Network Security Management
Section Headings
Week 1: Introduction to Information Security
This section will describe the organization and establish the security model that it will use.
Week 2: Security Assessment
This section will focus on risks that are faced by organizations and how to deal with or safeguard against them.
Week 3: Access Controls and Security Mechanisms
This section examines how to control access and implement sound security controls to ensure restricted access to data.
Week 4: Security Policies, Procedures, and Regulatory Compliance
This section will focus on the protection of data and regulatory requirements that the company needs to implement.
Week 5: Network Security
This section combines all of the previous sections and gives the opportunity to examine the security mechanisms that are needed at the network level.
Include a Cover page, Outline, Abstract, and References pages
The case study company has expressed a desire to have a secure company-wide network infrastructure. Because the network has to revaluated from the beginning, the company wants to ensure that the new network has as many reasonable security controls and mechanisms in place. What solutions can you propose to support these initiatives? Create the following section for Week 5:
Week 5: Network Security
Propose an appropriate network infrastructure that offers sound security practices for the existing intranet and the new proposed expansion.
Create and describe a diagram of the network architecture, discussing how it can meet the goals of the company.
Describe the access controls and how the company can ensure that devices and topology are effective and working to protect the company infrastructure.
Review and describe the need for intrusion detection systems (IDS) and intrusion prevention systems (IPS).
Discuss how they can effectively be used in a network operations setting.
Ensure that there is an appropriate use of the IDS and IPS in the network diagram.
Section 5 should be 4–5 pages long (2–3 pages of network topology, 1–2 pages of IPS and IDS).
Name the document “CS651_FirstnameLastname_Final.doc.â€
As a final deliverable to the management team, create a Power Point presentation that summarizes the solutions outlined in the Key Assignment template. In addition, describe why the proposed solution is the correct method or mechanism to be implemented. Remember that the presentation is for the management team and should contain the appropriate level of detail.
Worked Example
Please refer to the following worked example of this assignment based on the problem-based learning (PBL) scenario. The worked example is not intended to be a complete example of the assignment, but it will illustrate the basic concepts that are required for completion of the assignment, and it can be used as a general guideline for your own project. Your assignment submission should be more detailed and specific, and it should reflect your own approach to the assignment rather than just following the same outline.
Sample Paper
Week 1: Introduction to Information Security
Company description
Digi-Best System Solutions is a small company based in Phoenix, Arizona that provides a broad range of customized products and services to its clients nationwide. The main goal of the company is to create solutions based on the integration of different systems that are utilized in the clients’ offices to enable them to have one management interface for all applications and systems. The company has employed roughly 150 employees. About two-thirds of the employee base engage in consultation work comprised of developing customized solutions while the rest served as the internal company-based support. Over the course of the past decade, Digi-Best System Solutions has experienced a steady growth. Recently, the company underwent an initial public offering (IPO), and thus it has extra regulatory requirements that it needs to meet. Talks with the chief financial officer (CFO) and chief information officer (CIO) have revealed that the recent developments have added pressure on the firm. They are required to meet additional regulatory standards.
Usually, the consultation staff meet with the client to gather the system requirements and return to the company’s offices to develop the integration solutions. Network resources are a big issue for the consultation staff. The consulting team’s workplace space is divided into cubicles with limited network connectivity. To connect to the Digi-Best System Solutions network, the consultants require a more flexible solution. Digi-Best System Solutions wishes to install a secure system that protects the privacy & confidentiality of communications and company data while also allowing consultation staff to connect to the network and move about while interacting and conferencing with other consultants.
Workplace Requirements
To achieve compliance with the 2002 Sarbanes-Oxley Act, an assessment of the existing infrastructure and security framework is required. Management needs to know how the regulation affects the information security posture of Digi-Best System Solutions environment. To accomplish this, the company must get a greater understanding of the need for information security, potential risks and benefits of Wi-Fi environments, new challenges arising from the new project and how this applies to the company especially with the recent IPO taking place.
Need for information security
Securing IT networks should be a key priority for every company. With Digi-Best System Solutions’ large consumer base, it’s critical to keep the company’s information out of the hands of hackers. Any data sent via the internet, for instance emails, consumer orders, or logistics, can be utilized to financially harm the organization. Cyber dangers are increasing on a day-to-day basis and come from all parts of the world. Today, the threat has no face and no boundaries, making it harder to track down and prosecute aggressors.
Another motive is to uphold government regulations and standards that have been put in place to ensure trust and reliability. Customer payment methods and accounts are critical data that must not be compromised. Customers will quit utilizing the organization as a vendor if the company’s security is breached. There will be no corporation if there are no clients, leaving a large number of people without a source of income.
Potential risks and vulnerabilities
All businesses face risks, and as the world’s reliance on data centres grows, so do the threats. Every organization transmits information, and keeping it secure is growing more difficult. Important data such as financials, customer information, and staff information, must be safeguarded. The company currently has a number of hazards and vulnerabilities that must be addressed. A lax update and patching policy, passwords strength and complexity, and clear text password transmission are some of the existing hazards and vulnerabilities within the firm. Other flaws arise as a result of user adherence to the current security policy.
As the first stage on physical devices, user compliance is a significant vulnerability. Walking away from a workstation without locking or logging off has become a bad habit throughout the organization. This opens the door for someone with a lower degree of privilege to access the other user’s credentials and inflict network damage or data theft.
Benefits from Information Security
The greatest benefit of increased network security is the reduction in network downtime. There’s a chance the company’s network will go down every member of staff should be informed of the dangers that may exist and their impact on the company’s network and clients. Inventing and implementing a more stringent password policy will reduce the risk of a hacker using a brute force attack. By implementing the lockout or logoff policy, the risk of an unauthorized persons getting access and stealing information is reduced.
Expected challenges
Every endeavour in a business has its own set of difficulties and risks. Hiring an outside security firm to evaluate the company’s IT networks and operations will come with its own set of issues. Because this is new territory, the organization must adapt to the security company’s audit methodology, which may include onsite testing or external penetration testing, requiring the company to hand over user credentials. During the course of their engagement, the auditors will have access to the whole network.
The auditors will be given more resources to work with. Any urgent questions will be answered by a company liaison from the IT department. The liaison will also serve as a link between the auditors and the IT department, ensuring that proper communication is maintained. This will ensure that neither the auditors nor the IT department faces any genuine obstacles.
Challenges from IPO
When a company goes public, new obstacles arise that can jeopardize the company’s reputation. The impact on IT can be reduced by implementing new policies and improving security posture. Maintaining a stable network to avoid new attackers’ breaches will be critical to the success of the company. Digi-Best System Solutions will be targeted as a result of the increased exposure from the IPO, and any weakness will be exploited. The challenges will be ensuring that all information security requirements are not only met but even exceeded while minimizing the impact on daily processes. To establish a strong IT infrastructure, an increase in security checks will be necessary. Additionally, the company will now be impacted by Sarbanes-Oxley Act, and there will need to be a conversation about the precise aspects of the legislation that relate to IT infrastructure.
Security Assessment (Week 2)
It is important to have an understanding of the company’s environment in order to ensure and sustain security. This comprises of identifying assets, classifying data, network topologies as well as the risks involved.
Current Assets
Digi-Best System Solutions relies on various systems to carry out its daily operations including:
| System | Applications | Description |
| Customer relations management | Sales and Marketing | Following up on clients and client’s project |
| Enterprise resource planning | Human Resources | Tracking staff members, managers, assignments, wages, and expenditures |
| Enterprise resource planning | Finances | General ledger, accounts receivables and accounts payables, |
| E-mail server | Throughout the company | Email system that the company uses to communicate internally and externally. |
| Web servers | Company public portal |
Applications and information used by clients to interact with the company |
Analysis of Current Network Topology and Risks
As the project begins, the administration realizes their existing infrastructure isn’t as protected as they anticipated. The initial IT personnel was well-intentioned, but when the company was launched, they were not as security-conscious as corporations are now. Consequently, the company wishes to ensure the overall security of the existing infrastructure’s while isolating novel development infrastructure. For starters, the present network design contains a demilitarized zone (DMZ) for the organization’s website, mail servers, and file transfer protocol (FTP). All the company applications, programs as well as staff desktop computers are connected to the same network. The organization’s systems are all internal (i.e., the company does not outsource solutions). Furthermore, all systems and applications are located in a repurposed meeting room that serves as a dedicated data centre at a remote corporate site.
The client systems and data that are transmitted to the remote facility are a source of concern for Digi-Best. Data and equipment belonging to customers must be kept separate from those belonging to other clients. Data from one client cannot be stored in the same setting as data from another customer at any time. These needs have been made extremely clear to the personnel by the CIO. Customer data security and privacy must be a primary focus.
Risk Assessment Methodology
Phase 1: Project definition
It will involve determining the goal of the risk assessment with regards to the information that the assessment intends to generate and the decisions it will support.
Phase 2: Project Preparation
It will involves establishing the project scope with regards to the organizational applicability, time frame allotted as well as technology considerations. During this stage it will also be important to determine the assumptions and conditions that the risk assessment is conducted under.
Phase 3: Data Gathering
It is important to establish the sources of vulnerability, threat, descriptive and impact information to be utilized in the risk assessment. Essentially, this stage will be help in the collection of technical, administrative, and physical information.
Phase 4: Risk Analysis
A risk model and analytic approach to be adopted in the risk assessment needs to be developed. This will be done through the identification of assets, threat events, sources of threat, vulnerabilities and predisposing conditions.
Phase 5: Risk Mitigation
Here, a determination of the likelihood that threat events of interest bring about adversity will be carried out by taking into account the features of the sources of threat that could lead to the events, the identified vulnerabilities and the susceptibility of the company mirroring the safeguards put in place to avert such events. Furthermore, this stage will be used to establish the risk to the company from the identified threat events through consideration of the potential impact of the events and the possibility of the events happening.
Phase 6: Risk Reporting and Resolution
The results of the risk assessment will be communicated to the company’s decision makers to provide support for risk responses. Recommendations from the risk-related information gathered during the assessment will be shared with the appropriate company personnel. Also, this information should be documented and stored safely for future use to update risk assessment using the findings from continuous monitoring of risk factors. Risk factors need to be monitored as they contribute to adjustments in risk to individuals, organizational assets and operations as well as other companies.
