The increase in demand for data driven service at GDI is the source of emerging security and system integrity risks. The firm needs to implement policies to address these issues to reduce the impact of the associated risks. The critical assets requiring policy protection include the 81 remote facilities, data encryption and transmission infrastructure, the data processing center, the network architecture, and the outsourced services. The security architecture required to implement these policies follows along the lines of the current network architecture. The levels required include security at remote locations, data transmission security, datacenter security, and security for the web and network servers.
The specific policies identified for the task are in six threat areas. Policies under the remote facilities are computer security policy and software security policy to address network access, and internal or external cyber attacks. Under data transmission, the policies identified include wireless security policy, storage devices security policy and email security policy. These policies address the data transfer risks associated with the network. The data processing center needs a hardware security policy and a network security policy to control physical access and network access on location, and from remote areas.
Policies related to the server room include the server-room security policy, web-server security policy, and the network-server security policy. These policies aim at ensuring the servers do not suffer physical damage or damage from cyber attacks. The system architecture will require a systems architecture security policy to provide a coordinating platform for the network policies. Finally, outsourcing risks require an IT services outsourcing security policy to ensure thorough vetting of vendors and identification of mitigation measures required to address risk exposure due to the vendors.
GDI’s operations are growing more reliant on IT systems. This reliance is increasing data related risks for the company (Goedeking, 2010). Increasing traffic and demand for data services both internally and externally also means that there is need for policies to address the efficiency and maintenance of the IT infrastructure to ensure that all services proceed optimally (Jeffrey & Norton, 2006). This document presents twelve critical policies for GDI necessary for the creation of a secure IT Environment.
Summary of Critical Company Assets Requiring Protection
GDI has a number of assets that require protection. These systems require protection because of several reasons. Some of them could be sources of potential breach, while others carry sensitive information, which can harm the company if outsiders get access (Dube, Berner, & Roy, 2009). In addition, some are critical for the efficient operation of the company’s data systems. The list below shows the network architecture systems considered vulnerable to security and performance threats.
- The 81 remote facilities linked through the WAN are a potential sources of threats.
- Data encryption and transmission infrastructure are susceptible to interception (Goedeking, 2010).
- Data processing centre, with the twin IBM System/390 mainframes are critical to essential operations.
- The network architecture, with centralization as a policy for a large and growing organization is a risk (Goedeking, 2010).
- The outsourcing of services can expose the firm to the risks of the vendor (Dube, Berner, & Roy, 2009).
General Security Architecture of the Company
The proposed general security architecture has the following elements
- Remote sites security applications
- Data transmission security (encryption and transmission)
- Data center security (mainframe, microcomputer cluster)
- Web server and network server security
Specific Security Policies
The design of the security architecture relies on the current network architecture. The table below presents the policies that address each of the issues raised as part of the security architecture or as part of the method of reducing the vulnerabilities in the IT systems.
|Threat Area||Policy Title||Policy Description||Policy Rationale|
|Remote facilities||Computer security policy||This policy will cover the use of company computers. It will address what constitutes safe use and policy violations. The thrust shall be that a computer assigned to a company employee is in their care and unauthorized persons should not use it. If necessary, such as during maintenance, the company employee will be present at all times to ensure the user does not access unauthorized files stored in local drives or in the local network||This policy stems from the need to ensure no one from outside the organization has access to the computers in any of the 81 remote facilities since it is possible, to access the data centers remotely from these locations.|
|Software security policy||The software security policy will address the procedures for acquisition and installation of software. It will also deal with procedures for dealing with software problems. This policy will address the dangers associated with downloaded or self-loaded software because they can cause problems such as phising, installation of tracking software, malware, spyware, and viruses in general. It will also spell out the management regimes of antivirus software.||There is a serious risk of cyber attacks launched on entire networks. The existing networks are especially vulnerable given the multiple points of access in the remote facilities, internet via web servers, and in the data centers.|
|Data transmission||Wireless security policy||The wireless security policy will address all the wireless communication protocols the company uses. In particular, it will establish the procedures of establishing access, locations of access, and the password systems in use and its management.||The need for this policy comes from the realization that wireless networks are subject to abuse if there is no regulation in place. The network can fall into the hands of non-company operators who would cause unnecessary clogging of the network resources leading to reduced communication speeds|
|Storage devices security policy||In all facilities, there will be need to address the storage of data. This policy will give guidelines and expectations related to the storage and retrieval of data from all computers and data warehouses. It will declare the use of use of portable storage devices such as thumb drives and memory cards as unacceptable to reduce the risk of data pilferage.||This policy comes from the realization that the most serious risk to the company’s data comes from the employees themselves. Storage devices, if unregulated, can form the conduit for data pilferage and introduction of malicious software to the company’s network.|
|Email security policy||This policy shall require all employees to use official company email for all official matters. This policy will aim at ensuring that there is no data loss when an employee leaves the company. All the official communication will remain intact. In addition, this policy will limit access to the open internet for email access because of the data loss risks associated with this.||Email is a powerful tool for communication because of its spontaneous nature. This is a serious security lapse because an employee or unauthorized person may use email for file transfer or for the introduction of malicious software to the company’s network.|
|Data processing center||Hardware security policy||The hardware security policy in the data centers will aim at maintaining the physical integrity of all components of the data centers. The twin IBM System/390 mainframes are susceptible to damage such as physical breach of connecting cables, damage from water, and the elements, and crushing of network components. This policy will address the maintenance practices required to maintain the physical integrity of the systems, and the required defenses to keep off physical objects that can damage the components of the data processing center||The rationale for this system is that the data processing centre contains very many pieces of critical equipment, which can malfunction due to physical damage. The center is the nerve-centre for all operations hence the need to keep the systems safe.|
|Network security policy||The Network security policy will address all internal and external network connections. In particular, it will establish the procedures for use in the establishment of all future network connections, the file transfer and encryption protocols, the firewall standards, and the procedures that will apply during network expansion.||As things stand, there are vulnerabilities associated with the existing network. These gaps, created by the use of external service providers need to be filled somewhat, and the best people for the job are those who manage the network internally. Preparing for network expansion is also important because standardization of procedures will make it easy to undertake system wide upgrades.|
|Servers||Server room security policy||The server room policy will control physical access to the servers, the personnel authorized to access the room and their conduct while in the room. This policy will address the security gaps that arise from unregulated access to the server rooms. It will spell out the security clearance procedures required to access the server room, as well as apportion responsibilities required to perform the different levels of security check.||The server rooms need an access policy to keep unauthorized persons from accessing the facilities. These places are critical nodal points in the network which if breached can lead to catastrophic loss of services.|
|Web server security policy||The web server policy will institute server access rules and create the necessary protocols such as account assignment procedures. It will cover maintenance and use of the servers, both on location, and in remote locations.||The need for a policy to guide the use of the web server comes from the realization that the web server plays a critical role in enabling and controlling internet access. This policy is necessary to ensure that the company’s local elements of the ecommerce and web platforms remain secure|
|Network server security policy||The policy on network server security will address the rules and procedures of using the network server. The policy will define the server protocols, security features, implementation of firewalls, and the designation of security clearance levels. It will generally limit full-scale access of files in all sections to create security barriers that can limit damage or access to files by unauthorized persons.||The need for this policy is because the network server routes requests to access the databases, hence it is the logical point in the network to put up defenses in case there is a breach.|
|System architecture||System architecture security policy||The aim of this policy will be to reduce the risks associated with centralized data systems. The policy will coordinate the implementation of the security features such as methods of isolation of the remote sites if a breach occurs in one of them. This will include the securing and recovery of the local data and its reinstatement. In addition, the policy will spell out the workings of the server and network policies from a coordinating level.||The need for an overarching policy stems from the vulnerabilities of centralized systems. The systems should have the capacity of isolating a breach or protecting the critical elements of the network if the breach is beyond control, or if its source is not immediately clear.|
|Outsourcing||IT services outsourcing security policy||Outsourcing IT requires clear policy guidelines that transcend the immediate financial incentives, and looks at the business objectives. This policy will create the basic standards a vendor must meet before the company outsources. This will include their infrastructure security, assessment of risk exposure in the event of a catastrophic failure on their systems, and contract and service review mechanisms. The policy will aim at ensuring the company limits its exposure on any one front, and increases its capacity to recover from any catastrophe.||The need for a specific policy to tackle security issues related to outsourcing emanates from the realization that outsourcing IT services to third parties exposes the company to all the threats and vulnerabilities of the vendors. As such, there is a need to document and plan for any eventuality because at one point or another, a catastrophic failure will occur.|
Table 1: Security Policies.
The Implementation of these policies will enhance the overall information security of GDI since they dress all the critical threat areas. They will give GDI more advantage in its operations by reducing risks and increasing recovery options in the event of a catastrophic failure in the systems.
Dube, L., Berner, C., & Roy, V. (2009). Taking on the Challenge of IT Management in a Global Business Context: The Alcan Case – Part A. International Journal of Case Studies in Management , 7 (2), 1-13.
Goedeking, P. (2010). Networks in Aviation: Strategies and Structures. Heidelberg: Springer.
Jeffrey, M., & Norton, J. F. (2006). MCDM, Inc. (A) IT Strategy Sychronization. Kellog School of Management , 1-9.