Security Management Plan, Research Paper Example

Project Outline

The organization chosen for this comprehensive security management plan is Em’s Bakery Ltd., which is a franchise of bakeries that operates several stores throughout areas across the nation. The franchise is dependent on an IT system which is used to store data in real-time for the purposes of evaluation and reporting. This data is synchronized daily and backed up to a server file which holds all of the financial data related to products sold, daily sales, current inventory, and other such matters in each of the stores. The main source of communication, internal or external, is handled via emails which are backed up to the main email server located at the head office as well. This security management plan is needed in order to ensure the privacy of information pertaining to financials, sales promotions, and other such business related services due to the fact information can be accessed by almost anyone.

Security Requirements

The security requirements section will be composed of a corporate organizational chart and a comprehensive detailed security plan that will benefit employees and managers.

Corporate Organization Chart

The diagram below is a depiction of the organizational structure of Em’s Bakery Ltd.

Security Business Requirements

The next section will describe CMMI (Capability Maturity Model Integration) as well as identify and describe the process areas (PA) for my chosen organization. The PA will include the goals and practices, both generic and specific.

CMMI

The CMMI, or Capability Maturity Model Integration, is a technology-defined business process that is an integral part of present day organizations and provides quite beneficial. The system implicates the effective use of various procedures that will improve company performance through the aid of modern technology. Along with the development of these procedures, CMMI tries to create a basic guideline that will define the strengths and weaknesses of the organization as a whole. The CMMI approach is based on the everyday operations it undergoes and the management of personnel involved in each of those operations. It also takes into consideration the progress indicators which are based on the adjustments and changes that help establish good foundations for the business (CMMI, 2012).

In the case of Em’s Bakery LTD, it could be realized that synchronizing data between outlets of the business, which are scattered in various areas, is necessary. Relatively, the capacity of the central management to oversee the situations in each outlet  with  a real-time basis of report ought to create a more dependable and reliable system that would make it easier for the administrators to monitor progress and watch out for possible uncanny conditions that need immediate addressing. This, however, can only be accomplished through the reflective adjustment of the organizational set up and the responsive cooperation from the people involved in the process. Along with this, it is expected that an improved IT system could create an easier path for all the individuals involved to follow.

PA of the CMMI

Given that the condition of the organization being attended to includes several issues of security breach and organizational arrangement dilemma, the process area of CMMI that was chosen for implementation in accordance with Em’s Bakery Ltd’s case is that of the Project Monitoring and Control. Notably, such an approach is expected to create a definite condition on how the current IT system application and operation of the organization could be redesigned and refurnished to meet with the current requirements of the organization itself.

The current status of Em’s Bakery Ltd is currently dependent on an IT system that is able to record and store data that is encoded in different workstations sent and stored within the main servers of each outlet which are later on passed on to the main office for real-time evaluation and reporting. Notably, the system is expected to operate in line with the desire to keep real-time data that would help the administrators see the progress of the business as well as monitor the condition of each outlet as they contribute to the increase of sales of the organization as whole. Relatively, these digits or data are expected to provide better understanding on the part of the administrators as they create future-directed decisions that are designed to improve the operational system of the business based on each outlet’s performance.

One problem about this particular matter is that the current IT system operating in the organization is not completely secured, nor is it specifically mandated to be used solely by authorized personnel in the business. As a matter of fact, the hierarchy of operators in the data storage system has not been clearly defined, making it harder to pin point who has the actual authority to access specific areas of the data storage. This fact jeopardizes the expected performance that the IT operation is supposed to handle for the sake of the development of the organization.

Since the data stored in the system is more related to sales reports, returns and revenues, it is very crucial that everything is secured especially when it comes to the confidentiality of the record kept in storage. Another matter of concern is the fact that since the data is shared through the internet, there is a possibility that malicious hackers from outside the hierarchy of organizational command would be able to access the data stored due to Wi-Fi connections that the outlets offer to customers. This danger presents a specific identification of the weakness of the current IT system and even furthers the need for implementing effective security-directed operations that would improve the current IT systems used by the organization.

The process area concentrated on Project Monitoring and Control or PMC helps a lot in this matter. Notably, PMC intends to make a distinctive approach in creating a specific pattern for the organization to follow especially when it comes to hierarchical monitoring in relation to who is supposed to be authorized to access specific data in the system. This approach to improving business operations in relation to the utilization of the IT data control storage hopes to make a distinction on who and how the system is supposed to be used based on the daily activities that the organization is engaging with.

Objectives of the PMC

In relation to this, the objectives of the PMC [PA] application for the business operation of Ems Bakery Ltd could be noted as follows:

• To improve hierarchical arrangement of the personnel working in the organization as a whole and the individuals working within the outlets of the business
• To make a distinctive policy on who is authorized to access particular data from the IT system records
• To establish a firewall that would secure data from foreign intruders
• To make it easier for real-time and accurate data-sharing to occur between outlets and the main office of the business for administrational purposes

These objectives should define the backbone of the operation as it strives to make a distinctive change in the manner by which each outlet is managed and directed towards generating higher sales reports. Along with this, it also hopes to create a reliable source of information that the entire organization could use in order to establish relative improvements for the future.

Security Policy

Introduction

Although there has been an increase in network and data center security with the most up-to-date and technologically advanced security modules, there is still the potential for breaches in network security.  Criminals and other people with malicious cyber intent are currently exploring and creating new ways to bypass security software in order to gain access to classified material such as banking information, personal data, competitor’s intellectual property or other information that may provide them with advantages.  This information is gained by taking advantage of potential weaknesses in the security system via physical or opportunistic methods.  These breaches could result in the loss of critical information or loss of a competitive business advantage, both of which could negatively impact the company as a whole.

Purpose

Accordingly, information or data is vital for organizations. They need to protect their data from competitors, hackers, cyber criminals and other unknown problems (Calder, 2008). The following are highlights of an ISO 27001 compliant information security management system (ISMS) for a chain of EM’s bakeries, in order to implement a standard to ensure confidentiality, availability, and integrity of data.

The scope for ISMS is defined in ISO 27001 as “An information security management system (ISMS) includes all of the structures, procedures, resources, practices, roles, plans, responsibilities, processes, and policies that will be used to preserve and safe guard preserve Data. It includes the entire element that company’s use to supervise and direct their risk of information security hazard (Calder, 2008). An ISMS is part of a larger management system and can be implemented in one or more than one department. There are identified issues, related to mismanagement of network, data, assets, and database security. The data is synchronized on a daily basis from each outlet of Em’s bakery to the file server. The Sales server is the most crucial as far as both clients and organization is concerned, as it contains all the financial data related to daily sales, products sold, etc. The outlets are connected to the head office via virtual private network. Coordination of each employee, whether the internal staff or the sales outlet staff, is conducted by emails relayed from the email server located at the head office (Calder, 2009).

The ISMS is applicable in the head office servers for ensuring data security. The reason for implementing ISMS on the servers is that both the organization and clients are accessing information from these servers. If any threat or security breach is triggered on these servers, both clients and the customers will suffer. The current scope does not protect the overall network. Moreover, the servers are vulnerable due to not having protection between the workstations and the wireless connectivity. In order to protect these servers from threats and vulnerabilities, deployment of a firewall is required.

General Business Requirements

• If the sales server stops responding or suffers from a hardware or software failure, the sales outlets of Em’s bakery will not be able to send sales data to the servers. The sales process will be halted, as the system will not process any data from these outlets. On the other hand, the customer connected to Wi-Fi will not be able to access services related to Em’s bakery sales. As there is no backup available for the sales server, it is very critical.
• It is possible for any employee to gain access of the sales server in order to amend sales figures related to any particular sales outlets. This is possible because no firewall rules are defined and no access mechanisms are set for each employee. Furthermore, a hacker may intrude in the sales server and extract all the sales figures of Em’s bakery. The hacker can then sell this information to the competitors, as they will be delighted to know which product is on the top of the list. This is the most critical issue as data leakage is not acceptable at any level.
• An employee can amend sales figures before sending them to the sales server, resulting in a revenue loss for the bakery. A hacker may also disrupt the transmission of data, from the sales outlets to the ‘sales server’ located at the head office. This issue is under control, as the transmission between the sales outlets and the head office are encrypted due to VPN deployment.

The security policy would enable the Em’s Bakeries Ltd. to pursue a definite set of regulated guidelines which will give a type of expansive proposal of how the company should operate on an everyday basis. After putting in place certain rules, they should be checked in a timely manner in order to stay on top of the latest vulnerabilities and threats. The following subsequent procedures are guidelines to control the security principle of the organization (Commerce, 2007):

• All data must be identified as confidential and should be managed by using access rights.
• Any unauthorized software found on the system would be deleted with due effect.
• Internet access should only be granted, to selected authorized personnel only.
• Access of certain ports and proxy must be granted to certain authorized people only, which would help in identifying the individual if any damage or illegal activity is monitored.
• Passwords of profile of each employee must contain at least 8 to 15 characters with minimum of one capital character, one special character and one number.
• Passwords will expire within duration of 3 months without repeating the previous password credentials.
• Mandatory that all workstations have an anti-virus and firewall system installed and operational.
• The workstation will have write protection enabled and would not allow any executable programs to run except for the required software.
• There must be a black list created for any IP addresses from external source to be logged and blocked if found trying to scan, penetrate or exploit the network.
• All the installation and maintenance of the workstation must be performed by system administrator only.
• If any problem is faced in the network or workstation or servers, a note must be taken and the risk treatment plan appropriate for that problem must be started.
• All kinds of removable media must be disabled to increase the security and to prevent any unwanted software (viruses, spyware) to be installed on the local system jeopardizing the entire network’s security.
• The open wireless bridge must be closely monitored in order to stop any malicious activity and prevent any risk to the organization’s network security.
• Each and every staff needs to be acquainted with the Security Policy and should keep in mind if any inappropriate activity is triggered, would lead to severe penalties.

Security Business Requirements

The basic requirements for the business’s security have been outlined in the previous section.  In order to achieve these objectives, it must first be fully understood where the company’s current security levels are in regard to maturity level.  The Capability Maturity Model Integration, or CMMI, utilizes a process improvement method to iteratively increase the maturity of specific functions or systems within an organization.  The CMMI follows a stair step approach with five individual and distinct levels of maturity as they progress.

The levels are initial, managed, defined, quantitatively managed, and optimized.  Each level has distinct goals and objectives to meet prior to reaching the next level ultimately pushing the system into the optimized position for future process improvement.  Each organization could be appraised to receive a level of CMMI and from that appraisal a maturity rating of 1-5 is awarded.  The lowest possible level is the initial phase.  In this phase, the processes are unpredictable and each section has little if any control on the process.  Another key aspect of the initial phase lies in the fact that all of the precautions and solutions generated by the company are reactive and become “fire drills” to quickly mitigate the issue at hand.  While the CMMI appraisal does not guarantee solutions to the issues, it does provide a framework for solutions to be created.  There are specific process areas that are associated with the type of CMMI that is being performed (Zimmie, 2004).  The process areas are the areas that are covered within the organization’s processes.

For Em’s Bakery to achieve the next level of CMMI, it must possess a specific level of maturity in multiple process areas.  Within those specific process areas, the process most important to the security requirements falls within the purview of project monitoring and control (PMC).  Under the project monitoring and controlling process area, the business can establish the framework for project management methodology to implement the multiple projects that it will need to complete the outlined business requirements.  The project management methodology will help ensure the successful implementation of the security requirements while also pushing the business into a more rigorous and structured business model (PMI, 2008).  The PMC area will ensure progress is monitored and schedules are adhered to throughout the project lifecycle.

Transforming a company from a CMMI level 1 to level 2 requires the structure and standard operating procedures of a best-practices framework (Chrissis, Konrad, and Shrum, 2011).  There are specific and generic goals associated with PMC.  The generic goals include building the organization framework and business processes to promote and accept the process changes while also building an institutionalized vision of what the corporation will look like and behave after the implementation.  These actions include defining certain processes, identifying the stakeholders, assigning accountable and responsible parties, and implementing evaluation techniques for the process.

The specific goals include monitoring the achieve actions versus the plan.  This boils down to project management including project risks, schedule, performance, stakeholder analysis, performance reviews, and project status.  The specific goals for implementation include building the ability to take corrective action as well as manage the action to fruition.  In regard to the security requirements implementation, the PMC’s generic and specific goals allow for the project management controls to evaluate the projects process as well as take the necessary actions to correct the course and successfully implement the project.

As previously mentioned, the first step to consider is to arrange the hierarchical arrangement of the personnel running the organization as well as each of the outlets of the business. From the Chief Operating Officer, to the store managers, to department supervisors and the staff members who are directly working on the workstations, each of these individuals should have a well-defined and outlined role in accessing the data of the IT system. Having such an outline provides each individual involved with the right capacity to know how and what they are supposed to do with the data that they are allowed to manipulate.

Some of the policies that could be implemented in line with this consideration are as follows:

1. Administrational personnel (including store managers as well as department supervisors) are to be given specific bar-coded cards that are to serve as pass to the sales revenue report that are kept in the IT system’s data storage.
2. Staff members working on the working stations or the POS [Point of Sale] machines are to be given passwords that would allow them to enter data in the system during their designated shifts. In case changes or cancellations on orders from customers should be made, the supervisors are the only ones who are allowed to void the encoded data to refresh the display and the storage from the errors.
3. When it comes to the overall report, only the ones in the administration offices are allowed to see and evaluate the data. To access such information, each of the administrators is to be provided with a unique password and username for data access privileges.

When it comes to the issue of handling foreign breach possibilities, establishing a firewall from outside networks should be pursued. This could only be done through creating an encrypted network wall for the data system hence protecting it from any possible intruders from other networks in the internet. Permission passes should be imposed in the system prompting new comers to the system to provide necessary data that would prove that they are not intruders into the system. Nevertheless, the stage-by-stage security encryption of each of the levels of information stored in the system would strengthen the privacy capacities of the system directly. References

Calder, A., 2009. Implementing information security based on ISO 27001/ISO 27002 (best practice) Van Haren Publishing.

Calder, A., 2008. ISO27001/ISO27002: A pocket guide IT Governance Publishing.

Chrissis, M, Konrad, M., and Shrum, S., 2011. CMMI: guidelines for process integration and product improvement. Addison-Wesley Professional. CMMI Overview. http://www.sei.cmu.edu/cmmi/. (Retrieved on September 10, 2012).

Commerce, O. G. C. O. G. (2007). Service design Stationery Office.

Project Management Institute, P. M. 2008. A guide to the project management body of  knowledge. (4th ed.). Newtown Square: Project Management Inst.

Zimmie, K., 2004. Secure and mature: combining CMMI SCAMPI with an ISO/IEC 21827(SSE-CMM) appraisal. Retrieved from http://www.sei.cmu.edu/library/assets/zimmie-secure.pdf