Information Security

Information Security

This Key Assignment (KA) template will be the basis for a Security Management Document. Although an actual plan is not feasible, each week will constitute portions of an overall Security Management Document that could be implemented.

Throughout this course, you will be working with a scenario in which some basic background information is provided about a consulting firm. This scenario and information is typical in many companies today. You are tasked to select a company that you are familiar with that is facing a similar situation. Please use a company that is based in the United States. The company can be real or fictitious, but the framework and problems that it faces should be similar. The assignments that you complete each week are based on the problems and potential solutions that similar companies may face. The end goal for these assignments is to analyze the problems that the company faces with respect to the upcoming audit, and provide guidance on how it can provide security for its infrastructure.

The case study shows a company that is growing, and its security posture needs to be updated based on this growth. Based on the recent initial public offering (IPO), the company has new regulatory requirements that it must meet. To meet these requirements, a review of the current security must be conducted. This provides a chance to review the current security mechanisms and analyze the threats that the company could face. In addition, the company needs to expand its current network infrastructure to allow employees to work more efficiently, but in a secure environment. What problems does the company currently face, and how does the expansion pose new threats?

Choose and describe the company that you will use in the scenario. Describe the need for information security, what potential issues and issues risks exist, and what benefits the company can gain from the new project. Describe what new challenges exist with the new project to allow consultants to work on-site. What challenges now apply to the company with respect to the recent IPO?

Please use this template to complete week one assignment. The template document should follow this format:

Security Management Document shell
Use Word
Title page
Course number and name
Project name
Your name
Date
Table of Contents (TOC)
Use an autogenerated TOC.
This should be on a separate page.
This should be a maximum of 3 levels deep.
Be sure to update the fields of the TOC so that it is up-to-date before submitting your project.
Section Headings (create each heading on a new page with “TBD” as content, except for Week 1)
Week 1: Introduction to Information Security
This section will describe the organization and establish the security model that it will use.
Week 2: Security Assessment
This section will focus on risks that are faced by organizations and how to deal with or safeguard against them.
Week 3: Access Controls and Security Mechanisms
This section examines how to control access and implement sound security controls to ensure restricted access to data.
Week 4: Security Policies, Procedures, and Regulatory Compliance
This section will focus on the protection of data and regulatory requirements that the company needs to implement.
Week 5: Network Security
This section combines all of the previous sections and gives the opportunity to examine the security mechanisms that are needed at the network level.
Create the following section for Week 1:

Week 1: Introduction to Information Security
Choose and describe the company that you will use in this scenario.
Describe the need for information security, what potential risks or issues exist, and what benefits the company can gain from the new project.
Describe what new challenges exist with the new project to allow consultants to work on-site.
What challenges now apply to the company with the recent IPO taking place?
Section 1 should be 2–3 pages long.
Name the document “CS651_FirstnameLastname_IP1.doc.”
Worked Example

REAL-TIME INTEGRATION SYSTEMS
Computer Systems
Security Foundations
Week 1: Introduction to Information Security
<name>
[Pick the date]
This document contains information and typical analyses that Real-Time Integration Systems must
conduct to ensure compliance with recent initial public offering (IPO) requirements and to ensure the
security of the company infrastructure. In addition to ensuring compliance to the Sarbanes-Oxley
requirements, the company is also considering expanding the network infrastructure to allow employee
flexibility (yet sound security) in the area of network connectivity through the introduction of a wireless
network. The company will evaluate the risks and the current and future network infrastructure and
enterprise systems, as well as the access control policies currently in use. Within the analysis of the
technical review, Real-Time Integration Systems will ensure a proper security program is in place and
that policies and procedures are updated and accurate.Table of Contents
Project Outline and Requirements (Week 1)…………………………………………………………………………………… 1
Organization Description ………………………………………………………………………………………………………….. 1
Project Requirements ………………………………………………………………………………………………………………. 1
Introduction to Information Security (Week 1) ……………………………………………………………………………….. 3
The Need for Information Security …………………………………………………………………………………………….. 3
Potential Issues and Risks for Wi-Fi Environments……………………………………………………………………….. 3
Security Challenges of Allowing Consultants to Work On-Site……………………………………………………….. 3
A Review of the Sarbanes-Oxley Requirements …………………………………………………………………………… 3
Security Assessment (Week 2 TBD) ……………………………………………………………………………………………….. 4
Access Controls and Security Mechanisms (Week 3 TBD)…………………………………………………………………. 5
Software and Database Security (Week 4 TBD)……………………………………………………………………………….. 6
Network Security (Week 5 TBD) ……………………………………………………………………………………………………. 7
References …………………………………………………………………………………………………………………………………. 8Computer Systems Security Foundations
Organization Consultants Page 1
Project Outline and Requirements (Week 1)
Organization Description
Real-Time Integration Systems is a publicly traded company based in San Jose, California that offers
customized solutions to customers and clients. The main focus for Real-Time is the creation of solutions
based on integrating the various systems that are used in the customers’ offices so that they can have a
single management interface for all systems and applications. Real-Time has 100 employees. About one
third is internal company-based support, and two thirds of the employee base is consulting staff working
on the customized solutions. The company recently underwent an IPO, and as such, now has additional
regulatory requirements that it must meet. Talking with the company’s chief information officer (CIO)
and chief financial officer (CFO), they admit that the recent IPO has added additional pressures for their
company. They now must meet additional regulatory requirements.
The consulting staff typically meets with the customer to gather the system requirements and then
returns home to the Real-Time facilities to create the integration solutions. A major problem that the
consultants face is network resources. The office spaces that are allocated to the consulting team offer
cubicles with limited network access. The consultants need a more flexible solution for connecting to
the Real-Time network. Real-Time wants to implement a secure solution that ensures the privacy of the
communications and company data as well as giving the consultants the flexibility to connect to the
network and move around and interact and conference with other consultants.
Project Requirements
As Real-Time starts the project, the leaders realize that their current infrastructure is not as secure as
they thought. The original information technology (IT) staff was well-meaning, but at the time of the
start-up, they were not as security-conscious as companies are today. As a result, Real-Time wants to
ensure the overall security of the existing infrastructure and to isolate the new development
infrastructure as much as possible. To begin, the existing network architecture includes a demilitarized
zone (DMZ) for the company Web site, file transfer protocol (FTP), and mail servers. The company
Intranet is a flat network. All company resources and applications are on the same network with all staff
desktops. All company systems are internal (meaning that they outsource no solutions). All systems and
applications are housed in the San Jose corporate site in a converted conference room that is now a
dedicated data center.
Real-Time does have a concern over the customer systems and data that are brought into the San Jose
facility. The customer data and equipment need to be isolated from other customer environments. At
no point in time can the data from one customer be stored in the same environment as a different
customer. The CIO has made these requirements very clear to the staff. Customer data privacy and
security needs to be a top priority.
Proper resources have been allocated for the project, and several key goals have been set:• Evaluate the regulatory requirements based on the Sarbanes-Oxley Act, and ensure that
company security policies are sufficient to meet the requirements.
• Evaluate the security risks in the current environment.
• Evaluate the access control methods that are currently in use, and identify newly needed
controls.
• Evaluate the need for controls to better protect data both at rest and in motion.
• Develop or redesign a secure network solution.Introduction to Information Security (Week 1)
A review of the current infrastructure and security model is needed to ensure compliance with the new
Sarbanes-Oxley regulations. Management wants to understand how the regulation impacts the
information security posture of the Real-Time Integrations Systems environment. To do so, the following
areas need to be better understood by the organization:
• Describe the need for information security
• The potential issues and risks that exist and what benefits they can gain from the new wireless
fidelity (W-Fi) project
• Describe what new challenges exist with the new project to allow consultants to work on-site
• Describe the challenges that now apply to the company with the recent IPO taking place
The Need for Information Security
A review of the high level of information security should take place, and then a practical discussion
about what it means for organizations like Real-Time Integration Systems needs to take place.
Potential Issues and Risks for Wi-Fi Environments
A review of the technical security needs to take place. The focus should be on the extension of a
network through the use of wireless technologies.
Security Challenges of Allowing Consultants to Work On-Site
A review of the administrative security controls needs to take place. The focus should be on the policies
and personal requirements that need to be implemented
A Review of the Sarbanes-Oxley Requirements
Sarbanes-Oxley will now affect Real-Time, and there needs to be a discussion about the specific
provisions of the regulations that apply to the IT infrastructure.Security Assessment (Week 2 TBD)Access Controls and Security Mechanisms (Week 3 TBD)Software and Database Security (Week 4 TBD)Network Security (Week 5 TBD)References