ITS-325 Project Part 1 Summary:
 Understand the business need of First World Bank Savings and Loan.
Banking services that meet required regulations, and provide use of credit cards and loan application in a Linux / open source infrastructure.
 Point out specific legislation and regulations that meet the statutory compliance criteria.
The proposed plan would have to meet PCI / SOX / and GLBA regulations.
For PCI compliance we would need to conduct an annual risk assessment using a SAQ (self-assessment questionnaire), and conduct quarterly PCI scans using an approved vendor. If our business grew to 6 million transactions per year, we would need to conduct an annual internal audit, in addition to the PCI scans.

Some of the basics for PCI functionality includes, network hardening on web applications to protect cardholder data, including (but not excluded to) password policy enforcement, encryption, maintaining secure systems, keeping systems up to date on anti-virus, restricting business access to cardholder data, restricting physical access to data, tracking and monitoring access to all network resources, regular tests on security.

If our web applications evolved into more services such as shareholder infrastructure, we would need to delve into the SOX regulations.

Because we are offering loan services, we would need to abide by the Gramm Leach Bliley Act rules. Some of this would involve privacy notices about how we divulge their data.

 Assess the feasibility of Linux and open source infrastructure in handling security demands listed by the legislation and regulations.
The biggest feasibility issue is the adaptability in general of open sourced software. As the industry needs change, the ability for the software to adapt is also possible. Security would be the biggest issue since it in the banking industry. By following a good framework that meets the standards needed for the industry, the systems implementation should logically follow-suit.

 Make recommendations to model a tiered architecture for the proposed online transaction in a Linux-based infrastructure.
Per our discussion in class, a tiered architecture might have a web server (such as Apache), an application server (such as Tomcat) and a database server (such as oracle) to drive the business needs.
 Identify a suitable security framework that forms the basis of your recommended security policy, providing a valid rationale for your recommendation. Submission Requirements
ISO 9000 standards seem to be the framework that suits the needs. It adopts stricter standards according to the research I’ve read, and continually evolves with the changes in the industry. This would seem to be a framework that could meet the standards discussed earlier.
Research and evaluate various open source software for each server considering the stability and security of the software.
Recommend open source software for each server and explain the reasons for selecting the software.
Database server
I chose MariaDB as the open source pick because of a number of metrics that would seem to improve productivity overall. While MySQL is the most popular open-source pick, MariaDB offers some of these features compared to MySQL:
Speed improvements:
Faster subqueries –
Faster and safer replication (up to 2x faster on many replication tasks)
Faster indexes
Adjustable hash size
CHECKSUM TABLE is faster then MySQL
There are also more storage engine options in MariaDB, and many other features listed here:
Ref: https://mariadb.com/kb/en/mariadb/mariadb-vs-mysql-features/

Web server
There was a lot of information and opinions on the best Web server for our requirements, as well as a lot of compare and contrast information.
I chose Apache Web Server because of it being able to meet the requirements we have, and its supportability is much more diverse. It also offers flexibility for potential growth, and can process a large number of languages without connecting to separate software.
File server
For the file server, I had it down to NFS or Samba, and went with Samba because of the supportability is much more widespread. The setup also seems to be much easier, and the security seems to be just as strong.
Simple Mail Transfer Protocol server (SMTP)
I had this between send mail and a number of other options, but chose Apache James because of its options compared to sendmail including being more compatible with certain protocols we could have setup in our environment.
Lightweight Directory Access Protocol (LDAP) server
I chose Apache Directory Server/Studio for supportability and options. Apache Directory supports Kerberos, as well as several other options we may have setup in the environment.
Summarize an account policy that can be used for all users.
Describe special permissions, if any, required to create user or group accounts.
Everyone
This role would have read access for everyone on specified resources. They might have access to view all items in a specified system, and to change their own password.
Web admin
This role would have access to all web servers, and related needed resources. They could view objects, and change objects in a specified system, and change their own password.
Linux admins
This role would have access to servers related to their roles, including editing / enabling / disabling objects that are needed to meet the requirements of the role. They could view objects, change objects, and change their own password.
Security admins
A security admin would need more comprehensive access including security policy objects, and the ability to edit / modify / delete certain items. Enabling and disabling certain nodes, changing their own passwords, and full access to objects that were related to their needs.
Server manager
This role might have access to virtual servers, viewing objects, and changing their own passwords. They might have access to the configuration utility depending on the other roles and their needs.
User manager:
A user manager might have access to partitions, including creating, modifying, deleting, and viewing user accounts. They could view objects, and change their own passwords. They might be able to reset user passwords.
Resource Manager / Adminastrator
They might have full access to all partitions. They would have access to viewing objects, and resetting their own password. They might have access to guest related services needed, and any setup for system redundancy including editing various tasks needed to maintain the roles tasks.