resources
  • Complex procedures involved

Activity 6b Advantages and disadvantages of disaster prevention strategies

Advantages of disaster prevention strategies
  • Operational safety is enhanced
  • Increased user satisfaction
  • Data backup plans are implemented
  • Data loss is minimized
  • Information safety is enhanced

Disadvantages of disaster prevention strategies
  • High costs are incurred
  • Complex procedures
  • Time limitations

Activity 6c Disaster Recovery Plan for your organization
The following are examples of Disaster Recovery plans that the Transcorp can use:
  • Safety and security software installations
  • Implementing backup plans
  • Regular password updates
  • Installing antivirus software

Activity 7a Relevance of the Management Continuum to security
Something is relevant if it enhances decision making in an organization. Therefore, the continuum to security management helps the management of the school in making decisions relating to how best it can better its systems in the organization.

Activity 7b What is a security resource?
The following are the security resources that can be used by the school in its computer labs:
  • Data backup recovery systems
  • Data safety systems
  • Antivirus systems
  • Upgraded operating systems

Activity 7c Security Education and Training Requirements
The company should create awareness among the staff and students on how well to manage systems security.
This can only be made possible by educating and training them on a regular basis to inform them of any changes that may occur from time to time.

Activity 8a Relevance of planning theory to security planning
Planning theory is relevant to the university as they will be able to know in advance how well they will allocate the resources. Apart from the security management, finances are important resources that should be well managed.

Activity 8c Relevant principles for technical security planning
For the company we will establish firm technical security planning. In this scenario the principle checklist to be used for your project's organization is listed below:
  • Establishing effective management for password protection
  • Enabling better Access Control Management for network access
  • Implementing a new, more effective Network Access Management
  • Deploying a better Physical Access Management arrangement
  • Implementing a more enhanced Acceptable Use of business resources and areas
  • Managing a better Wireless Networking Security Administration
  • Deploying and installing security software (antivirus and firewall)

Activity 9a Needs analysis for a new security regime
The following new security regimes should be used by the company in upgrading its systems:
  • Enhanced protection of the business network
  • Management of security accounts
  • Transaction protection
  • Online data management
  • Operational support system
  • Safe communication
  • Proper backup mechanism
  • International security standards management and fulfillment

Activity 9b Relevant Statutory Requirements
Statutory requirements for the university are about better information management, handled and managed in a much better way to ensure quality services to the computer science students. Information management also requires meeting the suitable organizational security standards. All the users have the right to be protected according to the statutory requirement.

Activity 9c Baseline Project Plan
The baseline plan for the company is given below:
  • Requirements Analysis
  • Soft design
  • Hard system design
  • New system specification placement
  • New system development approval
  • New system development initiation
  • Error control and standards management
  • Quality assurance for new system
  • User and Staff training
  • Market support
  • Going Live
  • Performance analysis

Activity 9d Internal Stakeholders requirements for the security regime
  • Business data communication
  • Safety of data transfer
  • Proper database
  • Less complex business handling
  • Network support
  • Error handling
  • Resource management

Activity 9e External Stakeholders requirements for security regime
  • Better security support
  • Privacy of information
  • Help and remote access

Activity 11a Industry standards
IEEE 802 standards 1

Activity 11b Security Products and Vendors
Norton 360 Version 4.0 2

Activity 12a Operational security requirements
An operational security requirement touches on the daily requirements of systems users. They include: protection of user accounts, safety of business data, user protection of accounts, smooth working, fewer data hacking breaches and no virus and data corruption.

Activity 12b Acceptance criteria
For the university the acceptance criterion highly depends on the students who use the lab. For instance, after the new system is analyzed and evaluated, testing can be done on a number of staff, and if they accept the new system, then it is assumed that all the staff are comfortable.

Activity 13a Inputs into the security strategy
  • Business review
  • Security analysis reports
  • Business system specification
  • Data samples
  • Improvement specification reports

Activity 13b Broad objectives and guidelines for the security strategy
  • Business data protection
  • User Security Management
  • Staff Security Management
  • Implementing Physical Security
  • Enhancing business working standards
  • Legal tasks management
  • Data protection

Activity 14d User and Data Security Hierarchies
  • Students' data
  • Staff data
  • Organizational management data
  • Operational data
  • Business transactions

Activity 16b Control mechanisms
Control is part of security systems management, and it entails monitoring how well projects and operations within the organization are being handled from the planning stage till completion.

Activity 17b New Procedures for Controlling Security Provisions
  • Implementing network firewall
  • Installing new security updates
  • Password upgrades
  • Secure access control
  • Network data servers for backups

Activity 18b Implementation options for implementation strategy
There are several strategies that can be used for implementation of the new system. The change can either be done in phases or by running the two systems simultaneously. For the school, it would be better to run the two systems together, and if the new system is approved by a large population, full implementation is done.

Activity 19a Relevance of Control Principles relevant to security planning
Control is monitoring, while planning entails knowing in advance the systems security management requirements. Security policy management and implementation involve the control principle and security planning. Both are relevant to the fulfillment of all security standards and the completion of the project within the limits of time and cost.

Activity 21b Constraints in implementing technology solutions
The constraints that face implementation of new technology are time and cost constraints.
The implementation process is a bit complex, so it involves a lot of time. As for the cost, qualified people have to be outsourced to carry out the process successfully.

Activity 22a Existing requirements for new Protection Technologies
  • User data scanning
  • User transaction protection
  • User account protection
  • Data preservation
  • Data protection
  • Routine scan
  • Data backups
  • Firewall protection
  • Antivirus upgrades

Activity 23a Existing requirements for new Detection Technologies
  • Scanning all incoming traffic
  • Identifying any suspicious entry
  • Nominating suspicious entry
  • Inquiring suspicious entry
  • Declaring threat
  • Reporting system administrator
  • Requesting for response and action

Activity 24a New Response Mechanisms for project organization
We can have the following ways and means for the project organization response:
  • Through email
  • Through online notification
  • Through message
  • Through fax
  • Through analysis report
  • Through periodic meeting

Activity 29c Comment on the Learning Unit
The report covered the analysis of an existing system to find out what needs to be changed and what needs to remain. It also touches deeply on systems security concerns such as data protection, security threats, vulnerability and relevant legislation concerning systems security management. The topic has offered an opportunity to the university to know the importance of regular analysis and evaluation of the existing systems from time to time as new technology comes in. I believe that the new system meets the requirements of the school, especially the computer science FTPS. It is recommendable for the school dean to ensure that control processes continue even after the new system is implemented.

Bibliography
Chris Loza. (2010). Difference Between Threat & Vulnerability. Retrieved 11 28, 2010, from http://www.ehow.com/about_6662790_difference-between-threat-vulnerability.html
itgovernance. (2010). ISO27001 Information Security Standards. Retrieved 11 28, 2010, from http://www.itgovernance.co.uk/iso27001.aspx
macassistant. (2010). ISO17799 Made Easy. Retrieved 11 24, 2010, from http://17799.macassistant.com/
Ray, R. (2004). Technology Solutions for Growing Businesses. New York: American Management Association (AMACOM).
Tpub. (2010). Implementing Computer Security: Protect, Detect, React. Retrieved 11 26, 2010, from http://www.tpub.com/content/cg1997/ai97123t/ai97123t0007.htm
Turban, E., Leidner, D., McLean, E., & Wetherbe, J. (2005). Information Technology for Management: Transforming Organizations in the Digital Economy. New York: Wiley.