...Security Policy Framework CIS 462 01 February 2014 As organizations grow and rely more on information systems as the primary means of conducting operations, keeping those systems and their information secure has become one of the highest priorities. To ensure information security, the organization must take appropriate security measures so that no information is put in the hands of unauthorized personnel. Having a comprehensive information security framework in place, along with sound standard operating procedures (SOPs), policies, and regulations, can help any organization keep its systems and information secure. When developing a framework for an organization, you must choose what will be best for that organization. Although NIST (SP 800-53), ISO/IEC 27000, and COBIT are all frameworks that offer many different security programs, and there is no wrong framework to choose, selecting the one that works for your organization can be a tough decision for any manager. For the insurance organization, I would choose to implement the ISO/IEC (27000) framework, so that we can concentrate on establishing and managing an IT security program. ISO/IEC 27000 covers information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develop and publish international standards. By using this framework we can provide all necessary best practices...
...ABSTRACT This project designs a top-level, enterprise-wide telecommunications network for ABC Company (ABC), which has worldwide offices in the U.S. (San Francisco, Detroit, Washington, Indianapolis, Tampa), Europe (Paris, Liverpool), Japan (Tokyo), and South America (Sao Paulo) and is engaged in the development of audio and video special effects for the entertainment and advertising industry. It is imperative that team members work diligently and closely to deliver a quality project on time for the company. We must also keep in mind the technical customer requirements, keep the network managed and running at its best performance, and ensure that the network is secure. The design for this network begins with the local network at each of the provided locations, and then connects all the offices together in an effective Wide Area Network (WAN) design. The network design will include both voice and data sharing. Microsoft Project will be used as a tool to organize and manage the complete project, including budget and schedule. We must also remember that the main design centers are in San Francisco, Detroit, Paris, Tokyo, and Sao Paulo, with corporate headquarters located in San Francisco. The remaining offices are used as sales offices. The company is assumed to operate 24 hours a day, 7 days a week, because it is global. It has been said that, with the advent of globalization, the WAN has become a major artery for communication...
... 0.2 WHY INFORMATION SECURITY IS NEEDED? 0.3 HOW TO ESTABLISH SECURITY REQUIREMENTS 0.4 ASSESSING SECURITY RISKS 0.5 SELECTING CONTROLS 0.6 INFORMATION SECURITY STARTING POINT Information security is defined as the preservation of confidentiality, integrity and availability of information … 0.7 CRITICAL SUCCESS FACTORS 0.8 DEVELOPING YOUR OWN GUIDELINES 1 SCOPE 2 TERMS AND DEFINITIONS 3 STRUCTURE OF THIS STANDARD 3.1 CLAUSES Security controls directly address risks to the organization; therefore, risk analysis is a starting point for designing controls. 3.2 MAIN SECURITY CATEGORIES 4 RISK ASSESSMENT AND TREATMENT 4.1 ASSESSING SECURITY RISKS Information security policies, standards, procedures and guidelines drive risk management, security and control requirements throughout the organization. 4.2 TREATING SECURITY RISKS 5 SECURITY POLICY 5.1 INFORMATION SECURITY POLICY 5.1.1 Information security policy document 5.1.2 Review of the information security policy 6 ORGANIZATION OF INFORMATION SECURITY Defines the hierarchical structure and reporting...
...Abstract Networks are nowadays the core of modern communication. A computer or data network is a telecommunication network that allows computers to exchange data and files and also allows remote computing, that is, giving authorized users the ability to access information stored on other computers on the same network. This exchange of data is carried over network links established between nodes using either cables or wireless media. Most information in computer networks is carried in packets, which increases the difficulty of managing the network and securing it against hazards such as security threats. Undesired packets may easily harm the systems. To counter such malicious packets, firewalls have been implemented with packet filters which check...
...verification is the opposite of positive verification. The customer must contact the bank to verify that the information is correct. 3. What vulnerabilities are introduced by implementing a Remote Access Server? Vulnerabilities that could allow remote code execution, two heap overflows, and a cross-site scripting (XSS) vulnerability that could allow elevation of privilege, enabling an attacker to execute arbitrary commands on the site in the context of the target user. 4. What is a recommended best practice when implementing a Remote Access Policy server user authentication service? Using multi-factor authentication. 5. Name at least 3 remote access protections or security controls that must be in place to provide secure remote access. Authorized secure remote access; traffic inspection and coordinated threat control; centralized security management with enterprise-wide visibility and control. 6. When dealing with RADIUS and TACACS+ for authentication methods, what protocols are used at Layer 4 for each of these techniques? UDP for RADIUS and TCP for TACACS+. 7. In TACACS+ communications, what part of the packet gets encrypted and which part is clear text? MD5 for encryption and XOR for clear text. 8. In RADIUS authentication, what is the purpose of the “Authenticator”? To provide a modest bit of security. 9. Which of these two,...
...breach had affected Customers - pay for the purchases made by the intruders / cards invalidated / spending power expired; Financial Institutions - re-issue the cards for those customers whose information was compromised; Store Associates - change their credentials for system access; Vendors and Merchandisers - modify the information shared over the mutual network; and Richel Owen, CSO - design long- and short-term strategy to address the security breach. Intruders used the stolen data to produce bogus credit/debit cards that could be used at self-checkouts without any risk, and had also employed a gift card float technique. Case Analysis: TJX learnt about the hacking in December 2006 through the presence of suspicious software and immediately called in security consultants for assistance. TJX had been compromised at multiple vulnerable points: encryption, wireless attack, USB drives, processing logs, and compliance and auditing practice. Encryption - The intruder had accessed the card information during the approval process and had the decryption key for the encryption software used at TJX. This can be addressed by purchasing or designing an encryption scheme that uses advanced encryption standards such as an asymmetric encryption algorithm, which employs a pair of keys (public and private) and uses a different component of the pair for different steps of the algorithm, complicating decryption of the data packets. Wireless Attack - Data streaming between IP-enabled devices had been hacked...
...NT2580 Week 2 Essay Create a Remote Access Policy Definition NT2580 The requirements for establishing a secure connection between remote locations vary between organizations. The needs of the organization are based on the type of information and data being transferred, as well as the sensitivity of the information. There are several options available to networks to get their data sent securely and reliably. All seven layers of the OSI model must be taken into account when designing secure Remote Access Control Policies. To create a secure remote connection between offices in Atlanta, San Francisco, Chicago, and Dallas, a WAN link would be the best type of connection. A dedicated WAN link would offer the organization a secure, reliable, dedicated point-to-point type of connection. Wide Area Network links would be monitored by the owners of the lines that connect each location. Leased lines from the providers will allow for scalability with potential growth. The downside to this type of connection is the expense, and an internet connection is not necessarily provided by the link. To add to the security of the network, physical and logical access controls are necessary. Logical implementations added to the network will be Acceptable, Email, and Wireless Use policies, antivirus and firewall software, as well as Extranet, Interconnection, and Host Security. To protect physical assets, as well as employees, physical security must also be considered. Locked...
...will work to improve the proper handling within Riordan Manufacturing to ensure the best relationship between each department. Once the final implementation is installed, it will not only improve communication within the company but will also help save time and money. Security: Security should be the highest point of interest or concern of any project. Security is mainly the responsibility of the group operating the system, which makes it the company's staff's responsibility to install and operate security controls such as firewalls and anti-virus software, and also to perform routine updates and data backup and recovery points. All data needs to be kept secure and confidential at all times. Any company data such as policies, procedures, employee, or customer information needs to be secure, and it is Riordan Manufacturing's responsibility to make sure their systems are capable of doing so. All the information on company computers should be password protected and encrypted, and only authorized personnel should be given access to such information to ensure data safety. If any information, especially "sensitive information", were to get into the wrong hands it could really hurt the business; lawsuits alone could end up destroying the company, depending on what information was compromised and what exactly was done with it. Process: Certain processes throughout the system, such as the application process, could benefit more from using third-party software. By using a...
...You will be able to explore design and firewall rules for a bastion host. You will examine how a bastion host allows administrators to access Samba and Secure Shell (SSH) for remotely managing a server. Assignment Requirements As the Linux system administrator of insurance company Secure All, Inc., you need to design firewall rules for the organization's bastion host file server, which uses Samba. This server is located in the local area network (LAN) with the network address 172.16.0.0/12 and subnet mask 255.240.0.0. The server should also allow Web application access for its online transaction platform to mount the filesystem. The Web application resides on the Web server located in the demilitarized zone (DMZ). This server has two interface cards. One card, which is for the traffic from the DMZ firewall, is linked to the wide area network (WAN). This card's IP address is 192.168.1.5. The other interface card has the IP address 172.16.1.5 and is linked to the LAN. Which firewall rules should be written using iptables for the server hosting Samba? Discuss and suggest firewall rules to allow administrators to remotely manage the server using SSH. Use the concept of "default deny" when designing the rules. Participate in this discussion by engaging in a meaningful debate regarding the firewall rules that can be written using iptables. You must defend your choices with a valid rationale. At the end of ...
...Network Security Planning By: Marticia Goodwin CIS 532 / Professor Danielle Babb August 19, 2012 Strayer University SAFE is a reference architecture that network designers can use to simplify the complexity of a large internetwork; the architecture lets you apply a modular approach to network design. Traditional point security tools are limited in their ability to support and secure a business transformation, either leaving critical new resources unprotected or preventing the deployment of new services because they do not secure new processes and protocols. At the same time, organizations are facing a host of new threats that target many of these new services and impact network and service availability (Lippis, 2012). With SAFE, you can analyze the functional, logical, and physical components of a network and thus simplify the process of designing an overall enterprise network, but the Cisco SAFE architecture is especially concerned with security. SAFE takes a defense-in-depth approach in which multiple layers of protection are strategically located throughout the network, and the layers fall under a unified strategy for protecting the entire network and its various components, including individual network segments, infrastructure devices, network services, endpoints, and applications (Oppenheimer, 2011). The SAFE architecture consists of the following major modules: core, data center, campus, management, WAN Edge, Internet Edge, branches, extranet, partner...
...The Internet of Things, also known as IoT, refers to embedded devices that are connected to and communicate with each other via the internet, ranging from small devices like smart watches and other everyday wearables to much larger devices like cars and other automobiles, medical equipment, etc. In my opinion, the traditional security methods like authentication, encryption, intrusion detection and intrusion prevention, firewalls, installing security patches, etc., may be applicable to the Internet of Things only if the devices are deployed and used in a controlled, secure and well-monitored environment like an enterprise network, which will not be the case with most of the devices that can be classified under IoT, as a user must be able to use his/her...
...Mobile Computing and Social Networks. Abstract Mobile computing has rapidly evolved over the last two decades with the use of wireless technology, making location irrelevant and increasing the opportunities for businesses to streamline business processes, reduce operational processing times and provide better customer service. The mobile revolution has also forced many industries to reengineer their business processes to accommodate the many mobile devices. Mobile computing and social networks are part of the daily lives of millions of Americans. 42% of American adults own a mobile and tablet computing device. "Additional research shows that about three quarters of U.S. adults are online, with about 66% of them using social networking sites" (Brenner, 2012). Specific methods for how IT departments and mobile app developers and designers can decide on supporting different mobile platforms like the Apple iPhone, Apple iPad, Windows Phone, or Android-supported smartphones and tablets will be discussed. Other topics addressed in this paper include the issue of "high availability" for mobile app users. Based on these considerations, organizations and businesses are nowadays focusing on the implementation of these applications while replacing their desktop platforms with mobile devices (Shih et al., n.d.). "On the other hand, it is also observed that these applications may also enhance various risks and vulnerabilities,...
...For a better understanding of the situation in the company's network, I decided to start the analysis with the vulnerabilities that it presents. Many of these vulnerabilities are the cause of different types of network attacks. It should be noted that while many of these vulnerabilities may be mitigated or eliminated, the possibility of an attack always exists. The first vulnerability is the email server. Although very well controlled for being within the Demilitarized Zone (DMZ), this is always a vulnerability with which most companies have to deal. This vulnerability opens the way for phishing attacks. One way to mitigate this vulnerability is configuring the email server so that only authorized email may enter. This is difficult because our video game company has a large list of customers and suppliers that is in constant change. The best option is to alert users about the security measures and company policies regarding private and unknown emails. The Web and FTP server is a less alarming vulnerability. Because it is located in the DMZ and behind the Intrusion Detection System (IDS), it is unlikely to be compromised without being detected. The location of the file servers in the network is totally unprotected against internal attacks. Any successful attack in the LAN would leave the data servers exposed. The establishment of a demilitarized zone with a completely different set of logon names and passwords than any other machines would give these servers better...
...technological innovation and automation of their systems. However, as GFI experienced steady growth in its financial operation, a significant security risk remained within its network. GFI relies on its application servers, the Oracle database and the email system, which are the backbone of GFI's financial operations. The financial and cash flow system of the company depends solely on the network; any network breakdown or system failure would be catastrophic for the business and its clients. The recent multiple cyber attacks on GFI's network and the 2012 Oracle server attack left the company's integrity, confidentiality and availability vulnerable for several days. Although the servers were restored, the damage was extensive and led GFI to pay clients for damages from the loss of data confidentiality. Another attack left the entire GFI network down, which led to losses in revenue and intangible customer confidence to the tune of over a million US dollars. Risk Assessment Purpose The aim of this risk assessment is to evaluate the details of GFI's network security. Further, the risk assessment is to come up with a structured qualitative assessment of GFI's network environment and provide possible solutions for mitigating the sensitivity, threats, vulnerabilities, risks and safeguards of GFI's network. Besides, the assessment will recommend a potential cost-effective assurance that will combat the threats and associated exploitable...
...The design phase is the most important and analytical phase. The network design is developed based on the technical and business requirements obtained from the planning phases. The network design specification is a comprehensive, detailed design that meets current business and technical requirements. It provides high availability, reliability, security, scalability, and performance. The design includes physical and logical network diagrams and an equipment list. The project plan is updated with more specific and detailed information for implementation. 5.3.1 Network Topology Design After everything has been detailed in the plan phase, I proceed to design according to the paperwork or project plan. During this stage, I designed the topology for the new office which meets the requirements and criteria stated. Both physical and logical diagrams are created in this phase. The applications that I used to design the topology are Creately.com and Packet Tracer 7.0. Creately.com is an online application that allows users to draw UML diagrams, flowcharts, network diagrams and many more. The reason I used this online application is that it is free and easy to use, instead of drawing the physical topology by hand. Figure 4 - Creately Homepage GUI Figure 5 - Cisco...