IT Security Essential

  1. IT Security Essential. Acme Consulting Report, compiled by AssignmentStudio. [Company Address]
  2. Table of Contents

Introduction, p. 3
Purpose, p. 3
Perception of Risk, p. 4
Possible Threats, p. 4
Planning an Information Security System, p. 4
Managing the Risk, p. 5
Problem Faced, p. 5
Selecting the Right System, p. 6
Recommended, p. 7
Advantages, p. 8
Packet Sniffing in LANs, p. 8
Simplicity, p. 8
Library, p. 9
Alerts, p. 9
Accessibility, p. 9
Modification, p. 9
Data Storage, p. 10
Printing Options, p. 10
Always in Touch, p. 10
Speed Control, p. 10
Drawback, p. 11
  3. Introduction

In the 21st century all organizations are in a phase of global competition. Information and data are the basic pillar on which an organization relies and plans its strategy to gain a position in the competitive market. The more advanced the technologies used for information processing and storage, the more the risk to the company increases. An information security plan/system is a core asset of any successful organization: it is needed to stay competitive and secure. The main purpose of information security is to support the mission of the organization, not only in the short run but in the long run as well. An organization's information is always exposed to certain risks, and it is the job of IT security professionals to secure the IT systems that store, process or transmit organizational information.

As organizations opt for the most advanced technology to process and store their information, information security holds the responsibility of safeguarding the organization's information assets from IT-related risks. At the same time, the absence of an effective information security system may lead to a failure of confidentiality, integrity and consistency. Information security is not an easy task; the organization's top management has to focus on implementing proper tools, a suitable set of controls, processes, procedures and organizational structures. The availability of multiple security systems and plans to choose from has added to the responsibility of top managers. An information security system that is consistent, repeatable, cost-effective and reduces risk to a reasonable level might be considered. The technologies used for processing, storing and communicating information have changed dramatically and rapidly. A client's trust is the root of any successful business, and an effective information security system gives clients confidence that the information they share with the organization is secure.

The perfect example of confidentiality of information in an organization is an embryo in the mother's womb: the mother follows precautionary measures while the embryo is carried, and in the same way an organization has to protect its information. Besides defining policies and introducing new security measures, a leading strategy consulting firm like Acme has to be very selective in adopting a well-equipped information security system.

PURPOSE
  4. The purpose of an information security system is to ensure the confidentiality, integrity and availability of data. It is to define, develop and document the information policies and procedures that support the organization's goals and objectives, and to satisfy its legal and ethical responsibilities with regard to its IT resources.

Perception of Risk

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence (Stoneburner. G, et al). In an organizational structure it is a common sight that improvements are made in IT departments for easy access and seamless sharing of information within the organization. Unfortunately, less interest is paid to the risk that increases with each new advancement. Information security risk is still in danger of being seen primarily as a technical issue, and it must mature to become a management issue (Debi. A, 2005).

Possible Threats

A threat to an information system directly affects the confidentiality and integrity of an organization, so assessing threats is a board-level consideration. An information security system will be incapable of producing the desired result without first diagnosing the security threats. The organizational structure itself may also give rise to threats to information security if regular checks are not in place. Information security threats more commonly emerge internally than externally. A sub-heading of "Security threats to the information system" is added to the agenda of board meetings, but as the last or least important point. Every act of misusing or mishandling information, or of taking improper precautions against accidental error, will be the cause of leakage or loss of the organization's confidential data/information, making a negative impact on the credibility of the organization. In the case of Acme, it needs proper checks and balances to make sure that all its data is secure and is not vulnerable to unwanted threats.
Planning an Information Security System

The primary goal of the information security system is to draw up a detailed plan: Acme needs systematic directions on how to meet security threats if the company encounters any in future. Prior to implementing a security system, Acme needs to build a team of well-trained and trustworthy IT personnel on whom the company can rely. They should be competent enough to face security threats and maintain seamless IT functions. In order to implement effective planning, the top management of Acme should begin from previously developed positions that explicitly state the organization's ethical, entrepreneurial and philosophical perspective (Michael E. et al 2010).

  5. Enforcing a new system and creating boundaries for organizational information needs a wide focus on the possible threats. A discerning attitude among the top brass will get the right tools for the system. Senior management is the key component and the vital force for a successful implementation of an information security program (Herbert J. 2011).

Managing the Risk

Risk in general has many faces, especially in the corporate environment. It could be of any shape or type, emerging from any direction. For this specific purpose the management and senior IT engineers of ACME have to set their mindset to 360 degrees, expecting risk in any form. One may observe similar organizations for the risks they are facing, but for its security system ACME has to select one that meets its own requirements. It is a continuous battle with unseen enemies, which one has to fight with one's own strategy. Many professional organizations, such as the National Association for Corporate Directors (NACD), are pushing for significant changes in the way board members and executives evaluate risks (William C, 2009). The CEO should appoint a vigilance team of highly experienced and qualified professionals, assigned the job of detecting and diagnosing the risks bound up with information confidentiality. The same team will be in constant touch with the IT operators and report directly to the CEO.

Problem Faced

Acme, being a leading consulting firm, has to be very particular about the smooth flow of information within the boundaries of the organization. Unfortunately, less emphasis is given to the intranet, and as a result the data and information that should be safe and easy to access for authorized personnel become unstable. Due to old versions of the IT system, the integrity of clients' data and information is affected. The use of the intranet has become quite complicated in Acme, and it really needs upgrading.
The current intranet badly lacks uniformity of knowledge. The nature of the work is different, and consultants face a number of issues in accessing the intranet. The centralized IT system of Acme does not meet ISO standards; there is a need for an IT system and software based on the latest technology. The data and information stored represent the client's trust in Acme, and they have to be protected at all costs.

  6. The CEO should have the authority to authorize an individual to operate the IT system, and the individual should be screened before being granted access to organizational information and information systems. Acme needs an assessment of its IT department. Properly implemented, a good needs assessment can re-energize an organization, providing hope that something fresh and constructive is being done about long-recognized shortcomings or problems faced by the organization (David G, 2006). Storage of data is one of the problems faced by Acme: to take in new data it needs space, which can only be acquired by erasing old data, and that is not good practice for an organization like Acme. A client's information or data is the client's asset, and it is the client who decides whether it is stored on the server or erased. Acme has to emphasize data storage; with good storage the company will be able to implement storage limits on users and groups of users, and limits on the size of shared objects. The company can also have control over what can be written to servers and other desktop machines that will be used mainly to store data for its clients and other financial institutions.

Selecting the Right System

The success of an organization is based on the confidentiality of its information, and parallel to it runs the risk factor. It can be stated that confidentiality of information depends on the most appropriate information security system, which lays a bridge to success for an organization. Acme needs an information security system considered among the best in the industry, and it should meet ISO standards. Again, the responsibility lies with the board members, who have to search for the appropriate security system for their organization.
To secure the integrity of internal data, business strategies, financial records, computer software, hardware and networks, information security encompasses a broad variety of disciplines and activities, i.e. security management practices, network security, operations security, computer security, and physical and personnel security. In this active age of increasing threats and evolving solutions, it is vital that information security be understood, taken seriously and implemented dynamically.
  7. Recommended

To cope with the risk to the confidentiality of information and to upgrade the system, Acme must align with the ISO/IEC 27001 standard. ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control (www.bsigroup.com). This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). ISO/IEC 27001 requires that management:

  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis (www.bsigroup.com).

The joint technical committee of ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) is continuously working to improve international standards for information security systems. Security risks can't be warded off; one way or another they keep on striking. An organization's management has to deal with other issues as well, and more emphasis on security planning will no doubt affect the budget. Now, by joining the global network of ISO/IEC, Acme will get the advantage of being kept up to date on new security techniques and possible security risks, without any effect on the company's budget.

The Right Tool: The recommended information security system is intended to support the organization, firstly, in accurately determining what should be protected and the weaknesses involved in its daily activities. Moreover, it assesses which weaknesses can be abused by an attack, as well as the threats that might come into existence in an attack. Lastly, it evaluates the efficiency and effectiveness of the policy and controls implemented, in order to determine whether they are being correctly implemented or need modification.
  8. In the global market of multiple systems offered by many companies, the Paessler network monitoring system seems to be the best solution for the problems faced by Acme. The system offered by Paessler possesses multiple features and is competent to monitor the entire network. It has been in successful operation in many other organizations around the globe. One of the excuses for the weak information and data system in Acme is the lack of focus on information security. Paessler proves to be a one-click solution for an organization. The Internet is not considered secure or trusted. The Paessler network monitoring system operates in affiliation with firewall software, whose primary objective is to control incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set (Debi. A, 2005).

Advantages

By installing the Paessler network monitoring system, Acme will be able to overcome many of its problems relating to information security, accessibility and reliability, and to gain the client's trust. A few of the features that PRTG offers that are applicable to Acme are:

Packet Sniffing in LANs

This process assists the smooth flow of the network by letting you know which applications or IP addresses are creating hurdles or slowing the flow of the intranet. The same can monitor each PC or the main server. The timing of the scan of the flow can be set by the user.

Simplicity

PRTG is easy to download and operates in a friendly, cooperative manner. It is easy to use even for personnel without IT training. The screen display shows many options once you log in. Tabs at the top of the screen offer multiple options to the user, and even an unskilled operator will become acquainted with the PRTG system in a short time. PRTG systems can work with a huge selection of operating systems (David. G, 2006).
  9. Library

In the library option the user can create a tree of sensors and devices. Create a library to see all the sensors that might be in the warning status. It is very simple to add all sensors to the library by simple drag and drop from the management node.

Alerts

The multiple sensors in the PRTG system cope with commonly used network systems. In case of any threat to the system, or an interruption that could otherwise go unnoticed, the PRTG system will alert the user by alternative means, which could be SMS, email or pager. PRTG creates an individual system for each single device within itself, providing each device with its own sensors. They monitor the traffic going in and out, maintaining an even flow of information (David. G, 2006). The number of sensors that can be installed depends on the hardware, the technology in use and the RAM.

Accessibility

For the ease of the user, PRTG is available in many languages. The PRTG system can be accessed from anywhere, from a desktop PC or through a web browser, including iPhone/iPad devices or Android devices.

Modification

PRTG is continuously in the process of modifying its system to cope with constantly changing environments. Once installed, PRTG automatically updates the software, even without the user noticing. Every PRTG installation regularly connects to Paessler's servers to check whether a new version of PRTG is available. By signing the maintenance contract, the user is kept updated with new versions. For Trial and Freeware users, as well as commercial users with an active maintenance contract, PRTG will download a new version automatically and notify the administrator once it has done so (Paessler, 2012). Recently, on 20th August, PRTG announced the first public version of PRTG that uses a 64-bit core server. Previously PRTG operated with a 32-bit core server that could only manage 3 GB of memory, which was good enough for 10,000 – 20,000 sensors. The 64-bit core server, by contrast, can now use all the available memory of the host computer, irrespective of any such limitation.
  10. Data Storage

Acme is facing a data storage problem as well. Data is the asset of any organization. With a lack of storage capacity, to take in new data the old has to be moved or removed. For this action the client has to be consulted, which puts a question mark over the credibility of the company (Paessler, 2012). PRTG has solved the problem of data storage: it stores data in three different locations, the program directory, the data folder and the registry. Thus the safety of data is increased, and more data can be taken in without removing the older data. All monitoring data is stored in PRTG's own built-in database. It keeps the data for a period of one year, and in this time the management can easily settle with clients whether to retain the data or erase it (Paessler, 2012).

Printing Options

The PRTG system has an option to make reports of the monitoring data, and these can also be printed. Multiple graph options are also available. The operations done on a single PC can be kept on record in files.

Always in Touch

PRTG offers the option to stay connected with the organization's network while not on the premises. Through an iPhone, iPad, iPod Touch, or an Android phone or tablet, you can check network performance from anywhere in the world. The same option is ideal for top management, to keep themselves informed at all times.

Speed Control

Working with a limited number of sensors does not affect the speed, but when monitoring thousands of sensors excessive CPU load can be noticed. This can be rectified by making some alterations. Among many options, the most common are a modification in hardware, such as increasing RAM from 32-bit to 64-bit, Windows XP or Windows 7, and the other option to increase speed is to get the latest version of PRTG, as it is being improved continuously (Paessler, 2012).

  11. Drawback

Besides many advantages, there are certain limitations of PRTG systems that need to be considered before installing. One major drawback is that the maximum number of sensors that can be monitored depends on the monitoring technology in use. With old versions, only a limited number of sensors can be monitored. Secondly, packet sniffing creates the highest CPU load on the probe system; this technology is only recommended for monitoring low-traffic connections. Comparing the few of the many advantages mentioned above with the disadvantages, the Paessler network monitoring system seems to be the best possible solution for Acme. Acme can cut down on its budget by hiring somewhat less qualified IT professionals instead of highly paid, highly qualified IT professionals (Paessler, 2012). The PRTG system is competent enough to provide almost all the solutions once installed.

References

1. Stoneburner, G., Goguen, A., 'Risk Management Guide for Information Technology Systems'.
2. Jones, A., Ashenden, D., 2005, 'Risk Management for Computer Security'.
3. Michael, E., Mattord, J., 2010, 'Management of Information Security'.
4. NIST Interagency Report 4749, 'Sample Statements of Work for Federal Computer Security Services: For Use In-House or Contracting Out', December 1991.
5. NIST Special Publication 800-27, 'Engineering Principles for IT Security', June 2001.
6. Herbert, J. M., 2011, 'Principles of Information Security'.
7. William, C. M., 2009, 'Enterprise Risk Management and COSO: A Guide for Directors'.
8. Garson, D., 2006, 'Public Information Technology and E-Governance: Managing the Virtual State'.
9. Fast Facts About BSI Group, viewed on 14/09/2010, <http://www.bsigroup.com/en/About-BSI/News-Room/BSI-Fast-Facts2/>
