REAL-TIME INTEGRATION SYSTEMS
Computer Systems
Security Foundations
Week 4: Software and Database Security
<name>
[Pick the date]
This document contains information and typical analyses that Real-Time Integration Systems must conduct to ensure compliance with recent initial public offering (IPO) requirements and to ensure the security of the company infrastructure. In addition to ensuring compliance with the Sarbanes-Oxley requirements, the company is also considering expanding the network infrastructure to allow employee flexibility (yet sound security) in the area of network connectivity through the introduction of a wireless network. The company will evaluate the risks and the current and future network infrastructure and enterprise systems, as well as the access control policies currently in use. Within the analysis of the technical review, Real-Time Integration Systems will ensure a proper security program is in place and that policies and procedures are updated and accurate.
Table of Contents
Project Outline and Requirements (Week 1)
  Organization Description
  Project Requirements
Introduction to Information Security (Week 1)
  The Need for Information Security
  Potential Issues and Risks for Wi-Fi Environments
  Security Challenges of Allowing Consultants to Work On-Site
  A Review of the Sarbanes-Oxley Requirements
Security Assessment (Week 2)
  Current Assets
  Analysis of Current Network Topology and Risks
  Risk Assessment Methodology
  Risk Mitigation
Access Controls and Security Mechanisms (Week 3)
  Access Controls of Existing Applications
    The Application List From Week 2 With Needed Access Controls (Examples)
  Access Controls to the Wi-Fi Network
  Network Authentication Schemes
    Single Sign-On
    Virtual Private Networks
Software and Database Security (Week 4)
  Regulatory Requirements of Sarbanes-Oxley
  Policies
  Controls
  Protecting Data
    Data-at-Rest
    Data-in-Motion
Network Security (Week 5 TBD)
References
Project Outline and Requirements (Week 1)
Organization Description
Real-Time Integration Systems is a publicly traded company based in San Jose, California that offers customized solutions to customers and clients. The main focus for Real-Time is the creation of solutions based on integrating the various systems that are used in the customers' offices so that they can have a single management interface for all systems and applications. Real-Time has 100 employees. About one third are internal company-based support, and two thirds of the employee base are consulting staff working on the customized solutions. The company recently underwent an IPO, and as such, now has additional regulatory requirements that it must meet. In conversations with the company's chief information officer (CIO) and chief financial officer (CFO), both admit that the recent IPO has added pressures for their company. They now must meet additional regulatory requirements.
The consulting staff typically meets with the customer to gather the system requirements and then returns to the Real-Time facilities to create the integration solutions. A major problem that the consultants face is network resources. The office spaces that are allocated to the consulting team offer cubicles with limited network access. The consultants need a more flexible solution for connecting to the Real-Time network. Real-Time wants to implement a secure solution that ensures the privacy of the communications and company data while giving the consultants the flexibility to connect to the network, move around, and interact and conference with other consultants.
Project Requirements
As Real-Time starts the project, the leaders realize that their current infrastructure is not as secure as they thought. The original information technology (IT) staff was well-meaning, but at the time of the start-up, they were not as security-conscious as companies are today. As a result, Real-Time wants to ensure the overall security of the existing infrastructure and to isolate the new development infrastructure as much as possible. To begin, the existing network architecture includes a demilitarized zone (DMZ) for the company Web site, file transfer protocol (FTP), and mail servers. The company intranet is a flat network: all company resources and applications are on the same network as all staff desktops. All company systems are internal (meaning that they outsource no solutions). All systems and applications are housed in the San Jose corporate site in a converted conference room that is now a dedicated data center.
Real-Time does have a concern over the customer systems and data that are brought into the San Jose facility. The customer data and equipment need to be isolated from other customer environments. At no point in time can the data from one customer be stored in the same environment as a different customer's. The CIO has made these requirements very clear to the staff. Customer data privacy and security need to be a top priority.
Proper resources have been allocated for the project, and several key goals have been set:
• Evaluate the regulatory requirements based on the Sarbanes-Oxley Act, and ensure that company security policies are sufficient to meet the requirements.
• Evaluate the security risks in the current environment.
• Evaluate the access control methods that are currently in use, and identify newly needed controls.
• Evaluate the need for controls to better protect data both at rest and in motion.
• Develop or redesign a secure network solution.
Introduction to Information Security (Week 1)
A review of the current infrastructure and security model is needed to ensure compliance with the new Sarbanes-Oxley regulations. Management wants to understand how the regulation impacts the information security posture of the Real-Time Integration Systems environment. To do so, the following areas need to be better understood by the organization:
• Describe the need for information security
• The potential issues and risks that exist and what benefits they can gain from the new wireless fidelity (Wi-Fi) project
• Describe what new challenges exist with the new project to allow consultants to work on-site
• Describe the challenges that now apply to the company with the recent IPO taking place
The Need for Information Security
A high-level review of information security should take place, followed by a practical discussion about what it means for organizations like Real-Time Integration Systems.
Potential Issues and Risks for Wi-Fi Environments
A review of the technical security needs to take place. The focus should be on the extension of a network through the use of wireless technologies.
Security Challenges of Allowing Consultants to Work On-Site
A review of the administrative security controls needs to take place. The focus should be on the policies and personnel requirements that need to be implemented.
A Review of the Sarbanes-Oxley Requirements
Sarbanes-Oxley will now affect Real-Time, and there needs to be a discussion about the specific provisions of the regulations that apply to the IT infrastructure.
Security Assessment (Week 2)
To conduct a security assessment, the organization needs to understand its environment. This includes asset identification, data classifications, and network topologies. This section will focus on asset identification and network topology and the risks associated with them in the current environments.
Current Assets
A list of the enterprise systems that Real-Time Integration Systems relies on to run the day-to-day business activities includes the following systems:
Example Enterprise Systems
System | Applications | Description
Enterprise resource planning (ERP) | Human resources (HR) | Human resources uses this to track employees, managers, assignments, salary, and expenses
ERP | Financials | Accounts payable, accounts receivable, general ledger
Customer relations management (CRM) | Sales and marketing | Tracking of customers and customer projects
Web servers | Company public portal | Information and applications used by customers to interact with Real-Time Integration Systems
E-mail server | All departments | E-mail system used for company e-mail and external communications
Analysis of Current Network Topology and Risks
An example diagram for the current network (although not required for submission) could be represented as follows:
Because all machines (user desktops and servers) are on the same network, all connected to the Internet, a security breach on any single machine gives hackers direct access to all other servers and devices on the same network. This is highly undesirable. Additional risks should be discussed.
System | Risks
Web server | Accessible to the Internet by design; easy targets for hackers
Desktop systems | Users are primary targets for social engineers; if compromised, network resources are accessible
If the new Wi-Fi network is added to the existing network, an example diagram could look as follows:
A discussion about the new risks for this model needs to be conducted.
Risk Assessment Methodology
The following is an outline of the methodology that can be used for a risk assessment:
• Phase 1: Project Definition
• Phase 2: Project Preparation
    • Team Preparation
    • Project Preparation
• Phase 3: Data Gathering
    • Administrative
    • Technical
    • Physical
• Phase 4: Risk Analysis
    • Assets
    • Threat Agents and Threats
    • Vulnerabilities
• Phase 5: Risk Mitigation
    • Safeguards
    • Residual Security Risk
• Phase 6: Risk Reporting and Resolution
    • Risk Recommendation
    • Documentation
Risk Mitigation
As part of the risk-assessment process, a plan needs to be recommended (and ultimately acted upon). The exact process for dealing with risk varies from company to company based on the risk tolerance. The following should be discussed with respect to handling risk:
Access Controls and Security Mechanisms (Week 3)
The focus of this section is to examine the access control model of the previously identified applications. A potential review of the existing system could take place, but a proposed final solution needs to take place for each application. A proposed solution for the new Wi-Fi network is also given.
Access Controls of Existing Applications
The application list from Week 2 with needed access controls (examples):
System | Proposed Access Control: Identification/Authentication | Proposed Access Control: Authorization
ERP | Single sign-on technology (SSO) | Role-based access control
Desktop | Active Directory | Role-based access control
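The table pairs SSO (who the user is) with role-based access control (what the user may do) for the ERP system. The following is an added illustration, not part of the original document or of any Real-Time Integration Systems product, of how an application enforces that split: the SSO layer supplies an authenticated identity with its roles, and the application maps roles to permissions, denies anything not explicitly granted, and records every decision in an audit log. The role names, permission names and the conflicting-role rule (a person who creates invoices must not also approve them) are assumptions chosen to match the HR and Financials modules listed in Week 2.

```python
"""Role-based authorization for an SSO-fronted ERP application (added example).

The SSO provider answers "who is this?"; the application still decides
"what may they do?" from a role-to-permission table with deny by default.
Role and permission names below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Role -> permissions granted. Anything not listed here is refused.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "hr_staff":      frozenset({"hr.employee:read", "hr.employee:update"}),
    "ap_clerk":      frozenset({"fin.invoice:read", "fin.invoice:create"}),
    "ap_approver":   frozenset({"fin.invoice:read", "fin.invoice:approve"}),
    "gl_accountant": frozenset({"fin.ledger:read", "fin.ledger:post"}),
    "auditor":       frozenset({"hr.employee:read", "fin.invoice:read", "fin.ledger:read"}),
}

# Role pairs one person must never hold at once (static separation of duties,
# an assumed rule): the creator of an invoice must not be its approver.
CONFLICTING_ROLES = {frozenset({"ap_clerk", "ap_approver"})}


@dataclass(frozen=True)
class SsoAssertion:
    """Identity and roles as asserted by the SSO provider after authentication."""
    subject: str
    roles: FrozenSet[str]


@dataclass
class AuditLog:
    """Append-only record of every authorization decision, kept for audit."""
    entries: List[dict] = field(default_factory=list)

    def record(self, subject: str, permission: str, granted: bool, reason: str) -> None:
        self.entries.append({"subject": subject, "permission": permission,
                             "granted": granted, "reason": reason})


def conflicting_roles(roles: FrozenSet[str]) -> bool:
    """True if the role set contains a forbidden combination."""
    return any(pair <= roles for pair in CONFLICTING_ROLES)


def permissions_for(roles: FrozenSet[str]) -> FrozenSet[str]:
    """Union of the permissions of the user's roles; unknown roles grant nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)


def authorize(assertion: SsoAssertion, permission: str, audit: AuditLog) -> bool:
    """Decide one access request and log the decision either way."""
    if conflicting_roles(assertion.roles):
        audit.record(assertion.subject, permission, False, "separation-of-duties conflict")
        return False
    granted = permission in permissions_for(assertion.roles)
    audit.record(assertion.subject, permission, granted,
                 "role grants permission" if granted else "no role grants permission")
    return granted


if __name__ == "__main__":
    log = AuditLog()
    clerk = SsoAssertion("alice", frozenset({"ap_clerk"}))
    print(authorize(clerk, "fin.invoice:create", log))   # True
    print(authorize(clerk, "fin.invoice:approve", log))  # False
    both = SsoAssertion("bob", frozenset({"ap_clerk", "ap_approver"}))
    print(authorize(both, "fin.invoice:read", log))      # False: conflicting roles
    for entry in log.entries:
        print(entry)
```

Note that the audit log records denials as well as grants; for a Sarbanes-Oxley review the denied attempts are often the more interesting evidence, and the separation-of-duties check refuses access even for a permission both roles would otherwise allow.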
Access Controls to the Wi-Fi Network
A detailed description of how access controls should be implemented is provided. An example of a network segregation diagram (not required but could be implemented) is as follows:
Active Directory has been included for the potential of desktop and wireless authentication. Additional discussions could take place surrounding the concepts of virtual private network access for wireless clients.
Network Authentication Schemes
Single Sign-On
Description of SSO technologies and their use will take place in this section.
Virtual Private Networks
Description of VPN technologies and their use will take place in this section.
Software and Database Security (Week 4)
A focus on the policies, processes, and procedures is an important part of the Sarbanes-Oxley regulations and requirements. This section will focus on the needed policies and audit controls that need to be in place to meet the requirements.
Regulatory Requirements of Sarbanes-Oxley
Sarbanes-Oxley is a wide-sweeping regulation that applies to publicly traded companies. Although the main focus of the regulation deals with the accurate reporting of financial data and record-keeping, several sections touch on the need for IT controls. The following is a list and description of specifics in the regulation that deal with IT:
<Provide the Details of Sarbanes-Oxley Requirements>
Policies
An important aspect of any security program and of compliance with Sarbanes-Oxley is the implementation and enforcement of security policies. The following is a list and description of applicable security policies that are implemented at Real-Time Integration Systems:
Policy | Description
Acceptable-use policy | Describes what, when, and how company resources should and should not be used.
A total of 5 policies are required.
Controls
Policies state management's desired intent of acceptable behavior and expectations, but more than expressed desire is required. The company needs to be testing and tracking compliance with the published policies. The following is a list of controls that can be used to complete that task:
Policy | Control
Acceptable-use policy | Firewall monitoring for violations of access time and access sites
Acceptable-use policy | Monitoring of outbound phone call usage
A total of 3 controls for each policy are required.
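The first control in the table, firewall monitoring for access-time and access-site violations, is the kind of check that has to run continuously over logs rather than be asserted once in a policy document. The following is an added example, not part of the original document, of such a monitor: it parses firewall log lines, skips traffic the firewall already blocked, and reports allowed connections that fall outside permitted working hours or reach a site the acceptable-use policy forbids. The log line format, the working-hours window, the forbidden-site list and the sample lines are all constructed for illustration; a real deployment would read the vendor's actual log format and the policy values the company adopts.

```python
"""Acceptable-use monitoring over firewall logs (added example).

Flags outbound connections made outside permitted hours or to sites the
policy disallows. Log format, policy values and sample lines are constructed.
"""
import re
from datetime import datetime, time
from typing import Dict, List, Optional

# Constructed log format: ISO-8601 timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+host=(?P<host>\S+)\s+action=(?P<action>\S+)$"
)

# Assumed policy: Monday-Friday 07:00-19:00 is working time, and a small list
# of site suffixes is forbidden on company resources. The .invalid TLD is
# reserved and never resolves, so these names are placeholders.
POLICY = {
    "work_days": {0, 1, 2, 3, 4},          # Monday=0 ... Friday=4
    "work_start": time(7, 0),
    "work_end": time(19, 0),
    "disallowed_suffixes": ("streaming.invalid", "gambling.invalid"),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def outside_hours(ts: datetime, policy: dict) -> bool:
    """True if the timestamp falls outside the permitted working window."""
    if ts.weekday() not in policy["work_days"]:
        return True
    return not (policy["work_start"] <= ts.time() < policy["work_end"])


def disallowed_site(host: str, policy: dict) -> bool:
    """True if the host is a forbidden name or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in policy["disallowed_suffixes"])


def find_violations(lines: List[str], policy: dict = POLICY) -> List[Dict[str, str]]:
    """One record per violation. Only traffic the firewall allowed counts:
    a blocked connection attempt is enforcement working, not a violation."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue                       # unparsable lines and denies are skipped
        ts = datetime.fromisoformat(rec["ts"])
        reasons = []
        if outside_hours(ts, policy):
            reasons.append("outside-hours")
        if disallowed_site(rec["host"], policy):
            reasons.append("disallowed-site")
        for reason in reasons:
            violations.append({"user": rec["user"], "host": rec["host"],
                               "time": rec["ts"], "reason": reason})
    return violations


# Constructed sample lines (not real traffic). 2024-03-04 is a Monday,
# 2024-03-05 a Tuesday and 2024-03-09 a Saturday.
SAMPLE_LOG = [
    "2024-03-04T09:15:07 src=10.1.5.23 user=jdoe dst=203.0.113.10 host=erp.internal.example action=allow",
    "2024-03-04T22:40:51 src=10.1.5.23 user=jdoe dst=203.0.113.11 host=erp.internal.example action=allow",
    "2024-03-05T12:02:19 src=10.1.5.40 user=asmith dst=198.51.100.7 host=video.streaming.invalid action=allow",
    "2024-03-05T12:03:00 src=10.1.5.40 user=asmith dst=198.51.100.8 host=bets.gambling.invalid action=deny",
    "2024-03-09T11:00:00 src=10.1.5.41 user=bjones dst=198.51.100.9 host=video.streaming.invalid action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(v)
```

Two design points matter for the control to be defensible in an audit: unparsable lines are skipped rather than silently treated as compliant or as violations (in practice they should be counted and investigated separately), and a connection the firewall denied is not reported as a policy violation, because the control being tested is whether the policy held, not whether someone tried.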
Protecting Data
Data-at-Rest
A description of data-at-rest and the applicable use will take place in this section.
Data-in-Motion
A description of data-in-motion and the applicable use will take place in this section.
Network Security (Week 5 TBD)
References
confidentiality and integrity of the data. What policies and controls are needed to meet the regulatory requirements imposed by the recent initial public offering (IPO)? To ensure the confidentiality of data both internally and externally, discuss how you can effectively protect the data in motion and at rest.
Create the following section for Week 4:
· Week 4: Security Policies, Procedures, and Regulatory Compliance
· List and describe the regulatory requirement that was introduced by the IPO.
· List and describe at least 5 policies that the company needs.
· From the list of policies, list and describe at least 3 controls that the company needs to implement.
· Describe the data at rest and data in motion and how they can be protected.
· Section 4 should be 2–3 pages long.
Worked Example
Please refer to the following worked example of this assignment based on the problem-based learning (PBL) scenario. The worked example is not intended to be a complete example of the assignment, but it will illustrate the basic concepts that are required for completion of the assignment, and it can be used as a general guideline for your own project. Your assignment submission should be more detailed and specific, and it should reflect your own approach to the assignment rather than just following the same outline.