Team A 1
Running Head: IT540: TEAM A NETWORK PROJECT
IT 540: Team A Network Project
Subha Arunachalam, Josh Barrett,
Sherman Britton, and Tamara Fudge
Prof. Kenneth Flick
Kaplan University
Abstract
This document outlines the network infrastructure and security policy designed by Team A for
Pixel Inc., a small company that renders 3D images and video.
Table of Contents
Security Policy
  Introduction
  Purpose
  Organization Business Objectives
  Roles and Responsibilities
  Security Enforcement
  Security Incident Response
  Agreements with other Organizations Occurrence
  Applications Used
  Technical Security
  Identification of Sensitive Information
  Auditing Requirements
  Business Continuity Plan
  Backup and Recovery Plan
  Physical Security
  Appendix: The Network
References
Appendix: Division of Work
IT540: Team A Network Project
Security Policy
Introduction
Pixel Inc. affirms a strong belief in information security. Though we are a small
organization, our customers and business partners are international. A key element of our business
success is the flow and storage of information. Pixel has a large amount of information that flows
internally as well as externally. A major part of this information travels electronically via local area
networking and the World Wide Web. Information is stored in various ways, including physical
filings and electronic storage. There is a substantial amount of financial investment in
network/computer hardware and various software platforms. Our employees, business partners
and clients all have varied degrees of electronic access to information on Pixel’s network.
Adverse management of this information can impact the life, reputation and legal accountability
of the company, clients, business partners and its associates (Buchanan, 2010).
Purpose
This policy is intended to take a common sense approach in outlining the methods,
procedures and tasks deemed necessary in the protection of information that is handled and
managed by this organization. This policy will give instructions on what measures to proactively
take to mitigate the risk of information loss, corruption, unauthorized disclosure, misuse, malicious
attacks and other security breaches that could possibly disrupt or cripple the business (Buchanan,
2010). This would include, but is not limited to, addressing issues with:
Email Security
Network security
Proprietary equipment treatment
Anti-virus / anti-spyware solutions
Intrusion detection
File handling and classification
Password protection
Server configuration
Backups
Employee Communications
Physical security
Reporting Structure
This policy shall serve as a living or dynamic document that may change as the need
arises. It should be taken not only as a set of rules but also as a document that creates an
awareness that security is part of the job.
Organization Business Objectives
Pixel is a multimedia company whose profitability depends on the efficient delivery of
products and services to customers worldwide. Moving the product requires the use of an
effective LAN, high-speed internet and the need for confidentiality. Data consisting of
e-mails, multimedia and general files is in constant flow. Internal and external
flows of information are the lifeblood of the company. Information technology will continue to
play a major role in helping the company expand into the future. This company does not
subscribe to the “set it and forget it” attitude (PCIS Boon Box, 2009), so constant attention is
paid to how information technology can be better utilized and safeguarded to increase market
share.
Roles and Responsibilities
All employees, contractors, vendors and staff will have the obligation to protect the
information, equipment, assets, systems and infrastructure of the company. This would also
include the respect and protection of information of third-party organizations and individuals.
All employees will be responsible for reporting any suspected breaches, incidents and
security shortfalls / potential shortfalls immediately to the reporting manager, who will report them
to the security officer (see the Security Incident Response section).
All managerial and supervisory staff are responsible for promoting best practices
consistent with the standards set forth by the security officer.
The Security Officer (SO) will report directly to the CEO and will have the support of the
CEO in implementing and enforcing the Security Policy.
The Security Officer, managerial and supervisory staff will work in concert with each
other to assure that all employees are kept informed, trained, and updated on security policies, as
they are considered dynamic.
The SO will be responsible for approvals, changes and review of access rights of each
employee with the assistance of the managerial staff.
The SO has ultimate responsibility for ensuring the information is adequately protected.
That includes risk analysis, execution of the security measures, updating / upgrading, and doing
the necessary auditing. The SO is expected to achieve the security objectives through standards
and best practice.
The SO will manage the people, time, equipment, software, education, access / access
authorization, and access to external sources of information and knowledge. This may require
delegation to the managerial staff and outsourcing (Murphy, 2010).
Additionally, company-owned equipment, including but not limited to hardware such as
computers and peripherals, is for company business only, and not for personal use. The
Security Officer reports to the company CEO and will file logs, weekly reports, update notices,
and incident reports.
Security Enforcement
The SO will work with the managerial staff on enforcing the policy.
Compliance with the policy is a condition of employment.
All employees will be required to sign an acknowledgement of compliance to the policy
each year or when major impacting changes occur with the policy.
Failure to comply with the security policy may result in disciplinary action up to and
including dismissal of the violator. The responsible manager in charge and the SO will ultimately
determine the guidelines for the degree of disciplinary action that is consistent and appropriate to
the situation (Verizon Corporation, 2001).
Additionally, all employees must complete an online course regarding company security
policies and successfully complete an online test to demonstrate their understanding of said
policies.
Security Incident Response
Pixel recognizes that though we strive for one hundred percent absolute security, there
are limitations. It is rare to have a system that is completely secure without having some
unknown vulnerabilities or occurrences. For this reason all employees must make a conscious
effort to report all issues, no matter how small, pertaining to information security breaches. The
SO and managers will work together to take all reasonable actions to investigate and assure that
business continuity is maintained or restored.
Employees must report incidents of virus, hacker intrusion, data theft, system destruction
or anything that is detrimental to information security. Notify the manager in your reporting
structure. Verbal reports must be followed up with a written incident report. The SO will verify
the occurrence, take appropriate action for business continuity, assess and/or reduce the impact,
determine the nature of the incident and improve security to prevent future breaches. The
managers will consult with the SO and the legal consultant to determine how information will
be communicated, to whom, and if legal action is in order. The CEO should be notified, and
the incident report completed with the remedy (Incident Response Plan, n.d.).
Additionally, the Security Officer will file full incident reports to the office of the CEO
within 24 hours of both incidents and resolutions.
Agreements with other Organizations Occurrence
Pixel's success sometimes depends on the sharing of information with its affiliates and
business partners. In accordance with federal and state laws and regulations, joint partnerships
may be entered into with the approval of the CEO and controlling managers. Proprietary
Network Information, restricted to that which is vital to the areas under consideration, will
be shared with joint partners with respect to products and services as permitted by laws, regulations
and disclosure / nondisclosure agreements with third parties and the security policy.
The SO will be responsible for making sure the information required for any
inter-organization occurrence is classified and the proper measures are taken to partition access to
the network for these transactions (Verizon Corporation, 2001).
Applications Used
Various applications will be used in the network and are listed below along with security
measures.
Server applications. Microsoft Exchange Server 2010 (for the web) and Microsoft SQL
Server Enterprise (for the database) provide key management, Unicode data compression, and
transparent data encryption (SQL Server Enterprise, n.d.) and will allow for the handling of DNS
and DHCP, or Domain Name System and Dynamic Host Configuration Protocol, respectively
(Morimoto, Noel, Amaris, Abbate, & Weinhardt, 2010).
Additionally, servers and desktop computers must run HIDS (Host-based Intrusion
Detection Software). This will enable integrity testing, alerts, and log analysis; it may be centrally
managed and is designed to prevent attacks on the system (Intrusion Detection FAQ: What is a
Host Intrusion Detection System?, n.d.).
Operating Systems. The following operating systems for company computers have been
secured and include built-in file and print sharing: Mac OS X Lion for Apple Mac Pro desktops,
upgraded from Leopard; and Windows 7 for PCs, upgraded from Vista.
Productivity software. Microsoft Office Professional 2010 is employed, with Word,
Excel, PowerPoint, OneNote, Outlook (for email), Publisher, and Access (Compare Editions,
n.d.). Security features are already present in the Office suite, including alerts for ActiveX
controls, macros, and other add-ins that may pose threats. Documents sent via the Internet are
placed in Protected View until the user determines the suitability of the document for editing and
use (Security in Microsoft Office 2010, n.d.). Security measures for Outlook email will include
password protection and aging.
Additionally, all PCs running Windows 7 must be protected by anti-virus, anti-malware,
and anti-spyware programs.
Render Farm Software. High-performing 64-bit Autodesk Maya 3D animation
software (Autodesk Maya, n.d.) will be used to begin building the company's own render farm.
Scenes will be stored and worked on remotely to avoid data loss and broken internal links
(Carroll, 2010).
Additional software. Browsers for Internet use may include Safari, Chrome, Firefox,
and/or Internet Explorer; all are free downloads. To protect against viruses and spyware, avast!
Security for Business is to be included on all desktops and laptops prior to employee use. In
addition, avast! contains file server, email server, end-point, and other protections, anti-spam,
and a firewall (avast! Security for Business, n.d.).
Technical Security
In addition to the items listed above in Applications, the following security measures
must be followed:
Password protection is required on all company equipment and network resources.
Passwords must be a minimum of 10 characters in length, and include at least three of the
following: capital letter, lowercase letter, number, and special character.
Passwords for all servers and desktop computers must be changed every 90 days. Due to
the rather small size of the company, this will be implemented with a Decentralized
Policy and Centralized Enforcement for easiest handling (Password Aging, n.d.).
Email will be secured by S/MIME, digital signatures for verification of senders, and
encryption so that attachments cannot be read by intruders (Weiss, 2010).
The email server will be set to reject messages that are not properly addressed by using a
550 code (Klensin, 2001).
FTP will be client-initiated, which facilitates connection handling at the firewall.
Encryption of the data connection will prevent one client from viewing files of another
client (Gromek, 2002).
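The password rules above (minimum length of 10, at least three of the four character classes, change every 90 days) can be checked mechanically. The following is an added example, not part of the original paper; the function names, account names, dates and the treatment of whitespace and uncased letters are assumptions made for illustration.

```python
"""Check the policy's password rules: length >= 10, at least three of four
character classes, and a password change at least every 90 days."""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 10                    # policy: minimum of 10 characters
MIN_CLASSES = 3                    # policy: at least three of the four classes
MAX_AGE = timedelta(days=90)       # policy: changed every 90 days


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("capital")
        elif ch.islower():
            found.add("lowercase")
        elif ch.isdigit():
            found.add("number")
        elif not ch.isspace():
            # Assumption: anything that is not a letter, digit or whitespace
            # (including uncased letters) counts as a special character.
            found.add("special")
    return found


def complexity_violations(password):
    """List the ways a candidate password fails the composition rule.

    Intended to run when a password is set; stored passwords should be
    hashes, which cannot be inspected this way.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"only {len(classes)} of 4 character classes used: {sorted(classes)}"
        )
    return problems


@dataclass
class Account:
    name: str
    last_changed: date


def expired_accounts(accounts, today):
    """Return (name, days overdue) for passwords older than 90 days, worst first."""
    overdue = []
    for acct in accounts:
        age = today - acct.last_changed
        if age > MAX_AGE:          # exactly 90 days old is still compliant
            overdue.append((acct.name, (age - MAX_AGE).days))
    return sorted(overdue, key=lambda item: item[1], reverse=True)


# Constructed sample data (not from the paper).
SAMPLE_ACCOUNTS = [
    Account("render01-admin", date(2011, 8, 1)),
    Account("jdoe", date(2011, 11, 20)),
    Account("mail-svc", date(2011, 9, 16)),   # exactly 90 days before the audit
]
AUDIT_DATE = date(2011, 12, 15)

if __name__ == "__main__":
    # "Summer2011" satisfies the composition rule despite being a guessable
    # season-plus-year pattern; the rule constrains form, not predictability.
    for candidate in ("Summer2011", "renderfarm", "Px!9", "maya-Render-42"):
        print(candidate, complexity_violations(candidate) or "OK")
    for name, days in expired_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{name}: password change overdue by {days} days")
```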
Identification of Sensitive Information
The Information Sensitivity Policy is intended to help employees determine what
information can be disclosed to non-employees, as well as the relative sensitivity of information
that should not be disclosed outside of the Organization without proper authorization.
The Sensitivity Guidelines below provide details on how to protect information at
varying sensitivity levels. Use these guidelines as a reference only, as Organization’s
confidential information in each column may necessitate more or less stringent measures of
protection depending upon the circumstances and the nature of the confidential information in
question.
Minimal Sensitivity: General corporate information; some personnel and technical
information and access are for employees, contractors, people with a business need to
know.
More Sensitive: Business, financial, technical, and most personnel information and
access to employees and non-employees with signed non-disclosure agreements who
have a business need to know.
Most Sensitive: Trade secrets & marketing, operational, personnel, financial, source
code, & technical information integral to the success of our company, and access only for
those of the organization’s employees and non-employees designated with approved
access and signed non-disclosure agreements (Audit Security Policy Templates, n.d.).
Auditing Requirements
This policy covers all computer and communication devices owned or operated by the
Organization. This policy also covers any computer and communications devices that are present
on the premises, but which may not be owned or operated by the organization.
When requested, and for the purpose of performing an audit, the needed consent to access
will be provided to members of the Audit team. The organization hereby provides its consent to
allow the Audit team to access its networks and/or firewalls to the extent necessary to allow it to
perform the scans authorized in this agreement. The Organization shall provide protocols,
addressing information, and network connections sufficient for the Audit team to utilize the software
to perform network scanning.
This access may include:
User level and/or system level access to any computing or communications device
Access to information (electronic, hardcopy, etc.) that may be produced, transmitted
or stored on organization’s equipment or premises
Access to work areas like labs, offices, cubicles, storage areas.
Access to interactively monitor and log traffic on organization’s networks (Audit
Security Policy Templates, n.d.).
Business Continuity Plan
A Business Continuity Plan refers to the activities required to keep your organization
running during a period of displacement or interruption of normal operation. A business continuity
plan is a collection of procedures and information which is developed, compiled and maintained
in readiness for use in the event of an emergency or disaster.
A business continuity plan is required as a disaster might occur at any time, and so the
organization needs to be prepared. This plan should cover the occurrence of the following
events:
Equipment failure
Disruption of power supply or telecommunication
Application failure or corruption of database
Human error, sabotage or strike (Introduction to Business Continuity Planning, 2002).
Backup and Recovery Plan
This policy is designed to protect data in the organization to be sure it is not lost and can
be recovered in the event of an equipment failure, intentional destruction of data, or disaster.
This policy applies to all equipment and data owned and operated by the organization.
Organizations must establish procedures and policies for backup and recovery of data.
Backups should be routinely monitored to ensure that recovery procedures are functional.
Detailed documentation of equipment and software necessary to restore the organization’s resources
should be created. The equipment necessary to restore systems and data should be documented,
improving the time and quality of purchasing decisions in the event of recovery needs. Backup
media and documentation should be stored both on and off-site at an organization’s approved
location. Given below are the definitions:
1. Backup - The saving of files onto magnetic tape or other offline mass storage media for
the purpose of preventing loss of data in the event of equipment failure or destruction.
2. Archive - The saving of old or unused files onto magnetic tape or other offline mass
storage media for the purpose of releasing on-line storage room.
3. Restore - The process of bringing offline storage data back from the offline media and
putting it on an online storage system such as a file server (Backup Policy, n.d.).
Additionally: To prevent catastrophic loss, offsite backup is required at a location with
access available to the Security Officer and two other designated full-time employees at any time
of day, seven days of the week, all year.
Additionally: Complete documentation of all server configurations must be maintained
by the Security Officer and made available in the event of a catastrophe to facilitate rebuilding
the system.
Physical Security
Physical security controls limit physical access to computer resources and protect them
from intentional or unintentional loss or impairment. Physical security controls are divided into
a) preventive controls, which attempt to avoid the happening of unwanted events, and b) detective
controls, which attempt to identify unwanted events after they have occurred. Preventive physical
security controls generally include:
Manual door or cipher key locks.
Magnetic door locks that require the use of electronic keycards
Biometric authentication
Security guards
Photo IDs
Entry logs
Logs and authorization for removal and return of tapes and other storage
media to the library
Perimeter fences around sensitive buildings
Computer terminal locks (Nilsen, 2002).
Appendix: The Network
We have designed a state-of-the-art network for Pixel Designs. Cisco switches
provide superior connectivity and manageability services. Cisco blade servers provide ultimate
performance. Fiber is supported across the entire network, which will offer high-speed connectivity
and performance. Soho offers the best firewalls; two are installed for redundancy purposes.
The core switches will be two Cisco Nexus 5548 switches. The Cisco Nexus 5548 switch
offers Fibre Channel over Ethernet to reduce network complexity in the data center.
Connectivity options available are Gigabit, 10 Gigabit and FCoE (Cisco Nexus 5548P Switch,
n.d.). These switches will provide the flexibility needed by the company now and allow future
growth. Cisco Catalyst 2960 switches will provide connectivity to the client computers; each
switch has 48 ports for a total of 192 ports between the two closets. These switches support full
Power over Ethernet and a wide range of management services (Cisco Catalyst 2960 Series
Switches, n.d.).
Messaging is handled by the Atos Messaging as a Service appliance. The DS-3210 offers
top of the line messaging. This appliance will improve productivity and availability while
reducing IT costs (Atos Messaging as a Service, 2011).
The following figure shows the network.
Figure 1. The Network.
References
Atos Messaging as a Service. (2011). Retrieved December 15, 2011, from NetApp:
http://media.netapp.com/documents/DS-3210_0811_Atos_Messaging_as_a_Service.pdf
Audit Security Policy Templates. (n.d.). Retrieved December 14, 2011, from SANS Institute:
http://www.sans.org/security-resources/policies/audit.php
Autodesk Maya. (n.d.). Retrieved December 15, 2011, from Autodesk:
http://usa.autodesk.com/maya/features/
avast! Security for Business. (n.d.). Retrieved December 15, 2011, from avast!:
http://www.avast.com/en-us/business
Backup Policy. (n.d.). Retrieved December 14, 2011, from CompTechDoc:
http://www.comptechdoc.org/independent/security/policies/backup-policy.html
Buchanan, W. (2010, April 27). Information Security Best Practices for Small Businesses Part 1.
Retrieved December 15, 2011, from YouTube: http://www.youtube.com/watch?v=L8Fg8M1vRUc
Carroll, J. K. (2010, March 19). Render Node Considerations. Retrieved December 15, 2011,
from Tom's Hardware: http://www.tomshardware.com/reviews/render-farm-node,2340-4.html
Cisco Catalyst 2960 Series Switches. (n.d.). Retrieved December 15, 2011, from Cisco:
http://www.cisco.com/en/US/products/ps6406/index.html
Cisco Nexus 5548P Switch. (n.d.). Retrieved December 15, 2011, from Cisco:
http://www.cisco.com/en/US/products/ps11215/index.html
Compare Editions. (n.d.). Retrieved December 15, 2011, from Microsoft Store:
http://www.microsoftstore.com/store/msstore/html/pbPage.Office_Compare_Editions
Gromek, M. (2002, February 12). Securing FTP Authentication. Retrieved December 15, 2011,
from SANS Institute InfoSec Reading Room:
http://www.sans.org/reading_room/whitepapers/protocols/securing-ftp-authentication_374
Incident Response Plan. (n.d.). Retrieved December 15, 2011, from CompTechDoc:
http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html
Introduction to Business Continuity Planning. (2002). Retrieved December 14, 2011, from
SANS Institute InfoSec Reading Room:
http://www.sans.org/reading_room/whitepapers/recovery/introduction-business-continuity-planning_559
Intrusion Detection FAQ: What is a Host Intrusion Detection System? (n.d.). Retrieved
December 15, 2011, from SANS Institute Security:
http://www.sans.org/security-resources/idfaq/what_is_hips.php
Klensin, J. e. (2001, April). Simple Mail Transfer Protocol. Retrieved December 15, 2011, from
IETF Network Working Group RFC 2821: http://www.ietf.org/rfc/rfc2821.txt
Morimoto, R., Noel, M., Amaris, C., Abbate, A., & Weinhardt, M. (2010). Microsoft Exchange
Server 2010 Unleashed. Pearson Education.
Murphy, M. (2010). Information Security Policy Statement. Retrieved December 10, 2011, from
University of Oxford: Childhood Cancer Research Group:
http://www.ccrg.ox.ac.uk/datasets/policystatement.htm
Nilsen, O. (2002, March 17). Protection of Information Assets. Retrieved December 17, 2011,
from SANS InfoSec Reading Room:
http://www.sans.org/reading_room/whitepapers/basics/protection-information-assets_594
Password Aging. (n.d.). Retrieved December 15, 2011, from Columbia University: UnixDev:
http://www.columbia.edu/acis/sy/unixdev/policy/password-aging.html
PCIS Boon Box. (2009, July 25). PCI DSS and Data Security Compliance p1. Retrieved
December 15, 2011, from YouTube: http://www.youtube.com/watch?v=qOwwJD17IH0
Security in Microsoft Office 2010. (n.d.). Retrieved December 15, 2011, from Microsoft Safety
& Security Center: http://www.microsoft.com/security/pc-security/office2010.aspx
SQL Server Enterprise. (n.d.). Retrieved December 15, 2011, from Microsoft Store:
http://www.microsoftstore.com/store/msstore/en_US/pd/productID.221628500/categoryID.57613600/list.true
Verizon Corporation. (2001). Connecting Through Integrity. East Rutherford, New Jersey.
Weiss, A. (2010, October 27). Simple Steps to Securing Email with S/MIME. Retrieved
December 15, 2011, from eSecurity Planet:
http://www.esecurityplanet.com/views/article.php/3910181/Simple-Steps-to-Securing-Email-with-SMIME.htm
Appendix: Division of Work
The following describes the fair division of work as we initially agreed upon, and as
evidenced in this paper:
Subha Arunachalam
  Identification of Sensitive Information
  Auditing Requirements
  Business Continuity Plan
  Backup and Recovery Plan
  Physical Security
Josh Barrett
  Network Description
  Network Diagram, created with Microsoft Visio
Sherman Britton
  Introduction
  Purpose
  Organization Business Objectives
  Roles and Responsibilities
  Security Enforcement
  Security Incident Response
  Agreements with Other Organizations
Tamara Fudge
  Applications Used
  Technical Security
  Incorporation of "Wee" items into sections written by others (noted by "Additionally")
  Compilation of all team members' work, APA compliance with in-text citations,
  reference entries, and general document formatting