Case Project 1-1: Defining and Designing a Network
The overview of this book’s running case project is in the front matter. Please review this information carefully to guide you in completing each chapter’s project as you work through the remaining chapters.
You have been hired as a consultant to design a network for LedGrafix, a video and PC game design company. LedGrafix’s newest game has become a hot seller, and the company anticipates rapid growth. It’s moving into a new facility and will be installing a new network. Because competition is fierce in the game industry, LedGrafix wants the network fully secured, documented, and maintained while providing high availability, scalability, and performance.
Based on your current network technology and information security knowledge, for this project you design a network to meet the specified requirements and create a network diagram detailing your design. After you have created the diagram, you create a hardware and software inventory for the network. In addition to designing the network, you must also provide full documentation. The network should meet the following requirements:
· One location in Phoenix, AZ
· Capable of supporting 62 users in these departments: Accounting and Payroll, 4; Research and Development, 12; Sales and Marketing, 10; Order Processing, Shipping, and Receiving, 14; secretarial and office management staff, 4; upper management (including the president, vice president, and general manager), 10; Customer Relations and Support, 6;Technology Support, 2.
· Full T-1 Internet connection
Tasks
1. Design a network that meets the preceding requirements.
2. Examine the facility diagram your instructor provides. Using whatever drawing application you have available (MS Paint will work, if you have no other options), create a diagram of your network, showing the physical layout of the system.
3. Create a hardware and software inventory. Your instructor has blank forms you can use, or you can create or find your own. Your inventory should include at least the following:
· Operating systems
· Server operating systems
· Office applications
· Antivirus software
· Computers, servers, and peripherals
· Network connectivity equipment, such as hubs, switches, or routers
· Specialized imaging or multimedia devices or software
· Developer tools (you can make up tool names, if necessary)
· Other applications you think are necessary
Case Project 2-1: Conducting Risk Assessment and Analysis
Risk assessment can be as simple as noting an unlocked door or a password written on a note, or it can be a complex process requiring several team members and months to complete. A large enterprise environment probably has multiple locations, diverse activities, and a wide array of resources to evaluate. You don’t need such a complex network, however, for your running case project; the main idea is to learn how to apply your knowledge in a methodical fashion to produce useful and accurate data. Approaching ...
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
1. Case Project 1-1: Defining and Designing a Network
The overview of this book’s running case project is in the front
matter. Please review this information carefully to guide you in
completing each chapter’s project as you work through the
remaining chapters.
You have been hired as a consultant to design a network for
LedGrafix, a video and PC game design company. LedGrafix’s
newest game has become a hot seller, and the company
anticipates rapid growth. It’s moving into a new facility and
will be installing a new network. Because competition is fierce
in the game industry, LedGrafix wants the network fully
secured, documented, and maintained while providing high
availability, scalability, and performance.
Based on your current network technology and information
security knowledge, for this project you design a network to
meet the specified requirements and create a network diagram
detailing your design. After you have created the diagram, you
create a hardware and software inventory for the network. In
addition to designing the network, you must also provide full
documentation. The network should meet the following
requirements:
· One location in Phoenix, AZ
· Capable of supporting 62 users in these departments:
Accounting and Payroll, 4; Research and Development, 12;
Sales and Marketing, 10; Order Processing, Shipping, and
Receiving, 14; secretarial and office management staff, 4; upper
management (including the president, vice president, and
general manager), 10; Customer Relations and Support,
6;Technology Support, 2.
· Full T-1 Internet connection
Tasks
1. Design a network that meets the preceding requirements.
2. 2. Examine the facility diagram your instructor provides. Using
whatever drawing application you have available (MS Paint will
work, if you have no other options), create a diagram of your
network, showing the physical layout of the system.
3. Create a hardware and software inventory. Your instructor
has blank forms you can use, or you can create or find your
own. Your inventory should include at least the following:
· Operating systems
· Server operating systems
· Office applications
· Antivirus software
· Computers, servers, and peripherals
· Network connectivity equipment, such as hubs, switches, or
routers
· Specialized imaging or multimedia devices or software
· Developer tools (you can make up tool names, if necessary)
· Other applications you think are necessary
Case Project 2-1: Conducting Risk Assessment and Analysis
Risk assessment can be as simple as noting an unlocked door or
a password written on a note, or it can be a complex process
requiring several team members and months to complete. A
large enterprise environment probably has multiple locations,
diverse activities, and a wide array of resources to evaluate.
You don’t need such a complex network, however, for your
running case project; the main idea is to learn how to apply
your knowledge in a methodical fashion to produce useful and
accurate data. Approaching a task such as risk assessment
without a strategy means repeating steps, wasting resources, and
achieving mediocre results at best. Even worse, you might miss
critical information.
You need the network and facility diagrams you completed in
Chapter 1 for this project. Your instructor will provide
documentation templates. Make additional copies as needed. In
a real risk analysis process, one of the first steps is meeting
3. with all department managers, upper management, employee
representatives, workers in the production environment, human
resources staff, and other staff members to get their input.
Without input from the people actually doing the work, you
might not think of essential factors. That isn’t possible here, so
direct any questions you have to your instructor, or do
independent research to find your answers.
Tasks
1. First, identify the business processes that must continue for
the organization to keep functioning—for example, collecting
money from customers, receiving and processing sales,
developing new products, and so on. Document major business
processes that drive LedGrafix, using the Business Process
column of the Business Process Identification Worksheet (see
“Business Process Identification Worksheet Draft.docx” in
“worksheets.zip”). Assign a priority level to each process (using
the priority rankings in the following list). Write down the
department that performs the process, and leave the Assets Used
column blank for now.
· Critical—Absolutely necessary for business operations to
continue. Loss of a critical process halts business activities.
· Necessary—Contributes to smooth, efficient operations. Loss
of a necessary process doesn’t halt business operations but
degrades working conditions, slows production, or contributes
to errors.
· Desirable—Contributes to enhanced performance and
productivity and helps create a more comfortable working
environment, but loss of a desirable process doesn’t halt or
negatively affect operations.
2. Next, identify the organization’s assets. Using the Asset
Identification Worksheet your instructor provides (see “Asset
Identification Worksheet Draft.docx” in “worksheets.zip”), list
each asset, its location, and approximate value, if known. (For
multiple identical assets, describe the asset and list the quantity
instead of listing each individual asset.) In organization-wide
risk assessments, you would list all assets, including office
4. furniture, industrial equipment, personnel, and other assets. For
this project, stick to information technology assets, such as
computers, servers, and networking equipment. The information
you enter depends on the network design you completed in
Chapter 1. All the equipment needed to build your network
should be listed here as well as any cabling in the facility.
(Assume the facility is already wired for a computer network
with network drops available for each computer.) Hint:
Remember to list items such as electricity and your Internet
connection.
3. Next, determine which assets support each business process.
On your Business Process Identification Worksheet (see
“Business Process Identification Worksheet Draft.docx” in
“worksheets.zip”), list the assets needed for each business
process in the Assets Used column.
4. Each process should be documented and have a priority
assigned to it. Next, transfer the priority rankings to your Asset
Identification Work sheet. Now you know which assets are the
most critical to restore and warrant the most expense and effort
to secure. You also have the documentation to back up your
security actions for each item.
5. The final step is assessing existing threats. Table 2-6 shows
examples of ways to evaluate some types of threats and suggests
ways to quantify them. On the Threat Identification and
Assessment Works sheet (see “Threat Identification and
Assessment Worksheet Draft.docx” in “worksheets.zip”), list
each possible threat. Be sure to consider threats from
geographic and physical factors, personnel, malicious attack or
sabotage, and accidents. Also, examine the facility diagram you
created for flaws in the facility layout or structure that could
pose a threat, such as air-conditioning failure or loss of
electrical service. Assess the probability of occurrence (POC)
on a 1 to 10 scale, with 1 being the lowest and 10 the highest,
and assign those ratings in the POC column for each threat.
Table 2-6 Threat evaluation and quantification methods
Type of threat
5. How to quantify
Severe rainstorm, tornado, hurricane, earthquake, wilderness
fire, or flood
Collect data on frequency, severity, and proximity to facilities.
Evaluate the past quality and speed of local and regional
emergency response systems to determine whether they helped
minimize loss.
Train derailment, auto/truck accident, toxic air pollution caused
by accident, or plane crash
Collect data on the proximity of railroads, highways, and
airports to facilities. Evaluate the construction quality of
transportation systems and the rate of serious accidents on each
system.
Building explosion or fire
Collect data on the frequency and severity of past incidents.
Evaluate local emergency response to determine its
effectiveness.
Militant group attacking facilities, riot, or civil unrest
Collect data on the political stability of the region where
facilities are located. Compile and evaluate a list of groups that
might have specific political or social issues with the
organization.
Computer hack (external) or computer fraud (internal)
Examine data on the frequency and severity of past incidents.
Evaluate the effectiveness of existing computer security
measures.
6. Next, using the Asset Identification Worksheet (see “Asset
Identification Worksheet Draft.docx” in “worksheets.zip”),
determine which assets would be affected by each threat. List
those assets in the Assets Affected column of theThreat
Identification and Assessment Work sheet. For an electrical
outage, for example, list all assets requiring electricity to
operate; for a hardware failure, list all assets a hardware failure
would disrupt, damage, or destroy.
7. In the Consequence column, enter the consequences of the
6. threat occurring, using the following designations:
· Catastrophic (C)—Total loss of business processes or
functions for one week or more. Potential complete failure of
business.
· Severe (S)—Business would be unable to continue functioning
for 24 to 48 hours. Loss of revenue, damage to reputation or
confidence, reduction of productivity, complete loss of critical
data or systems.
· Moderate (M)—Business could continue after an interruption
of no more than 4 hours. Some loss of productivity and damage
or destruction of important information or systems.
· Insignificant (I)—Business could continue functioning without
interruption. Some cost incurred for repairs or recovery. Minor
equipment or facility damage. Minor productivity loss and little
or no loss of important data.
8. Next, rate the severity of each threat in the Severity column,
using the same designations as in the preceding list for
consequences (C, S, M, or I). You derive these ratings by
combining the probability of occurrence, the asset’s priority
ranking, and the potential consequences of a threat occurring.
For example, if an asset has a Critical (C) priority ranking and a
Catastrophic (C) consequence rating, it has a Catastrophic (C)
severity rating. If you have mixed or contradictory ratings, you
need to re-evaluate the asset and use common sense. A terrorist
attack that destroys the facility and kills half the staff might
have a probability of occurrence (POC) of only 1 (depending on
your location), but if it happened, the consequences would
definitely be catastrophic. Even so, because of the low POC,
you wouldn’t necessarily rank its severity as catastrophic.
9. Finally, on theThreat Mitigation Worksheet (see “Threat
Mitigation Worksheet Draft.docx” in “worksheets.zip”), list
assets that are ranked as the most critical and threatened with
the highest severity. In the MitigationTechniques column, list
recommendations for mitigating threats to those assets. For
example, to mitigate the threat of an electrical outage damaging
a critical server, you might suggest a high-end uninterruptible