Security Plan For Longfellows Wine Group Information Technology Essay Paper

Published: 2021-09-12 15:00:09

Category: Computer Science

Type of paper: Essay

Executive Summary
With the responsibility of holding the private data of thousands of clients, it is no wonder that the Longfellows group counts information security as one of its top priorities.
The goal of Longfellows' security plan is to implement cost-effective countermeasures that mitigate the vulnerabilities most likely to lead to loss. This paper discusses the threats which put Longfellows most at risk of loss and the controls they employ to counter those threats.
A detailed security policy is discussed, outlining individual responsibilities, security procedures and disaster recovery plans. This paper also makes recommendations as to how Longfellows could better increase the security of their systems into the future.
Executive Summary
1. Introduction
2. Organisation Description
2.1 Current Networked System
2.2 Organisational Chart
3 Security Policy
3.1 Security Goals
3.1.1 Responsibilities of the Principal Director
3.1.2 Responsibilities of the Operations Manager
3.1.3 Responsibilities of the Marketing Officer
3.1.4 Responsibilities of the Financial Controller
3.1.5 Responsibilities of the IT Manager
3.2 Responsibilities for Goals
3.3 Commitment to Security
4. Current Security Status
4.1 Accidents and Catastrophes
4.1.1 Threats and Controls
4.1.2 Data Analysis
4.1.3 Cost Effectiveness of Controls
4.2 Data Attacks
4.2.1 Threats and Controls
4.2.2 Data Analysis
4.2.3 Cost Effectiveness of Controls
5. Conclusions
6. Recommendations
6.1 Internal & External Threats
6.1.1 Threats and Controls
6.1.2 Data Analysis
6.1.3 Cost Effectiveness of Controls
7. Implementation of Recommended Controls
7.1 Timetabling
7.2 Responsibility
7.3 Schedule for Review of Security and Control Items
References
Appendix A
Appendix B
Appendix C

1. Introduction
With the ever-increasing threat from viruses, spyware, hackers and identity crime, the need for secure computing data and equipment has reached new levels in the modern age.
Every organisation and computer user knows all too well the damage malicious software can do to a computing system. With that in mind, major information technology companies have developed ways to combat these threats, and most employ more than one technique.
Longfellows is an insurance company which offers brokerage and policies to business and individual clients alike. Longfellows understands the need to protect clients' personal data using the best industry practices and equipment available.
Longfellows does not formally have a security policy for its computing system, but does have one in place for its employees. This document will help to outline that policy and identify the responsibilities of all users.
This document's main focus is to identify those threats likely to cause failure or loss to Longfellows' computing systems, to try to quantify those threats, and to establish the cost of the controls that lessen them.
2. Organisation Description
The group comprises Longfellows Insurance Brokers, Longfellows Wine Export Pty Ltd, Winefellows Pty Ltd, and Longfellows Shanghai Trading Pty Ltd. Presently they have 5 full-time employees in the Melbourne office, with two authorised representatives for the insurance brokerage: one in QLD and one in NSW. The Melbourne office comprises the principal / director, senior insurance agent, support marketing and administration manager, bookkeeper, and wine export logistics and China liaison.
There are eight staff in the Shanghai office, including the Shanghai manager, all related to sales and administration of wine exports into China from Australia.
2.1 Current Networked System
Desktops: They currently have 10 desktop machines in the Melbourne office, with two of these acting as servers and two run on a splitter for the administration manager / marketing.
Laptop computers: Two laptops in the Melbourne office for the director and senior agent; the authorised representatives have a laptop each.
Printers: Three: one colour bubble jet and two black-and-white lasers.
Servers: One server (HP ML 10) runs Microsoft Windows Small Business Server 2003 R2 and the other (HP ML 10) runs Windows 2003 R2.
Internet connection: ADSL2+ provided by TPG Internet.
2.2 Organisational Chart
George Zaal: Director
Kellie Rose: Administration / Marketing, Insurance & Wine Export
Alex Jenner: Operations Manager, Insurance
Lee Yan: Logistics and Supply Officer for wine export
Spirio Bombos: IT Manager
Johanna Garry: Accounts, Insurance and Wine Export
3 Security Policy
3.1 Security Goals
3.1.1 Responsibilities of the Principal Director
Longfellows' principal director assures the security of all computing assets processed internally or externally (Caelli, 1991). This responsibility entails the implementation of adequate safeguards, including physical, administrative and technical, to protect personal, proprietary and other sensitive data which may reside within the company's jurisdiction. Giving consideration to Longfellows' existing security practices and past problems, a technical security plan should contain at least the following:
Assign sole responsibility for all hardware and software installations to Spirio, or to those who may succeed him in his position.
Maintain screening and interview procedures for all those who operate or maintain computer systems holding sensitive company data. Screening should be performed by the appropriate level of management, with adequate skills to judge candidates for the role.
Define a control process, implemented by appropriate management, to ensure all new computer applications and changes are physically and technically safe from failure; if data is particularly sensitive then, at a minimum, a subset of policies and responsibilities should be included.
Approve all application changes prior to installation of the application, and ensure the individual responsible for the security of the application has appropriate approval.
Review and check all application testing, to see if the application meets approved security specifications. Upon completion of testing, a revision of the results should be documented. Any interested parties should sight the document, thereby acknowledging that the application performs according to the test procedure and meets the security policy.
Longfellows' principal director and IT Manager will conduct and periodically monitor the security safeguards of sensitive application data. Any amendments shall be documented and organised as part of the security documents. Monitoring of system applications will be carried out at appropriate intervals determined by management and the IT Manager.
Any procurement of new hardware, software or other computing peripherals is to be reviewed to ensure it meets appropriate security requirements and conforms to existing security policies.
Assign responsibility to the IT Manager to conduct a risk analysis of each computer installation. The risk analysis should define any possible weakness in each component and help reduce loss of sensitive data in a catastrophic event. An analysis should be performed whenever a new piece of equipment is introduced into the system, prior to approval by management, and at periodic intervals not exceeding three years.
Assign responsibilities to ensure the appropriate contingency plans are in place to deal with a data loss event or equipment failure. These plans should detail the appropriate action(s) and responsible parties in order to restore services. Plans should be reviewed when there are changes to the system or the resulting losses increase.
3.1.2 Responsibilities of the Operations Manager
The Operations Manager, Alex Jenner (current), or successors shall assist the Director and IT Manager in maintaining the integrity and security of all insurance data and client contact details.
The Operations Manager should adhere to current security policies and ensure all personal and proprietary insurance data is secure from failure.
Should ensure that adequate checks are performed before allowing individuals to enter or modify sensitive data.
Should ensure in the event of failure that data is recoverable and that losses are kept to a minimum.
3.1.3 Responsibilities of the Marketing Officer
The Marketing Manager, Kellie Rose (current), or successors shall assist the Director and IT Manager in maintaining the integrity and security of all marketing data and email contact details.
The Marketing Manager should adhere to current security policies and ensure all personal and proprietary marketing data is secure from failure.
Should ensure that adequate checks are performed before allowing individuals to enter or modify sensitive data.
Should ensure in the event of failure that data is recoverable and that losses are kept to a minimum.
3.1.4 Responsibilities of the Financial Controller
The Financial Controller, Johanna Garry (current), or successors shall assist the Director and IT Manager in maintaining the integrity and security of all financial data.
The Financial Controller should adhere to current security policies and ensure all personal and proprietary insurance data is secure from failure.
Should ensure that adequate checks are performed before allowing individuals to enter or modify sensitive data.
Should ensure in the event of failure that data is recoverable and that losses are kept to a minimum.
3.1.5 Responsibilities of the IT Manager
The IT Manager, with the approval and direction of the principal director, shall:
Issue and enforce security policies in line with the company's legal requirements, company standards and industry best practice for implementing computing security.
Ensure any purchase of new computing equipment, whether software or hardware, meets current security policies.
Monitor and provide appropriate facilities to house computing equipment, so that catastrophic events are minimised and unauthorised access to sensitive computing equipment is prevented.
Ensure all computing users are aware of system security measures and of how to respond in cases of system failure.
Conduct and review software and hardware systems before and after their introduction to the system. The review process must be documented and approved by appropriate management.
3.2 Responsibilities for Goals
Position | Incumbent | Goals
Director | George Zaal | 3.1.1, 3.1.1.1, 3.1.1.2, 3.1.2, 3.1.3, 3.1.4, 3.1.5
Operations Manager | Alex Jenner | 3.1.2
Marketing Officer | Kellie Rose | 3.1.3
Financial Controller | Johanna Garry | 3.1.4
IT Manager | Spirio Bombos | 3.1.5
3.3 Commitment to Security
As Longfellows is primarily an insurance broker, security is of the utmost importance.
All Longfellows employees are required to review and sign the company's Information Security Policy, as per their employee contracts.
The aim of these contracts is to educate employees on the sensitivity of the confidential data stored on the Longfellows systems and to ensure that all precautions are taken to safeguard information assets and limit exposure to those people without a "need to know".
Personal and insurance information held by Longfellows is protected through the use of secure passwords, firewalls and locked and restricted premises. Access to personal information is limited to those who specifically need it to carry out their business duties.
Longfellows also maintains physical security procedures to manage and protect the use and storage of paper records containing personal information. Longfellows will only keep personal information as long as required by law and will take reasonable steps to destroy or permanently de-identify personal information when it is no longer needed.
Longfellows will not disclose information about you to a company which is not a related entity unless the disclosure is required or authorised by law, or you have consented to disclosure of the information about you. If you apply for an insurance policy, they may need to disclose your information to related entities, distributors such as agents and brokers, other insurance companies, and insurance reference bureaus in order to determine your claims history.
I believe Longfellows is highly committed to ensuring computing security and personal security for all their clients. This level of security commitment helps to develop a trusting relationship with their clients and secure prospective business in the future.
4. Current Security Status
4.1 Accidents and Catastrophes
4.1.1 Threats and Controls
Power surges, fire, hardware failures and accidental deletions are low-risk events.
As the company's main office is in a major capital, power outages are uncommon; the last reported major power outage in Melbourne was in the summer of 2009 (ABC News, viewed 3 May 2009), which caused significant problems for most of the city. Surge protectors are fitted to all electrical computing sockets to protect against unexpected power surges.
Fire could do the most significant damage to the computing hardware and to any data not backed up. The server room is protected by a gas extinguishing system, which would protect the hardware if the fire started elsewhere. All desktops would need replacing, as the fire system is a standard water system.
Accidental deletions are not common events; if they were to occur, data from the backup drive could be used to restore services and data.
Hardware failures may result in non-responsive components of the system; if a component is suspected of being faulty, suitable replacements are readily available at a very low cost.
4.1.2 Data Analysis
Figures are derived from Figure 1, Appendix A.
The likelihood of exposure is a quantitative figure scaled from 0.0 to 1.0; a higher figure indicates a higher chance of exposure to a threat. A figure of 0.3 for power loss indicates this threat is not likely to occur soon but still may happen at some point.
Unrelated to the likelihood value, the level of exposure figure is a percentage which indicates the consequence should a threat eventuate. For example, should a fire destroy the system, then only approximately 25% of the system would be affected: insurance and personal data could be restored from backups, and server and desktop software re-installed from purchased software discs, all located off-premises.
The cost of replacing all computing hardware is around $12,000.
Control costing is based upon the agreed values of the controls in place to combat possible threats. Longfellows has a dedicated server room with a gas fire suppression system, which has a very high setup cost.
The annual loss expectancy figure is derived from the value of the asset and its quantitative value should it be compromised by a threat. As most of the threats are considered low, the loss is equally low.
Combined control effectiveness is a percentage figure which represents the total effectiveness of all controls against threats; for these threats it is estimated to be about 99% effective.
Savings are calculated from the annual loss expectancy combined with the control effectiveness figure, weighted against the cost of implementing the controls.
Covered loss describes the exposed cost against the possible savings.
4.1.3 Cost Effectiveness of Controls
The total risk analysis is planned over five years; if the company were not to insure against the possible threats, then they could expect to lose around $4000 per year. The high setup cost of the fire system reduces savings for the first three years, until the system pays for itself in years four and five.
Hardware failure and software deletions are well covered by data backup and the relatively cheap cost of computing systems on the market.
Security threats from internal and external users are also considered in the analysis. Logins from a remote source using a valid user ID are possible, given that access is granted to insurance field agents; likely intruders could use key loggers or packet sniffers to detect an open session with the Longfellows server and gain entry using valid login credentials.
An internal user may inadvertently gain access to areas of sensitive data through the internal network which they may not have rights to view. This kind of intrusion may go unnoticed, but if the employee were ever to move on, then sensitive information may be used or divulged to an untrusted outside source.
4.2 Data Attacks
4.2.1 Threats and Controls
As Longfellows employs two servers, eight desktops and two remote-login computers for field employees, it has high exposure to data attacks. Internet access is allowed with no restrictions, so the threat from viruses entering from either internal or external sources is high. Types of data attacks may include worms, Trojan horses, and spam or email loggers.
As with any company or individual using the internet, the threat of viruses and other malicious software is considered high. Controls against this kind of attack are generally provided by using the latest anti-virus software; currently Longfellows uses Symantec Antivirus Corporate Edition with a 12-month renewable licence.
Two other controls are considered. The first is the native O/S: Longfellows uses Microsoft Small Business Server, which includes security logs as part of the O/S. Logs can capture any unusual events which may occur while the system is running.
The other control is the external hard drive used for regular backups of the server data; the drive is kept off premises and is used weekly.
4.2.2 Data Analysis
The likelihood of exposure is a quantitative figure scaled from 0.0 to 1.0; a higher figure indicates a higher chance of exposure to a threat. A figure of 0.9 indicates this threat is likely to occur at some point.
Unrelated to the likelihood value, the level of exposure figure is a percentage which indicates the consequence should a threat eventuate. A high percentage figure would indicate, for example, that should a virus enter the system then 85% of the system could be affected.
Control costing is based upon the agreed values of the software or hardware controls in place to combat possible threats: Longfellows uses antivirus software which is renewable every 12 months, a portable hard drive for system backup, and the choice of O/S for the system (i.e. Windows), which is used for logging reports and audits of the system.
The annual loss expectancy figure is derived from the value of the asset and its quantitative value should it be compromised by a threat. A virus, for example, could cost the company $100,000 in corrupted data. Each year the value of a loss increases by 100%.
Combined control effectiveness is a percentage figure which represents the total effectiveness of all controls against threats; for data attacks it is estimated to be about 80% effective.
Savings are calculated from the annual loss expectancy combined with the control effectiveness figure, weighted against the cost of implementing the controls.
Covered loss describes the exposed cost against the possible savings.
4.2.3 Cost Effectiveness of Controls
The total risk analysis is planned over five years. If the company were not to insure against the possible threats, then they could expect to lose in excess of $1,000,000 in lost data, but by spending $5000 over five years could expect to control any of the threats occurring at all.
5. Conclusions
Longfellows implements some very good standard practices for securing computing data: the use of an industry-trusted server which comes bundled with security features built in, for example user accounts, password creation and user privileges on the network.
A current anti-virus package is used in conjunction with the O/S to protect against data attacks; with updates, this should keep the system free from viruses introduced via the internet or by work users.
As an insurance broker they obviously keep sensitive personal and financial data about clients, so to protect this asset they use an external hard drive kept off premises and used regularly to keep the system current in the event of system failure or accidental deletions.
The main expense is the fire system in the server room; its initial outlay was high and the company should really only be seeing a return on this in the future. On the whole, most controls have been relatively cheap to implement and provide great security benefits. Overall the organisation is not in need of a major system upgrade, but could tighten overall security by implementing some of the following recommendations.
6. Recommendations
As Longfellows' system is relatively secure, only one recommendation is presented. This is to tighten security with regard to external and internal intruders. As two users have remote login to the system, it may be possible for "hackers" to find ways to externally hijack the system. Detailed below is an analysis for controlling such threats.
6.1 Internal & External Threats
6.1.1 Threats and Controls
Whether by accident or with malicious intent, the disclosure of secure information by internal employees is a real threat. Longfellows employees are signed to contracts stating confidentiality about company clients, but it is still possible for an internal user to gain access to unauthorised areas of a system by bypassing security features.
The threat of external intruders is of higher importance: sophisticated computer users can use a range of tools to gain access to secure systems. Packet sniffing, key loggers and open sessions are ways external users gain access and then leave a back door for later entry, all the time seeking to escalate privileges within the system.
It is recommended that Longfellows use a two-fold approach to control these types of threats:
1. An ISA enterprise firewall, a Microsoft product specifically designed to run with Windows Small Business Server; a basic package provides secure coverage for a small to medium size network.
2. Another hardware device, a NIDS (network intrusion detection system) switch.
All traffic will pass through the inline NIDS. Unlike a regular bridging device, though, the inline NIDS will inspect each packet for any vulnerabilities it is configured to look for. If a packet contains a piece of information that trips a signature, the packet can be forwarded or dropped, and either logged or unlogged.
This type of system is useful if you don't want the attacker to know that their attacks are unsuccessful, or if you want the attacker to continue to attack one of your systems in an attempt to gather more evidence. A NIDS can also be configured to examine packets within the internal network.
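The inline NIDS behaviour described above (every packet inspected against a signature list, then forwarded or dropped, and logged or not) can be shown in a few lines. The following Python script is an added example and is not part of the essay or of any vendor's NIDS product; the Signature and Packet classes, the signature list and the sample traffic are all constructed for illustration. The second signature forwards but logs, which is the "let the attacker carry on while you gather evidence" mode the essay mentions.

```python
"""Toy inline NIDS: each packet passes through inspect(), the first signature that
matches decides whether the packet is forwarded or dropped and whether a log
entry is written.  Added example; signatures and traffic are constructed."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Signature:
    name: str
    pattern: bytes    # byte string searched for in the packet payload
    drop: bool        # True: drop the packet; False: forward it anyway
    log: bool         # True: record a log entry when the signature trips


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Decision:
    action: str                      # "forward" or "drop"
    signature: Optional[str] = None  # name of the signature that tripped, if any


# Constructed signature set (not a real vendor rule set).
SIGNATURES = [
    # cleartext credentials crossing the network: let the session through so the
    # user is not disrupted, but log it so the sniffing risk is visible
    Signature("cleartext password in unencrypted session", b"PASS ", drop=False, log=True),
    # constructed marker for a known malware beacon: drop and log
    Signature("malware beacon header", b"X-Bot-Id:", drop=True, log=True),
    # constructed internal scanner user-agent: drop silently
    Signature("internal scanner probe", b"User-Agent: internal-scan", drop=True, log=False),
]


def inspect(packet: Packet, signatures: List[Signature] = SIGNATURES) -> Tuple[Decision, Optional[str]]:
    """Return (decision, log_line).  The first matching signature wins; a packet
    that trips no signature is forwarded silently, exactly like a plain bridge."""
    for sig in signatures:
        if sig.pattern in packet.payload:
            action = "drop" if sig.drop else "forward"
            log_line = f"{action.upper()} {packet.src} -> {packet.dst} [{sig.name}]" if sig.log else None
            return Decision(action, sig.name), log_line
    return Decision("forward"), None


def run_inline(packets: List[Packet], signatures: List[Signature] = SIGNATURES):
    """Process a packet stream; return the forwarded packets and the log lines."""
    forwarded, log = [], []
    for pkt in packets:
        decision, log_line = inspect(pkt, signatures)
        if decision.action == "forward":
            forwarded.append(pkt)
        if log_line:
            log.append(log_line)
    return forwarded, log


# Constructed traffic sample: an ordinary request, a cleartext login, a beacon
# carrying the constructed marker, and a probe from the internal network.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.5", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("203.0.113.10", "192.0.2.5", b"USER alice\r\nPASS hunter2\r\n"),
    Packet("203.0.113.12", "192.0.2.5", b"POST /c HTTP/1.1\r\nX-Bot-Id: 42\r\n\r\n"),
    Packet("192.0.2.20", "192.0.2.5", b"GET / HTTP/1.1\r\nUser-Agent: internal-scan\r\n\r\n"),
]

if __name__ == "__main__":
    out, entries = run_inline(SAMPLE)
    print(f"forwarded {len(out)} of {len(SAMPLE)} packets")
    for line in entries:
        print(line)
```

Running the script forwards two of the four sample packets and writes two log lines; the silently dropped probe never appears in the log, which is the "dropped and unlogged" combination and the one a defender should use sparingly, since it leaves no evidence.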
6.1.2 Data Analysis
The likelihood of exposure is a quantitative figure scaled from 0.0 to 1.0; a higher figure indicates a higher chance of exposure to a threat. A figure of 0.7 indicates this threat is highly likely to occur at some point.
Unrelated to the likelihood value, the level of exposure figure is a percentage which indicates the consequence should a threat eventuate. A high percentage figure would indicate, for example, that should an intruder enter the system then 85% of the system could be affected.
Control costing is based upon the agreed market values of the software or hardware controls in place to combat possible threats; if Longfellows were to implement these controls, the cost would be around $10,000.
The annual loss expectancy figure is derived from the value of the asset and its quantitative value should it be compromised by a threat. An external attack, for example, could cost the company $200,000 if the intruder went unnoticed and stole personal information of Longfellows' clients. Each year the value of a loss increases by 100%.
Combined control effectiveness is a percentage figure which represents the total effectiveness of all controls against threats; for data attacks it is estimated to be about 80% effective.
Savings are calculated from the annual loss expectancy combined with the control effectiveness figure, weighted against the cost of implementing the controls.
Covered loss describes the exposed cost against the possible savings.
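The three Data Analysis sections (4.1.2, 4.2.2 and 6.1.2) all describe the same method: a likelihood of exposure, a level of exposure, an asset value, an annual loss expectancy, a combined control effectiveness, and savings and covered loss over a five-year plan. The following Python script is an added worked example and is not part of the essay or of its Appendix A spreadsheet. Because the page does not print Appendix A's formulas, the script assumes the standard annual loss expectancy (ALE) model, asset value x level of exposure x likelihood, with the loss value growing by the stated 100% per year; it takes the virus and external-intruder inputs from sections 4.2.2 and 6.1.2, and uses constructed figures for a fire-system case to show the payback delay described in 4.1.3.

```python
"""Five-year cost/benefit model for the threat categories in the essay's Data
Analysis sections.  Added example; the ALE formula is an assumption because the
page does not show Appendix A, and the FIRE_SYSTEM inputs are constructed."""

from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float        # value of the asset at risk, in dollars
    likelihood: float         # likelihood of exposure per year, 0.0 to 1.0
    exposure: float           # level of exposure: fraction of the asset affected, 0.0 to 1.0
    control_cost: float       # cost of the controls over the planning period, in dollars
    effectiveness: float      # combined control effectiveness, 0.0 to 1.0
    loss_growth: float = 0.0  # yearly growth of the loss value (1.0 = increases 100% a year)


def annual_loss_expectancy(t: Threat, year: int) -> float:
    """ALE for a 0-based year: asset value x level of exposure x likelihood,
    with the loss value grown by loss_growth for every year after the first."""
    loss_value = t.asset_value * (1.0 + t.loss_growth) ** year
    return loss_value * t.exposure * t.likelihood


def five_year_plan(t: Threat, years: int = 5) -> dict:
    """Year-by-year ALE, loss avoided by the controls, residual (uncovered) loss,
    net savings over the period, and the first year in which the avoided loss
    has paid back the control cost (None if it never does within the period)."""
    ale = [annual_loss_expectancy(t, y) for y in range(years)]
    avoided = [a * t.effectiveness for a in ale]
    residual = [a - s for a, s in zip(ale, avoided)]
    cumulative = -t.control_cost
    payback_year = None
    for y, saving in enumerate(avoided, start=1):
        cumulative += saving
        if payback_year is None and cumulative >= 0:
            payback_year = y
    return {
        "ale": ale,
        "avoided": avoided,
        "residual": residual,
        "total_ale": sum(ale),
        "net_savings": sum(avoided) - t.control_cost,
        "payback_year": payback_year,
    }


# Inputs taken from sections 4.2.2 and 6.1.2 of the essay.
VIRUS = Threat("Virus / data attack", asset_value=100_000, likelihood=0.9,
               exposure=0.85, control_cost=5_000, effectiveness=0.80, loss_growth=1.0)
INTRUDER = Threat("External intruder", asset_value=200_000, likelihood=0.7,
                  exposure=0.85, control_cost=10_000, effectiveness=0.80, loss_growth=1.0)
# Constructed figures (not from the essay): an expensive control against a
# low-loss threat, which only pays for itself late in the period.
FIRE_SYSTEM = Threat("Fire (constructed figures)", asset_value=20_000, likelihood=0.5,
                     exposure=0.4, control_cost=14_000, effectiveness=0.99)


def print_plan(t: Threat) -> None:
    p = five_year_plan(t)
    print(f"\n{t.name}")
    print(f"{'year':>4} {'ALE':>12} {'avoided':>12} {'residual':>12}")
    for y, (a, s, r) in enumerate(zip(p["ale"], p["avoided"], p["residual"]), start=1):
        print(f"{y:>4} {a:>12,.0f} {s:>12,.0f} {r:>12,.0f}")
    print(f"total ALE {p['total_ale']:,.0f}  net savings {p['net_savings']:,.0f}  "
          f"payback in year {p['payback_year']}")


if __name__ == "__main__":
    for threat in (VIRUS, INTRUDER, FIRE_SYSTEM):
        print_plan(threat)
```

Net savings here are the avoided loss summed over the period less the control cost, and residual loss is the part of each year's ALE that the controls leave uncovered; the latter is one reading of the essay's "covered loss" figure. With the page's inputs the virus case already exceeds the essay's $1,000,000 five-year figure, while the constructed fire case shows a control that is only paid back in year four.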
6.1.3 Cost Effectiveness of Controls
Longfellows would benefit immensely from implementing tighter control of internal and external attackers; very significant personal data, which may include credit and banking details, could be subject to unauthorised access. By installing a more robust firewall and NIDS system, security breaches become more difficult for likely intruders.
The cost of putting the controls in place far outweighs the loss, if a security breach ever occurs.
7. Implementation of Recommended Controls
7.1 Timetabling
See Appendix C (Gantt chart).
7.2 Responsibility
Control | Task Description | Task Responsibility | Supervision
NIDS switch | Acquisition & Purchase | Financial Controller, IT Manager | Director
NIDS switch | Installation & Initial testing | IT Manager | Director
NIDS switch | Final System testing | IT Manager | Director
ISA Firewall | Acquisition & Purchase | Financial Controller, IT Manager | Director
ISA Firewall | Installation & Initial testing | IT Manager | Director
ISA Firewall | Final System testing | IT Manager | Director
7.3 Schedule for Review of Security and Control Items
Item for Review | Responsibility | Frequency
Virus software review | IT Manager | Weekly
O/S upgrade + licensing | Financial Controller | Annually
External hard drive testing + upgrade | IT Manager | 3 months
Surge protector testing | Building maintenance officer & IT Manager | 12 months
Fire system testing | Fire department | 6 months
ISA Firewall | IT Manager | 3 months
NIDS switch | IT Manager | 3 months
Password file | Administration Officer | Weekly
Security policy review | IT Manager / Director | 12 months
