Progress Document, Research Paper Example
Overview
The overview will highlight contents of this progress document. It will highlight the description of all the tasks included in this document. The summary will highlight the progress against the project plan that was delivered before this coursework. The revised risk analysis will be extended from the Unit 1 individual project. The project plan will also be revised according to the current progress of the project. Moreover, the technical documentation and a simple user guide will also be incorporated in this coursework. Furthermore, if necessary, the coursework will also be equipped with a basic maintenance guide.
Project Plan
| Milestone | Description | Date |
| Overview
|
Includes details of the project contents | |
| Revised Risk Analysis | Extended risk analysis including Risk treatment tables, security policy creation etc. | |
| Risk Treatment | Evaluating all risk of how to protect them from disrupting the network | |
| Creating Security Policy | In order to implement rules, creation of a security policy document | |
| Technical and non-Technical Information | Concerns related to technical and non technical information related to the network | |
| Identification of Components | The contributing of devices that may involve in network services | |
| Data Classification | Prioritizing critical information assets of an organization | |
| Evaluating Threats and Vulnerabilities | Illustrating different between these two terminologies |
Revised Risk Analysis
Before conducting risk assessment, core factors are considered. The identification of information assets is vital before conducting risk assessment. Information assets are defined as the entities that hold organization data. A good definition states it as, “information assets are specific to your business functions and business strategies, they may be contained within broad categories such as contractual and legislative compliance, those needing virus prevention, those critical to business recovery following security compromises, etc” (SANS: Glossary of security terms – I ). The information assets for an organization will be technology assets, data asset, service asset and people asset.
Risk analysis is done in order to analyze the threats, effects and vulnerabilities contributing to a system. To attain a certain level of requirement of ISO 27001, that is “a specification for an ISMS, an Information Security Management System” (ISO 27000 – an introduction to ISO 27001 / ISO27001), the following table Figure 1.1 explains the defined and observed methods of risk assessment.
| Asset Name | Risk Type (CIA Profile) | Likely-hood | Impact | Source | Description |
| Business Records | C:High
I:High A:Low |
High | High | Internal/
External |
Sales server gets hacked |
| Hard Disk Failure | C:Medium
I:Low A:Low |
High | High | External/
Internal |
On swapping hard disk from backup, the hard disk fails to run again. |
| Financial
Records |
C:High
I:High A:Low |
Low | High | Internal | Incorrect input data entry |
| Sales Records | C:High
I:High A:Low |
High | High | External/
Internal |
Sales server gets hacked |
| Email Records | C:High
I:High A:Medium |
High | High | External | Mail server gets hacked |
| Web Records | C:High
I:High A:Low |
High | High | External | Web server gets hacked |
| Database
Records |
C:High
I:High A:Low |
High | High | External | Database server gets hacked or corrupted |
| Database Records | C:High
I:High |
Low | High | Internal | Disable the Database server accidental |
| Web service | C:High
I:Low |
Medium | High | Internal | Use of proxy servers |
Figure 1.1– Risk Assessment
There would be certain team of people who would monitor to identify all the mentioned risks in Fig 1.1, also look for any security breaches or any other non-bakery member trying to perform any changes.
Risk Treatment
Total three risks have to be prevented. The table in Fig 1.2 shows risk treatment of threats and vulnerabilities related to a wireless and wired network.
| Asset Name | Location | Risk Summary | Control | Residual Risk |
| Business Records | Sales server | Sales server gets hacked | All data must be encrypted | Low |
| Hard Disk Failure | Any system/ server | Hard Disk stops working | Raid Configuration | Low |
| Financial
Records |
Sales server | Employee performs incorrect entry | Allow review changes | Low |
| Sales Records | Sales server | Sales server gets hacked | All data must be encrypted | Low |
| Email Records | Email server | Email server gets hacked | All data must be encrypted, all emails must be scanned through anti-virus and then allowed for download or disable attachments | Low |
| Web Records | Web server | Web server gets hacked | Use of a backup server located at remote place other than headquarters to kick in incase of any damage to the primary server | Low |
| Database
Records |
Sales server | Database gets hacked or corrupted | Back up the server at regular intervals as well as have a remote backup server | Low |
| Database Records | Sales server | Disable the database server accidental | Ask for permission to disable the server or to reconfirm the disable command | Low |
| Web service | Any system | Use of proxy server | Disable the use of different ports which would eventually block access to the internet other than the required domains or block proxy IP addresses | Low |
Figure 1.2 -Risk treatment
Analyzing Technical and Non Technical Information
An efficient risk assessment is based on current and detailed information of the radar satellite communication systems for the organization. Adequate information should be referenced in risk assessment to document methodical indulgent of these environments. Together technical and non-technical information gathering is required. The information may consists of technical statistics, strategic information related to battle plans along with network physical layouts detailing internal and external connectivity. Moreover, hardware and software, database containing mission critical data, processing arrangements and interfaces integrating with outbound objects, hardware and software configurations, access policies, standards and procedures for the operation, upgrades, maintenance and monitoring of the technical radar systems are also included.
Identification of Components
Risk assessment consists of identification of information systems that need to be protected including electronic systems, physical components that are utilized for transmission, usability, protection and organize information. The information provided by the information systems can be logical or digitized. The analysis of the global organization’s network includes a system classification and analysis of data on networks to monitor the security measures where appropriate. The inbound and outbound connectivity between different global networks, are essential to be identified for strict security compliance. The computing devices including portable computers, critical databases, tape drives, personal digital assistance, flash drives, media that is used in software development and testing should be identified.
For identifying components, it is important to understand how the network performs its day-to-day operations. For example, risk assessment needs to address employee activities of accessing data, transmission of information in response to request, how data is stored, transferred and deleted. The authorization and authentication is required for those employees, who receive both physical and logical form of data and how they represent the information for any purpose. The outsourcing strategy of the computer network also requires strict compliance and policies for identifying relevant data transmission to and from the computer networks. The architectural diagram and the related documentation should identity relationships with the service provider relationships
Data Classification
Data classification program needs to be established to identify and prioritize data, systems and applications in terms of highly significant. The classification program will also ensure consistent protection of information and mission critical data throughout the network. By prioritizing data, systems and applications, the risk analyst of the network will focus on the networks control and performance in an efficient manner. There is a requirement of classifying all the shared data along with their priorities. Classification should be based on a biased combination of all relevant attributes.
Evaluating Threats and Vulnerabilities
Organizations should evaluate potential threats and vulnerabilities for making the network protected. The evaluation is conducted to identify the severity of each information system, which deserves priority due to the value of data, which needs to be protected. Both threats and vulnerabilities need to be considered concurrently. A simple definition of threats is available on www.PcMag.com, which states as “The danger of an attack on a computer system.” Threats can provide damage to the confidentiality, availability and integrity of information present in the information systems. Whereas, vulnerabilities are defined as “A security exposure in an operating system or other system software or application software component.” (Vulnerabilities definition from PC magazine encyclopedia). Vulnerabilities can be distinguished as security loopholes in the system. If hackers find these loop holes in the system, result are devastating including unauthorized access, amendment or complete deletion of the system. A recent example is the hacking of wiki leaks website which impacted the whole world along with affecting strategic and economic relations between countries as various confidential documents were leaked out from the website. On “www.bbc.co.uk” news article illustrates as “Whistle-blowing website Wikileaks says it has come under attack from a computer-hacking operation, ahead of a release of secret US documents.” Vulnerabilities are successful due to policy weaknesses, inadequate implementation of security infrastructure, and information of personal issues. Testing of the security infrastructure including network components, hardware and software is essential for identifying any possible threats which may occur in the future.
Creating a Security Policy
It is defined as a set of rules, demonstrating who is authorized to access what on the network (What is security policy? definition and meaning). The security policy would enable an organization to follow a certain set of control policy that will give a type of broad idea of how the organization should function on a daily basis. Also after implementing of the rules, they need to be checked at a periodical basis in order to keep up with the latest threats and vulnerabilities. The following are the guidelines to control the security policy of the organization:
- All data must be regarded as confidential and should be controlled using access rights.
- Any unauthorized software to be found using would be remove with due effect.
- Internet access should be restricted to selected authorized personals only.
- Use of certain ports and proxy must be restricted to certain authorized people only, which would help in identifying the individual if any damage or illegal activity is monitored.
- Passwords of a person’s profile must contain at least 8 to 15 characters with minimum of one capital character, one special character and one number.
- Passwords must be changed within duration of 3 months without repeating the previous ones.
- All the workstations must have an anti-virus and firewall system installed to protect from any software or network attack
- The workstation will have write protection enabled and would not allow any executables to run except for the required software.
- There must be a black list created for any IP addresses from external source to be logged and blocked if found trying to scan, penetrate or exploit the network.
- System administrator must perform all the installation and maintenance of the workstation only.
- If any problem is faced in the network, workstation or servers, a note must be taken and the risk treatment plan appropriate for that problem must be started.
- All kinds of removable media must be disabled to increase the security and to prevent any unwanted software (viruses, spyware) to be installed on the local system jeopardizing the entire network’s security.
- The open wireless bridge must be closely monitored in order to stop any malicious activity and prevent any risk to the organization’s network security.
- Each staff needs to be acquainted with the Security Policy and should keep in mind if any inappropriate activity is triggered, would lead to severe penalties.
References
Threat definition from PC magazine encyclopedia Retrieved 12/13/2010, 2010, from http://www.pcmag.com/encyclopedia_term/0,2542,t=threat&i=52859,00.asp
Vulnerability definition from PC magazine encyclopedia Retrieved 12/13/2010, 2010, from http://www.pcmag.com/encyclopedia_term/0,2542,t=vulnerability&i=54160,00.asp
BBC news – wikileaks ‘hacked ahead of secret US document release’ Retrieved 12/13/2010, 2010, from http://www.bbc.co.uk/news/world-us-canada-11858637
ISO 27000 – an introduction to ISO 27001 / ISO27001 Retrieved 6/23/2011, 2011, from http://www.27000.org/iso-27001.htm
SANS: Glossary of security terms – I Retrieved 6/23/2011, 2011, from http://www.sans.org/security-resources/glossary-of-terms/i
What is security policy? definition and meaning Retrieved 6/23/2011, 2011, from http://www.businessdictionary.com/definition/security-policy.html
Messenger
Live chat
Time is precious
don’t waste it!
Plagiarism-free
guarantee
Privacy
guarantee
Secure
checkout
Money back
guarantee
