Final Project: Creation of a Security Policy
Based on your consulting work over the last 15 weeks for Joe’s Emporium, you have earned enough confidence from Joe that he wishes to enlist your aid in creating a security policy for his company. In order to accomplish this goal, he has provided you with the following information:
Network Setup
Manufacturing: 20 Windows XP computers connected to a centralized Windows 2003 server containing plans for the various proprietary furniture designs created by Joe’s Emporium.
5 Windows XP computers connected to the same centralized server as manufacturing, containing various administrative, financial, human resource, and strategic business files. The central server also provides authentication services for all the computers through use of Active Directory.
A UNIX‐based server used to house the company website, e‐commerce applications, and email. The server is currently being “protected” by a software‐based firewall installed on the web server. Additionally, all Internet access from the internal computers is channeled through this server.
A wireless router has been installed to allow executive staff to use their laptops without having to physically connect to the network. The laptops are all running Vista.
Organizational Structure
Joe’s Emporium is a relatively flat organization, with the following groups:
Executive: Comprised of Joe as the President, a COO, and VPs of Marketing, Finance, and Human Resources.
Administrative: This group is comprised of HR personnel and administrative staff for Joe and the VPs.
Operations: This group is comprised of the shift managers that oversee manufacturing. There is also an IT person who oversees maintenance of the computer systems.
Manufacturing: This group is comprised of the employees – including the previously incarcerated personnel Joe hires as part of the community reintegration program – who manufacture and ship the products created by the company.
Physical Infrastructure
Joe’s Emporium is located in one of Gotham’s secluded business parks, and is housed in a single building containing all operations. Primary access is through the front, with a door to the left leading to the administrative and executive offices, and a door to the right leading to the manufacturing floor. Both doors are normally unlocked, and the entrance door is locked at night when the administrative staff leaves for the day. There is a loading dock in the rear of the manufacturing floor, which is accessible 24/7, as Joe runs a continuous operation. Workers on the Evening and Midnight shifts access the building through the loading dock after the front door is locked. There is no video surveillance, and police protection is available through normal channels (e.g., 911).
The network infrastructure is secured as follows:
The centralized server is located in a server room located off the administrative offices, which is unlocked during the day because this is where the administrative printers and copier are located, as well as the IT person’s “workshop”. Joe, his administrative assistant, and the IT person have keys to the server room, which is supposed to be locked by the last person to leave the administrative offices for the day.
Cables are routed through the overhead to the various workstations via cable drops in the walls.
Administrative employees are encouraged to shut down their workstations when they leave for the day, but this is not strictly enforced.
The manufacturing computers run 24/7 to support manufacturing activities. The manufacturing staff is required to log out/in during shift changes, but, again, this is not strictly enforced.
Because of the various discussions you have had with Joe over the last few weeks, he is beginning to suspect that he doesn’t have the most secure operation. Therefore, he wants you to do the following:
1. Using the “Security Policy Roadmap – Process for Creating Security Policies” as a guide, he would like you to conduct a threat assessment in accordance with section 4 of the guide. For clarity, he would like to see the analysis summarized in a table, similar to that in section 4.3. This analysis should include both logical and physical threats to the IT infrastructure.
2. Using the above analysis, he would like you to propose logical and physical controls, including possible infrastructure changes, to improve the security of the IT infrastructure. So that spending is appropriate, your recommendations should be justified and relevant to the needs of Joe’s business (i.e., don’t recommend Fort Knox‐level security if you don’t think he needs it).
3. He would like you to define access privileges for each of the organization’s groups, based on the provided information. Include in your definition the need for a dedicated security resource(s) and level (coordinator, director, VP), with justification.
4. Finally, he would like you to draft a basic training plan for training the employees on basic security and the security policy.
Joe would like to see your response returned in an 8‐12 page APA report, with coversheet and table of contents. Upload your report to the Final Project drop box when you are complete.