Computer systems at Panther Industries should contain advance processor, Ram with high speed bus and large capacity hard disks. All systems should have high speed local area network card to ensure quickly access to network resources. Wi-Fi connection should be provided to employees in order to connect from mobile devices. VPN connection should be installed to allow access to data server from any remote location. Latest version of Microsoft Windows 7 is needed to be installed on all PCs. Windows Server 2008 should be installed on servers for the security and access control. Windows 7 have best security features. A proxy server layer with security software should be used to restrict employees and outside threats. There is a valid reason for choosing this configuration which is that Panther Industries is a software provider company so it need more advance and strong secure systems in order to meet its core functionalities.
Strengths of our system
Windows server 2008 and windows 7 provide advanced security architecture to ensure security of data. Security policies of Windows Vista are more enhanced in Windows 7. These enhancement includes
- Users and Infrastructure Protection: Windows 7 provides flexible protection against all kind of malware and intrusions. User are able to get desired control, security and productivity.
- Secure Platform: Windows 7 has great security enhancements which responds to feedback of customer to make system more manageable and usable.
- Securing Anywhere Access: Windows 7 provides appropriate security controls for users as they can access the information they require to be productive, they are in the office or not, they need it.
Weaknesses in our Information system
Wi-Fi access by unauthorized device
As in today world Wi-Fi access is part of organizations, it reduces setup time and it is easy in accessibility for employees. All devices using Wi-Fi cannot brought into proxy server security by storing their physical address because these devices keep on changing as employees keep on changing their mobile devices, there is a trend of using mobile devices for email and other communications.
Extensive use by employees
We have allowed internet access through proxy server. Some employees might use internet to such extant by downloading huge size files which will result in slowing internet for other employees. This issue arises mostly when some employ are free and want to surf on internet to pass their time.
Ex-employees access to network
We have secure our network to stop any breach from outside without authentications but still if any employee resign while his Mac address and IP are stored in system, he will be able to access from outside. Ex-employee access is most dangerous breach to network as they can easily be authorized by servers by using old IP and account passwords.
Facing these issues
These issue could arise in any point of time but an effective approach can make us able to minimize the risks in these issues. We should follow these steps for troubleshooting.
Wi-Fi access
First of all a password need to be implemented for Wi-Fi access from anywhere in building or outside of office. All access through Wi-Fi should always be routed through proxy server which will verify authentication by verifying user ID and password of user and in case of successful login from a mobile device system should automatically generate an email to user of that account informing that your account is been access through a remote device. The message should also contain Mac address of device so that user can verify his own device. This could also be cater through a SMS sending service that could send an SMS with verification code so the user could verify its access through mobile device.
Extensive use of internet
All IPs should be mapped by an algorithm of average speed by software placed in proxy server layer so that in case an employee is using internet its speed will not affect others employee's work. If a user need urgently some files with huge size he should only be granted access to more speed just for specific time period after taking authorization from management.
Ex-employee access
As soon as any employee resign from company, his IP address and account should be blocked from that day and a temporary IP with limited access should be given to him which will be blocked on his last day in office. These IPs which are blocked due to resignation of employee must not be given immediately to any other employee. These Blocked IPs should be maintain by IT. In case if there is a savior need to use that IP then it should be masked with any system’s Mac address so that it could not be used from more than one place.
System Protection Options
In order to protect computer systems from both inside and outside attacks, our organization must focus on management control, operation control, technical controls and information access control.
Management Controls
Our company deal with the development of financial software and takes financial data from banks and other financial organizations, in case of unauthorized access to this data our company's future could be at stake. This means strong security is necessary for Company's viability. Our company need to updated network and its server by installing most advanced windows server 2008, windows 7 is needed to be installed at all PCs in the head office. Securing Windows Server will be first priority of the company, it should be secure and protected from unauthorized access. Access control to data and servers is divided as per designation of employees. Network administrator team should have access to all layers of network so that they can fix any issue on its first step. A log for all activities by administrator should be maintained in the system. Management should maintain a comprehensive and clear security policy with the help of IT, this policy should focus on employee’s requirement.
Operational Control
Internet security policy is implemented to avoid access to any miscellaneous website. In this policy a proxy server is installed with limited access to internet but email is allowed as employees use email to communicate. Proxy server is also used for VPN security as all links to internet pass through proxy server. This helps employees to access from remote place by a security check. All physical and IP address should be define in proxy server layer in order to allow network access to only systems of company. Security of documents is implemented by the help of encryption software. Another data server is deployed at head office which is separated from all servers and contains companies financial data this data server is not linked to internet as company do not want to risk data in this server at any cost. Company have strict policy for software installation, it allows only certain software installation on PCs and servers that are certified or recommended by Microsoft. Logs should be maintained as soon as employee log in into system, these log should save user login time, system physical address and authentic IP number. Security cameras should be installed in each floor which could help in identifying person responsible of any breach, employee using password of other employee.
Technical Controls
In Panther Industries the remote-access through VPN offer employees to access their company's intranet from home or while traveling. It allow employees in offices or distributed in various locations to share one consistent virtual network. Security of network can be at stake by using VPN access, we need to use proxy server layer for VPN authentication. Firewall rules should be implemented according to security requirement to prevent any breach. DNS and DHCP protocols are need to be implemented by the administrator team to have secure access to routers and IP. DNS servers can be used in the company to solve domain name for network containing resources. Whenever DHCP server go to registers or updates DNS address and a resource records is created on behalf of DHCP clients which helps to maintain integrity of system. This information contained an additional option for DHCP that it permits client to interact through its FQDN by any instructions to DHCP server. Latest and most popular antivirus is installed on server and on all PCs, it should be updated on regular basis to avoid any losses. Internet is a source of learning but it also effect companies operations, security and efficiency.
Access to user accounts could be secured using secure email services such as mail2web.com or login.secureserver.net which help employers to access employees email data, such services are more secure in term of security of email accounts. Data backup should be done on daily basis to avoid daily work loss so in case of any disaster this backup is stored and work is not lost for more than one day. Electricity backup is also provided by using UPS technology so that in case if electricity breakdown occurs all systems will be working as normally and there will be no data or information loss. Company have also internet connection from two internet providing companies one through land line and another through wireless system so in case any bad thing happens to land line, wireless connection can be used.
Information access control
Modern information systems are networked systems. These systems are managing information and multiple users accessing data for diverse purposes within or across organization. In our organization there should be a Role Based Access Control on information access. This is generally an effective way to secure data access because it will manage and implement full range of data access control policies which are based on multiple role hierarchies which is already placed in our organizations. Our organization should primarily focuses on using frameworks and algorithms to facilitate this role based data control and contextual access.
Risk mitigation strategies
Managing information systems risks is complex process it requires investments for organizational resources. A successful organizational structures is required for carrying out step by step information risk management strategies. The objective of the risk management program is to reduce risk for data and information that is critical to the organization while achieving business goals. The basic interactions for this are with line of business, finance, and legal teams. The I.T team must codify the results in terms of policy which will drive operational, quality and performance management decisions. Information security and management is owned by the I.T security team but it also interacts with primarily leverages operations and I.T. Results generated at this point contributes to the overall awareness that helps in guiding both the business and the information risk. Steps shown in the figure are required in the process of risk management in an organization.
This process start with the implementation of a data classification policy which describes processes used to identify, classify, secure, store, and monitor access to information. A process must be implemented to detect a potential data breach and carry out an incident response plan, process to inform affected parties after a discovery of a breach. Encrypt data before any transfer.
Developing a broader view of risk to the business allows the information risk management team to avoid acting narrowly which prevent any risk from breach. We should examine each of the steps to carry out the information risk management program for our company. The continuous nature of this process is illustrated in Figure.
Step 1. Assess Risk
The first step in the process involves identification and prioritization of risks to the business.
a. Plan data gathering. Identify key success factors and preparation guidance.
b. Gather risk data. Outline the data collection process and analysis
c. Prioritize risks Use qualitative and quantitative risk analysis to drive prioritization.
Step 2. Decision Analysis
The second step covers the processes for evaluating requirements, understanding possible solutions, selecting, estimating costs, and choosing the most effective mitigation strategy.
a. Define functional requirements to mitigate risks
b. Outline possible control solutions keep in mind that these include not only technical controls but people driven processes (e.g., separation of duties) and service level agreements
c. Estimate risk reduction. Understand the probability of risks.
d. Estimate solution cost. Reflect direct and indirect costs associated with mitigation solutions.
e. Choose mitigation strategy. Complete a cost- benefit analysis to identify the most effective mitigation solution.
Step 3. Security Policy Implementation
The third step addresses security policy implementation, the acquisition and deployment of controls to carry out the policy. Ensure that policy specification are enforceable. Apply a comprehensive approach that integrates process automation, people, and technology in the mitigation solution. Focus on defense in depth by coordinating application, system, data, and network controls to meet business objectives. Communicate policies and control responsibilities throughout the organization.
Step 4. Measure Effectiveness
The fourth step consists of developing and disseminating reports as well as providing management dashboard to understand program effectiveness. Develop and continuously update a management dashboard that summarizes the organization‘s risk profile. Report on changes under consideration and summarize changes that are underway. Communicate the effectiveness of the control solutions in mitigating risk. Report on the existing environment in terms of threats, vulnerabilities and risk profile.
As noted earlier a major element contributing to the success of an information risk management program for security of information system involve functional units throughout the organization. The information risk management team needs to take responsibility for educating the employees in this process, develop thorough understanding of risk that will allow the business to take specific action when managing it. An effective method to get this process underway is to view risk across four simple categories. This provides a straightforward way to clarify tradeoffs and make decisions.
Conclusion
Our organization’s information security management need major changes which are characterized by organized information management delivery systems, define information access roles, accountability and increasing consumer responsibilities. Advancement in information technology have led us to new types of information systems which are playing major role in reforming our life. Securing these system with data integrity and backup plan is required in every organization. Currently there are multiple threats to information systems in our organization which could be reduced through minimizing weakness in our systems by information access control, Information security risk management and data backup plans.
References
Ballad, B., Ballad, T., & Banks, E. (2010). Access Control, Authentication, and Public Key Infrastructure. Jones & Bartlett Publishers.
Bott, E., Siechert, C., & Stinson, C. (2011). Windows® 7 Inside Out, Deluxe Edition. O'Reilly Media, Inc.
Bragg. (2004). Network Security: The Complete Reference. Tata McGraw-Hill Education.
Carr, H. H., Snyder, A. C., & Bailey, N. B. (n.d.). The Management of Network Security. Pearson Education India.
Dhillon, G. (2001). Information security management. Idea Group Inc (IGI).
Eric, K. D. (2011). Industrial Network Security. Elsevier.
Kovacich, G. (2003). The Information Systems Security Officers Guide. Butterworth-Heinemann.
Magnusson, B. (1998). System Configuration Management. Springer.
Menoni, S., & Margottini, C. (2011). Inside Risk: A Strategy for Sustainable Risk Mitigation. Springer.
Paquet, C. (2009). Implementing Cisco IOS Network Security. Cisco Press.