REAL-TIME INTEGRATION SYSTEMS
Computer Systems
Security Foundations
Week 3: Access Controls and Security
Mechanisms
<name>
[Pick the date]
This document contains information and typical analyses that
Real-Time Integration Systems must
conduct to ensure compliance with recent initial public offering
(IPO) requirements and to ensure the
security of the company infrastructure. In addition to ensuring
compliance with the Sarbanes-Oxley
requirements, the company is also considering expanding the
network infrastructure to allow employee
flexibility (yet sound security) in the area of network
connectivity through the introduction of a wireless
network. The company will evaluate the risks and the current
and future network infrastructure and
enterprise systems, as well as the access control policies
currently in use. Within the analysis of the
technical review, Real-Time Integration Systems will ensure a
proper security program is in place and
that policies and procedures are updated and accurate.
Table of Contents
Project Outline and Requirements (Week 1) ... 1
    Organization Description ... 1
    Project Requirements ... 1
Introduction to Information Security (Week 1) ... 3
    The Need for Information Security ... 3
    Potential Issues and Risks for Wi-Fi Environments ... 3
    Security Challenges of Allowing Consultants to Work On-Site ... 3
    A Review of the Sarbanes-Oxley Requirements ... 3
Security Assessment (Week 2) ... 4
    Current Assets ... 4
    Analysis of Current Network Topology and Risks ... 4
    Risk Assessment Methodology ... 5
    Risk Mitigation ... 6
Access Controls and Security Mechanisms (Week 3) ... 7
    Access Controls of Existing Applications ... 7
        The Application List From Week 2 With Needed Access Controls (Examples) ... 7
    Access Controls to the Wi-Fi Network ... 7
    Network Authentication Schemes ... 8
        Single Sign-On ... 8
        Virtual Private Networks ... 8
Software and Database Security (Week 4) ... 9
    Regulatory Requirements of Sarbanes-Oxley
    Policies
    Controls
    Protecting Data
        Data-at-Rest
        Data-in-Motion
Network Security (Week 5) ... 10
    Protecting Data
    Intrusion Detection Systems
    Intrusion Prevention Systems
References ... 11
Computer Systems Security Foundations
Organization Consultants Page 1
Project Outline and Requirements (Week 1)
Organization Description
Real-Time Integration Systems is a publicly traded company
based in San Jose, California that offers
customized solutions to customers and clients. The main focus
for Real-Time is the creation of solutions
based on integrating the various systems that are used in the
customers’ offices so that they can have a
single management interface for all systems and applications.
Real-Time has 100 employees. About one
third are internal company-based support staff, and two thirds of the
employee base are consultants working
on the customized solutions. The company recently underwent
an IPO, and as such, now has additional
regulatory requirements that it must meet. In conversations with the
company’s chief information officer (CIO)
and chief financial officer (CFO), both admitted that the recent IPO
has added pressure on the
company to meet those additional regulatory
requirements.
The consulting staff typically meets with the customer to gather
the system requirements and then
returns home to the Real-Time facilities to create the integration
solutions. A major problem that the
consultants face is access to network resources. The office spaces that are
allocated to the consulting team offer
cubicles with limited network access. The consultants need a
more flexible solution for connecting to
the Real-Time network. Real-Time wants to implement a secure
solution that ensures the privacy of the
communications and company data while giving the
consultants the flexibility to connect to the
network, move around, and collaborate and conference with
other consultants.
Project Requirements
As Real-Time starts the project, the leaders realize that their
current infrastructure is not as secure as
they thought. The original information technology (IT) staff was
well-meaning, but at the time of the
start-up, they were not as security-conscious as companies are
today. As a result, Real-Time wants to
ensure the overall security of the existing infrastructure and to
isolate the new development
infrastructure as much as possible. To begin, the existing
network architecture includes a demilitarized
zone (DMZ) for the company Web site, file transfer protocol
(FTP), and mail servers. The company
Intranet is a flat network. All company resources and
applications are on the same network with all staff
desktops. All company systems are internal (meaning that they
outsource no solutions). All systems and
applications are housed in the San Jose corporate site in a
converted conference room that is now a
dedicated data center.
Real-Time does have a concern over the customer systems and
data that are brought into the San Jose
facility. The customer data and equipment need to be isolated
from other customer environments. At
no point in time can the data from one customer be stored in the
same environment as a different
customer. The CIO has made these requirements very clear to
the staff. Customer data privacy and
security need to be a top priority.
Proper resources have been allocated for the project, and
several key goals have been set:
• Evaluate the regulatory requirements based on the Sarbanes-
Oxley Act, and ensure that
company security policies are sufficient to meet the
requirements.
• Evaluate the security risks in the current environment.
• Evaluate the access control methods that are currently in use,
and identify newly needed
controls.
• Evaluate the need for controls to better protect data both at
rest and in motion.
• Develop or redesign a secure network solution.
Introduction to Information Security (Week 1)
A review of the current infrastructure and security model is
needed to ensure compliance with the new
Sarbanes-Oxley regulations. Management wants to understand
how the regulation impacts the
information security posture of the Real-Time Integration
Systems environment. To do so, the following
areas need to be better understood by the organization:
• The need for information security
• The potential issues and risks that exist, and the benefits the organization
can gain from the new wireless
fidelity (Wi-Fi) project
• The new challenges that come with the new project to
allow consultants to work on-site
• The challenges that now apply to the company with
the recent IPO taking place
The Need for Information Security
A high-level review of information security should take
place, followed by a practical discussion
of what it means for organizations like Real-Time
Integration Systems.
Potential Issues and Risks for Wi-Fi Environments
A review of the technical security needs to take place. The
focus should be on the extension of a
network through the use of wireless technologies.
Security Challenges of Allowing Consultants to Work On-Site
A review of the administrative security controls needs to take
place. The focus should be on the policies
and personnel requirements that need to be implemented.
A Review of the Sarbanes-Oxley Requirements
Sarbanes-Oxley will now affect Real-Time, and there needs to
be a discussion about the specific
provisions of the regulations that apply to the IT infrastructure.
Security Assessment (Week 2)
To conduct a security assessment, the organization needs to
understand its environment. This includes
asset identification, data classifications, and network
topologies. This section will focus on asset
identification and network topology and the risks associated
with them in the current environments.
Current Assets
A list of the enterprise systems that Real-Time Integration
Systems relies on to run the day-to-day
business activities includes the following systems:
Example Enterprise Systems
System | Applications | Description
Enterprise resource planning (ERP) | Human resources (HR) | Human resources uses this to track employees, managers, assignments, salary, and expenses
ERP | Financials | Accounts payable, accounts receivable, general ledger
Customer relations management (CRM) | Sales and marketing | Tracking of customers and customer projects
Web servers | Company public portal | Information and applications used by customers to interact with Real-Time Integration Systems
E-mail server | All departments | E-mail system used for company e-mail and external communications
Analysis of Current Network Topology and Risks
An example diagram for the current network (although not
required for submission) could be
represented as follows:
Because all machines (user desktops and servers) are on the
same network, all connected to the
Internet, a security breach on any single machine gives an attacker
direct access to all other servers and
devices on the same network. This is highly undesirable.
Additional risks should be discussed.
System | Risks
Web server | Accessible to the Internet by design; an easy target for attackers
Desktop systems | Users are the primary targets for social engineering; if a desktop is compromised, network resources are accessible from it
If the new Wi-Fi network is added to the existing network, an
example diagram could look as follows:
A discussion about the new risks for this model needs to be
conducted.
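The flat-network risk above (one compromised machine reaching every other machine) and the question of what changes when the Wi-Fi network is attached can both be made concrete by counting the blast radius of a single compromise under each topology. The following is an added example, not part of the case-study document: the host names, segment names and allow-list rules are assumptions that mirror the topology the text describes (a DMZ, a flat intranet, and a proposed Wi-Fi segment that reaches internal systems only through a VPN gateway). The "pivot" measure is a deliberate worst case that treats every reachable host as fully compromised.

```python
"""Blast-radius comparison of the current flat intranet against a
segmented design. Added example, not part of the case study: host names,
segment names and the allow-list rules are assumptions that mirror the
topology the text describes (DMZ, flat intranet, proposed Wi-Fi network
that reaches internal systems only through a VPN gateway)."""

# Current state: everything, including the proposed wireless clients, sits
# on one network. Constructed inventory; the VPN gateway is listed here too
# so that both models contain the same nine hosts.
FLAT_HOSTS = {
    "web-server": "intranet", "ftp-server": "intranet", "mail-server": "intranet",
    "erp": "intranet", "crm": "intranet", "file-server": "intranet",
    "desktop-1": "intranet", "wifi-laptop": "intranet", "vpn-gateway": "intranet",
}
FLAT_RULES = set()  # one segment, so there are no inter-segment rules

# Proposed state: separate segments with an explicit allow-list between them.
SEGMENTED_HOSTS = {
    "web-server": "dmz", "ftp-server": "dmz", "mail-server": "dmz",
    "erp": "servers", "crm": "servers", "file-server": "servers",
    "desktop-1": "desktops", "wifi-laptop": "wifi", "vpn-gateway": "vpn",
}
SEGMENTED_RULES = {
    ("desktops", "servers"),  # staff desktops use the internal applications
    ("desktops", "dmz"),      # and the public portal / mail servers
    ("wifi", "vpn"),          # wireless clients may only talk to the VPN gateway
    ("vpn", "servers"),       # authenticated VPN sessions reach internal apps
    ("servers", "dmz"),       # e.g. internal mail relaying to the DMZ mail server
}


def segments_from(rules, segment):
    """Segments that `segment` may send traffic to: itself plus allowed peers."""
    return {segment} | {dst for src, dst in rules if src == segment}


def reachable_hosts(hosts, rules, start, pivot=False):
    """Hosts that a compromised `start` can talk to. pivot=False gives the
    direct blast radius; pivot=True assumes the attacker compromises each host
    it reaches and attacks onward (transitive closure over the allow-list)."""
    reach = segments_from(rules, hosts[start])
    if pivot:
        frontier = list(reach)
        while frontier:
            seg = frontier.pop()
            for nxt in segments_from(rules, seg):
                if nxt not in reach:
                    reach.add(nxt)
                    frontier.append(nxt)
    return {h for h, seg in hosts.items() if seg in reach and h != start}


def blast_radius(start):
    """Number of hosts exposed by a compromise of `start` under each model."""
    return {
        "flat": len(reachable_hosts(FLAT_HOSTS, FLAT_RULES, start)),
        "segmented_direct": len(reachable_hosts(SEGMENTED_HOSTS, SEGMENTED_RULES, start)),
        "segmented_pivot": len(reachable_hosts(SEGMENTED_HOSTS, SEGMENTED_RULES,
                                               start, pivot=True)),
    }


if __name__ == "__main__":
    for host in ("wifi-laptop", "desktop-1", "web-server"):
        print(host, blast_radius(host))
```

In the flat model a compromised wireless laptop reaches all eight other hosts directly; in the segmented model it reaches only the VPN gateway, and even with unlimited pivoting it never reaches the staff desktop segment, while a compromised DMZ web server stays confined to the DMZ.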
Risk Assessment Methodology
The following is an outline of the methodology that can be used
for a risk assessment:
• Phase 1: Project Definition
• Phase 2: Project Preparation
    • Team Preparation
    • Project Preparation
• Phase 3: Data Gathering
    • Administrative
    • Technical
    • Physical
• Phase 4: Risk Analysis
    • Assets
    • Threat Agents and Threats
    • Vulnerabilities
• Phase 5: Risk Mitigation
    • Safeguards
    • Residual Security Risk
• Phase 6: Risk Reporting and Resolution
    • Risk Recommendation
    • Documentation
Risk Mitigation
As part of the risk-assessment process, a plan needs to be
recommended (and ultimately acted upon).
The exact process for dealing with risk varies from company to
company based on the risk tolerance.
The following should be discussed with respect to handling risk:
Access Controls and Security Mechanisms (Week 3)
The focus of this section is to examine the access control model
of the previously identified applications.
A review of the existing system may be included, but a
proposed final solution must be given
for each application. A proposed solution for the new Wi-Fi
network is also given.
Access Controls of Existing Applications
The application list from Week 2 with needed access controls
(examples):
System | Proposed Access Control: Identification/Authentication | Proposed Access Control: Authorization
ERP | Single sign-on (SSO) technology | Role-based access control
Desktop | Active Directory | Role-based access control
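The table proposes role-based access control for authorization across the Week 2 systems, and the CIO's requirement that one customer's data never share an environment with another's adds a second rule on top of roles. The following is an added example written for this document, not code from the case study: it implements a deny-by-default RBAC decision for the listed systems plus an explicit customer-assignment check for consulting staff. The role names, action names, the "customer-env" system identifier and the sample users are assumptions made for the illustration.

```python
"""Role-based access control (RBAC) decision function for the enterprise
systems in the Week 2 asset table. Added example: deny by default,
permissions attach to roles, users hold roles, and consulting staff reach
only the customer environment they are assigned to (the CIO's isolation
requirement). Role names, actions, system identifiers and the sample users
are assumptions made for this illustration."""
from dataclasses import dataclass, field

# Permission = (system, action). Systems mirror the asset list; "customer-env"
# stands for an isolated customer environment (assumed identifier).
ROLE_PERMISSIONS = {
    "hr":         {("erp-hr", "read"), ("erp-hr", "write")},
    "finance":    {("erp-financials", "read"), ("erp-financials", "write")},
    "sales":      {("crm", "read"), ("crm", "write")},
    "employee":   {("email", "read"), ("email", "write"), ("portal", "read")},
    "consultant": {("customer-env", "read"), ("customer-env", "write")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    customers: set = field(default_factory=set)  # customer environments assigned


def is_authorized(user, system, action, customer=None):
    """Deny unless some role held by the user grants (system, action).
    For a customer environment the user must also be explicitly assigned to
    that customer, so one customer's data is never reachable from another
    customer's engagement even by a user who holds the consultant role."""
    granted = any((system, action) in ROLE_PERMISSIONS.get(role, set())
                  for role in user.roles)
    if not granted:
        return False
    if system == "customer-env":
        return customer is not None and customer in user.customers
    return True


def evaluate(user, requests):
    """Evaluate a batch of (system, action, customer) requests and return
    decision records suitable for an audit log; a Sarbanes-Oxley control
    wants every access decision traceable to a user and a resource."""
    return [
        {"user": user.name, "system": system, "action": action,
         "customer": customer,
         "decision": "allow" if is_authorized(user, system, action, customer)
         else "deny"}
        for system, action, customer in requests
    ]


# Constructed sample users (not from the case study).
ALICE = User("alice", roles={"hr", "employee"})
BOB = User("bob", roles={"consultant", "employee"}, customers={"acme"})


if __name__ == "__main__":
    for record in evaluate(BOB, [("customer-env", "write", "acme"),
                                 ("customer-env", "read", "globex"),
                                 ("erp-financials", "read", None)]):
        print(record)
```

An unknown role or an unlisted system yields a deny without any special casing, and the consultant role alone never opens a customer environment; the explicit assignment is what does, which is the property an auditor would want demonstrated for the customer-isolation requirement.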
Access Controls to the Wi-Fi Network
A detailed description of how access controls should be
implemented is provided. An example of a
network segregation diagram (not required but could be
implemented) is as follows:
Active Directory has been included for the potential of desktop
and wireless authentication. Additional
discussion could cover virtual
private network (VPN) access for wireless
clients.
Network Authentication Schemes
Single Sign-On
Description of SSO technologies and their use will take place in
this section.
Virtual Private Networks
Description of VPN technologies and their use will take place in
this section.
Software and Database Security (Week 4 TBD)
Network Security (Week 5 TBD)
References
3 Pages
The case study company has provided you with the flexibility to
identify many different information systems that are used by the
employees. Some systems need strict access control while
others should be available to everyone. What access-control
methods need to be employed for the various systems? How can
the company protect the new consultant network while at the
same time providing the protection of data that the stakeholders
and customers require?
In addition, you have been asked to describe 2 access control
mechanisms and consider if they can be used in the
organization. Describe single sign-on (SSO) and virtual private
network (VPN) technology and if they can be used in the
company.
Week 3: Access Controls and Security Mechanisms
For each of the applications and systems that were described in
IP 2, describe the access control mechanisms that are needed for
each.
Describe how the new expanded network can be protected
through access control.
Describe SSO and VPN technology, and discuss whether they
can be used in the company.
Name the document "CS651_FirstnameLastname_IP3.doc."
For assistance with your assignment, please use your text, Web
resources, and all course materials.

Real-Time Integration Systems is a publicly traded company based in San Jose, California, that offers customized solutions to customers and clients. The main focus for Real-Time is the creation of solutions that integrate the various systems used in the customers' offices so that they have a single management interface for all systems and applications. Real-Time has 100 employees: about one third are internal company-based support, and two thirds are consulting staff working on the customized solutions.

The company recently underwent an IPO and, as such, now has additional regulatory requirements that it must meet. In discussions with the company's chief information officer (CIO) and chief financial officer (CFO), both admit that the recent IPO has added pressure on the company, which must now meet these additional regulatory requirements.

The consulting staff typically meets with the customer to gather the system requirements and then returns to the Real-Time facilities to create the integration solutions. A major problem that the consultants face is network resources: the office space allocated to the consulting team offers cubicles with limited network access. The consultants need a more flexible solution for connecting to the Real-Time network. Real-Time wants to implement a secure solution that ensures the privacy of communications and company data while giving the consultants the flexibility to connect to the network, move around, and interact and conference with other consultants.

Project Requirements

As Real-Time starts the project, its leaders realize that the current infrastructure is not as secure as they thought. The original information technology (IT) staff was well-meaning, but at the time of the start-up they were not as security-conscious as companies are today. As a result, Real-Time wants to ensure the overall security of the existing infrastructure and to isolate the new development infrastructure as much as possible.

To begin, the existing network architecture includes a demilitarized zone (DMZ) for the company Web site, file transfer protocol (FTP), and mail servers. The company intranet is a flat network: all company resources and applications are on the same network as all staff desktops. All company systems are internal (the company outsources no solutions). All systems and applications are housed in the San Jose corporate site in a converted conference room that is now a dedicated data center.

Real-Time is concerned about the customer systems and data that are brought into the San Jose facility. Customer data and equipment need to be isolated from other customers' environments: at no point in time may the data from one customer be stored in the same environment as that of a different customer. The CIO has made these requirements very clear to the staff; customer data privacy and security must be a top priority.

Proper resources have been allocated for the project, and several key goals have been set:
• Evaluate the regulatory requirements based on the Sarbanes-Oxley Act, and ensure that company security policies are sufficient to meet the requirements.
• Evaluate the security risks in the current environment.
• Evaluate the access control methods that are currently in use, and identify newly needed controls.
• Evaluate the need for controls to better protect data both at rest and in motion.
• Develop or redesign a secure network solution.

Introduction to Information Security (Week 1)

A review of the current infrastructure and security model is needed to ensure compliance with the new Sarbanes-Oxley regulations. Management wants to understand how the regulation impacts the information security posture of the Real-Time Integration Systems environment. To do so, the following areas need to be better understood by the organization:
• The need for information security
• The potential issues and risks that exist in, and the benefits the company can gain from, the new wireless fidelity (Wi-Fi) project
• The new challenges that come with the project to allow consultants to work on-site
• The challenges that now apply to the company with the recent IPO

The Need for Information Security

A review of information security at a high level should take place, followed by a practical discussion about what it means for organizations like Real-Time Integration Systems.

Potential Issues and Risks for Wi-Fi Environments

A review of the technical security needs to take place. The focus should be on the extension of a network through the use of wireless technologies.

Security Challenges of Allowing Consultants to Work On-Site

A review of the administrative security controls needs to take place. The focus should be on the policies and personnel requirements that need to be implemented.

A Review of the Sarbanes-Oxley Requirements

Sarbanes-Oxley now affects Real-Time, and there needs to be a discussion about the specific provisions of the regulation that apply to the IT infrastructure.

Security Assessment (Week 2)

To conduct a security assessment, the organization needs to understand its environment. This includes asset identification, data classification, and network topologies. This section focuses on asset identification and network topology and the risks associated with them in the current environment.

Current Assets
A list of the enterprise systems that Real-Time Integration Systems relies on to run the day-to-day business activities includes the following:

Example Enterprise Systems

System                                   Applications            Description
Enterprise resource planning (ERP)       Human resources (HR)    Human resources uses this to track employees, managers, assignments, salary, and expenses
ERP                                      Financials              Accounts payable, accounts receivable, general ledger
Customer relationship management (CRM)   Sales and marketing     Tracking of customers and customer projects
Web servers                              Company public portal   Information and applications used by customers to interact with Real-Time Integration Systems
E-mail server                            All departments         E-mail system used for company e-mail and external communications

Analysis of Current Network Topology and Risks

An example diagram for the current network (although not required for submission) could be represented as follows:

Because all machines (user desktops and servers) are on the same network, all connected to the Internet, a security breach on any single machine gives an attacker direct access to every other server and device on that network. This is highly undesirable. Additional risks should be discussed:

System            Risks
Web server        Accessible from the Internet by design; an easy target for attackers
Desktop systems   Users are the primary targets for social engineering; if a desktop is compromised, network resources are accessible from it

If the new Wi-Fi network is added to the existing network, an example diagram could look as follows:
A discussion about the new risks for this model needs to be conducted.

Risk Assessment Methodology

The following is an outline of the methodology that can be used for a risk assessment:
• Phase 1: Project Definition
• Phase 2: Project Preparation
    • Team Preparation
    • Project Preparation
• Phase 3: Data Gathering
    • Administrative
    • Technical
    • Physical
• Phase 4: Risk Analysis
    • Assets
    • Threat Agents and Threats
    • Vulnerabilities
• Phase 5: Risk Mitigation
    • Safeguards
    • Residual Security Risk
• Phase 6: Risk Reporting and Resolution
    • Risk Recommendation
    • Documentation
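The flat-network finding in the topology analysis above, together with the customer-isolation requirement from the project requirements, can be turned into the kind of technical check that Phase 4 (risk analysis, vulnerabilities) of this methodology produces. The Python below is an added example and is not part of the original project document: it models the allowed flows between network zones for the current flat design and for a segmented alternative, computes what an attacker holding one asset can reach by pivoting, and tests the isolation requirements against both. The zone names, the placement of assets in zones, and the allowed flows are constructed assumptions, not Real-Time's actual configuration.

```python
"""Reachability check: flat intranet versus a segmented design.

Added example, not part of the original project document. The assets,
zones and allowed flows are constructed assumptions for illustration.
"""
from collections import deque

# Asset -> zone. The current design: a DMZ plus one flat intranet holding
# servers, staff desktops, customer systems and (once added) consultant Wi-Fi.
FLAT_PLACEMENT = {
    "web_server": "dmz", "ftp_server": "dmz", "mail_relay": "dmz",
    "erp": "intranet", "crm": "intranet", "mail_server": "intranet",
    "staff_desktop": "intranet", "consultant_laptop": "intranet",
    "customer_a_systems": "intranet", "customer_b_systems": "intranet",
}
# Allowed one-hop flows between zones as (source, destination). Hosts in
# the same zone always reach each other. Assumed for the current design.
FLAT_FLOWS = {
    ("internet", "dmz"), ("dmz", "intranet"),
    ("intranet", "dmz"), ("intranet", "internet"),
}

# A segmented design (assumed): servers, staff, each customer and the
# consultant Wi-Fi get their own zone; Wi-Fi clients reach internal systems
# only through a VPN gateway zone; customer enclaves initiate nothing.
SEGMENTED_PLACEMENT = {
    "web_server": "dmz", "ftp_server": "dmz", "mail_relay": "dmz",
    "erp": "servers", "crm": "servers", "mail_server": "servers",
    "staff_desktop": "staff", "consultant_laptop": "wifi",
    "customer_a_systems": "cust_a", "customer_b_systems": "cust_b",
}
SEGMENTED_FLOWS = {
    ("internet", "dmz"),
    ("staff", "servers"), ("staff", "dmz"), ("staff", "internet"),
    ("wifi", "vpn"), ("wifi", "internet"),
    ("vpn", "servers"), ("vpn", "cust_a"), ("vpn", "cust_b"),
}

FLAT = (FLAT_PLACEMENT, FLAT_FLOWS)
SEGMENTED = (SEGMENTED_PLACEMENT, SEGMENTED_FLOWS)

# Systems the brief singles out for protection.
SENSITIVE = {"erp", "crm", "customer_a_systems", "customer_b_systems"}


def zone_reach(flows, start, blocked=frozenset()):
    """Zones reachable from `start` by following allowed flows (BFS),
    never entering a zone listed in `blocked`."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in flows:
            if src == zone and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    return seen


def assets_reachable_from(design, asset, blocked=frozenset()):
    """Assets an attacker holding `asset` can reach, directly or by pivoting."""
    placement, flows = design
    zones = zone_reach(flows, placement[asset], blocked)
    return {name for name, zone in placement.items() if zone in zones}


def blast_radius(design):
    """How many assets fall if each single asset is compromised."""
    placement, _ = design
    return {a: len(assets_reachable_from(design, a)) for a in placement}


def violations(design):
    """Isolation requirements from the project brief, checked transitively."""
    found = []
    if "customer_b_systems" in assets_reachable_from(design, "customer_a_systems"):
        found.append("customer A environment can reach customer B environment")
    if "customer_a_systems" in assets_reachable_from(design, "customer_b_systems"):
        found.append("customer B environment can reach customer A environment")
    # Consultant Wi-Fi must not reach sensitive systems except through the VPN.
    if assets_reachable_from(design, "consultant_laptop", blocked={"vpn"}) & SENSITIVE:
        found.append("consultant Wi-Fi reaches internal systems without the VPN")
    # The Internet-facing DMZ must not be a stepping stone to internal data.
    if assets_reachable_from(design, "web_server") & SENSITIVE:
        found.append("a compromised DMZ host can pivot to internal or customer systems")
    return found


if __name__ == "__main__":
    for label, design in (("flat", FLAT), ("segmented", SEGMENTED)):
        radius = blast_radius(design)
        print(f"{label}: worst-case blast radius {max(radius.values())} "
              f"of {len(design[0])} assets")
        for v in violations(design):
            print(f"  VIOLATION: {v}")
```

In the flat design every asset, including the public Web server, reaches all ten assets and all four requirements are violated; the segmented design violates none. The model also shows what segmentation alone does not fix: a consultant laptop that holds valid VPN credentials still reaches everything its VPN access allows, so the VPN gateway must authorize per user and per customer, and the customer enclaves must not be able to initiate traffic to each other, which is why those zones have no outbound flows here.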
Risk Mitigation

As part of the risk-assessment process, a plan needs to be recommended (and ultimately acted upon). The exact process for dealing with risk varies from company to company based on its risk tolerance. The following should be discussed with respect to handling risk:

Access Controls and Security Mechanisms (Week 3)

The focus of this section is to examine the access control model of the previously identified applications. A review of the existing system could take place, but a proposed final solution needs to be given for each application. A proposed solution for the new Wi-Fi network is also given.

Access Controls of Existing Applications

The application list from Week 2 with needed access controls (examples):

System    Proposed Access Control
          Identification/Authentication      Authorization
ERP       Single sign-on (SSO) technology    Role-based access control
Desktop   Active Directory                   Role-based access control
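The table above pairs a directory or SSO identity with role-based authorization. The Python below, added here as an example and not part of the original project document, shows what that separation looks like in code: identities carry roles, roles carry permissions across the ERP, CRM and desktop, every authorization decision is logged, and a segregation-of-duties rule prevents one identity from both entering an invoice and approving its payment, the kind of control an internal-control review of a newly public company looks for. The role names, permissions, users and the conflict rule are constructed assumptions.

```python
"""Role-based access control (RBAC) with a segregation-of-duties check.

Added example for the Week 3 access-control table (SSO/Active Directory
for identification, RBAC for authorization). Not part of the original
project document; roles, permissions, users and the conflict rule are
constructed assumptions.
"""
from dataclasses import dataclass, field

# Permission names are "<system>:<action>". A role is a named bundle of
# permissions; identities never receive permissions directly.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "hr_specialist": frozenset({"erp-hr:read_employee", "erp-hr:update_salary"}),
    "hr_viewer":     frozenset({"erp-hr:read_employee"}),
    "ap_clerk":      frozenset({"erp-fin:create_invoice", "erp-fin:read_ledger"}),
    "ap_approver":   frozenset({"erp-fin:approve_payment", "erp-fin:read_ledger"}),
    "sales_rep":     frozenset({"crm:read_customer", "crm:update_customer"}),
    "desktop_user":  frozenset({"desktop:logon"}),
    "desktop_admin": frozenset({"desktop:logon", "desktop:local_admin"}),
}

# Role pairs one identity may never hold at the same time: whoever enters
# an invoice must not also approve its payment. Assumed rule for the example.
SOD_CONFLICTS: set[frozenset[str]] = {frozenset({"ap_clerk", "ap_approver"})}

# Every decision is recorded so an auditor can reconstruct who was allowed
# to do what; a real deployment writes this to protected, append-only storage.
AUDIT_LOG: list[tuple[str, str, bool]] = []


@dataclass
class Identity:
    """A principal as identified by the directory/SSO layer."""
    name: str
    roles: set[str] = field(default_factory=set)


def assign_role(identity: Identity, role: str) -> None:
    """Grant a role unless it is unknown or conflicts with one already held."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    for conflict in SOD_CONFLICTS:
        if role in conflict and (conflict - {role}) & identity.roles:
            raise PermissionError(
                f"{identity.name}: {role} conflicts with {sorted(conflict - {role})}")
    identity.roles.add(role)


def effective_permissions(identity: Identity) -> frozenset[str]:
    """Union of the permissions of every role the identity holds."""
    perms: set[str] = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def is_authorized(identity: Identity, permission: str) -> bool:
    """Authorization decision for one action: default deny, always logged."""
    allowed = permission in effective_permissions(identity)
    AUDIT_LOG.append((identity.name, permission, allowed))
    return allowed


def sod_violations(identities: list[Identity]) -> list[tuple[str, frozenset[str]]]:
    """Periodic access review: identities holding a conflicting role pair,
    e.g. roles granted outside this API or before the rule existed."""
    return [(i.name, c) for i in identities for c in SOD_CONFLICTS if c <= i.roles]


def demo() -> dict[str, bool]:
    """Constructed users; returns the decisions so they can be checked."""
    alice = Identity("alice")   # HR specialist
    bob = Identity("bob")       # accounts-payable clerk
    for role in ("hr_specialist", "desktop_user"):
        assign_role(alice, role)
    for role in ("ap_clerk", "desktop_user"):
        assign_role(bob, role)
    try:
        assign_role(bob, "ap_approver")   # must be refused: SoD conflict
        sod_blocked = False
    except PermissionError:
        sod_blocked = True
    # An account that acquired both roles some other way is caught by review.
    mallory = Identity("mallory", {"ap_clerk", "ap_approver"})
    return {
        "alice_reads_employee": is_authorized(alice, "erp-hr:read_employee"),
        "alice_approves_payment": is_authorized(alice, "erp-fin:approve_payment"),
        "bob_creates_invoice": is_authorized(bob, "erp-fin:create_invoice"),
        "bob_local_admin": is_authorized(bob, "desktop:local_admin"),
        "sod_blocked": sod_blocked,
        "review_finds_mallory": sod_violations([alice, bob, mallory])
        == [("mallory", frozenset({"ap_clerk", "ap_approver"}))],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The identity layer (SSO or Active Directory in the table) only establishes who the principal is; each application still makes its own default-deny decision from the principal's roles. Keeping the decision and the audit record in one function, as `is_authorized` does, is what lets an access review later show both what a user could do and what they actually attempted.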
Access Controls to the Wi-Fi Network

A detailed description of how access controls should be implemented is provided. An example of a network segregation diagram (not required but could be implemented) is as follows:

Active Directory has been included for the potential of desktop and wireless authentication. Additional discussion could take place surrounding virtual private network access for wireless clients.

Network Authentication Schemes

Single Sign-On

A description of SSO technologies and their use will be given in this section.

Virtual Private Networks

A description of VPN technologies and their use will be given in this section.

Software and Database Security (Week 4 TBD)
Network Security (Week 5 TBD)

References

3 Pages

The case study company has provided you with the flexibility to identify many different information systems that are used by the employees. Some systems need strict access control while others should be available to everyone. What access-control methods need to be employed for the various systems? How can the company protect the new consultant network while at the same time providing the protection of data that the stakeholders and customers require? In addition, you have been asked to describe 2 access control mechanisms and consider if they can be used in the organization. Describe single sign-on (SSO) and virtual private network (VPN) technology and if they can be used in the company.

Week 3: Access Controls and Security Mechanisms

For each of the applications and systems that were described in IP 2, describe the access control mechanisms that are needed for each. Describe how the new expanded network can be protected through access control. Describe SSO and VPN technology, and discuss whether they can be used in the company. Name the document "CS651_FirstnameLastname_IP3.doc." For assistance with your assignment, please use your text, Web resources, and all course materials.