Information security framework
For an organization with two data centers, controlled by 300 server machines and with a host of different database models supported by storage area networks serving two different locations of data centers, security concerns are a common phenomenon. It is, therefore, necessary that the organization puts into consideration the risks posed by having a network that is controlled through sharing data and storage resources. While information technology offers a boost for the operations company, it offers equal risks that could undermine the confidence of the customers as well as lead to losses through loss or unauthorized modification of data. The IT infrastructure within a company is governed along three levels. These will be used to develop the action plan for the organization. They include;
- Administrative controls
- Logical controls
- Physical controls
The implementation of these controls, however, requires a combined effort from the workforce within the company. The most important thing that a company can do is to develop a policy that enacts a security awareness culture within the workforce. These controls, (logical, physical and administrative) should, however, be designed in such a way as to reach a common objective. Thus, the organization in question is required to develop a set of policies that will enable the controls to work collaboratively so as to seal any existing loopholes within the security apparatus of the organizations network.
The action plan for the organization is based on the assessment provided and subsequently the implementation of lacking security apparatus either in the form of physical components or policy measures. The IT infrastructure is more of a policy driven sector and thus all of the measures addressed under each section will be designed in accordance with the organizations policy as well as its governance structure to ensure accountability at all times. The action plan will commence its implementation upon approval by all relevant stakeholders. It should be completed within the sixth week after its approval.
Separate the roles: The administrative measures seek to provide a platform upon which the organization can effectively manage the workforce and the people who interact with the organization on a daily basis. The organization needs to draw up a plan that separates the roles of individuals within the organization. Considering that the data centers are in two different locations, there is a need to adopt a common policy that defines the roles of each employee from whichever station they are working. This will include drawing up a comprehensive work program for the workers and assigning each of them a role as well as defining the limits of their administrative duties. The program should also take into consideration those roles that overlap and try as much as possible to ensure that at any time, there is an easy follow up to determine who is responsible for a certain task as would be reflected in the activities recorded within the databases.
Put in procedures for hiring and termination employees: The organization needs to draw up a plan that explains how the employees within an organization should be hired or how they can be declared to cease from working or the organization. The need for effective recruitment procedures arises from the need to establish the history of the employees to avoid chances of recruiting employees with a dark past. Similarly, when terminating employees, it is important that they are let go while ensuring that they do not posses any sensitive information that would pose a threat to the network. Any data related to an individual whose association with the organization has been terminated should be immediately deleted from the databases by the database administrator to reduce chances of misuse. These include passwords or any other login details associated with the individual.
Proper supervision, security awareness programs and training: the organization must involve its staff members in the two data centers in security training procedures where they are informed of the need for a secure network and collaborative approach in maintaining the security. This should be coupled with an insistence on proper supervision so that each is accountable for any possible security hitches within the network. With clear supervisory roles, it will be easier to identify the loopholes that expose the organization's network to threats.
Disaster recovery plan: The organization should realize that any network is not completely covered from possible threats. Thus, there should be effective strategies that seek to address such security issues especially when the company is caught unawares by the security lapses. These include policies that define how each employee should react on the realization that the network security is at risk.
Logical controls
The organization lacks any form of logical or technical controls. These include software and network security programs that can help curb incidences of intrusion through the network.
Access controls and smart cards: the network needs to be protected from access by unauthorized parties. This means that all databases should be programmed to request for authentication details from any user. Upon submission of these details, the network should allow access to the requested database or section of the network. However, the level access should be governed by the administrative policies put in place. Smart cards will offer an easier identification method that will help trace the activities of users within the organization and thus offer a follow-up plan. This will make it easier to identify the users who show unusual behaviors.
Antivirus and firewall software: The organization should purchase antivirus software to run within the operating systems of its end user computers, as well as the server machines. This will protect the entire network from any alien programs that can be used to access database information and expose the data to unauthorized modification.
Encryption of data: The existence of two data centers located in two different locations means that the shared data must access a public network before it is shared within the private organization network. Thus, to ensure safe sharing of data, the organization should seek to build an encryption algorithm that can protect data while in transit from one data center to the other. This means that in the case that data is accessed by unknown parties; it cannot be used for any purposes since it is only readable top the intended recipient who possesses the decryption algorithm.
Physical controls
While the administrative and logical controls offer high level procedures for protecting the network, the physical controls offer the foundational physical mechanisms that guard against theft, destruction or access to the physical components of the network and the organization in general.
Fences, security guards, locks and keys: These materials will offer the organization data centers the necessary protection from intruders by limiting their motion and hence their access to the facility. Gates should be heavily manned by security guards who are supposed to keep physical records of all individual who gain access to the data centers. There should be only a single entry point for each data center to avoid manipulation. Similarly, there should be no more than one designated exit point. Any individual found to use any other entry and exit points should be declared an intruder.
Badge systems of biometric access systems: The badge systems should be used to identify all individual within the organization premises and their role. This should be made part and parcel of the organizations culture. Any individual within the premises and without such badges should be considered an intruder and necessary security action taken against them. Biometric systems should further be used to identify and accord access to all individuals who access or use the facility resources.
Back up components: The organization should put in place power and data backup utilities to avoid complete loss of data in case of any physical destruction of systems. Backup for data should be located in safe areas where fire may not affect them. Data placed on a backup should be accorded total security at all times. It forms the fall back plan for the organization and the failure of backup files may place detrimental impacts of the company.