Research Paper Undergraduate 3,195 words

Information Technology (IT) Security Implementation

Last reviewed: November 24, 2009


IT Security Implementation

Provide a summary of the actual development of your project.

Because small corporations have to work under conditions of conflicting information technology in many instances, the requirement of maintaining these systems' details entails far too many time-consuming processes that have to be carried out. This allows for the business to work in a logical order and promotes a more logical approach to the making of business decisions. The end result is organizational progress and consistent profitability. Thus, the lack of an IT Security Policy Plan may keep the organization from reaching its organizational potential. This project's main objective and expected outcome entails designing a network security plan for implementation and then detailing the process of implementing the program. The purpose is to address the various aspects of having a written and enforceable technology security policy as well as to describe an overview of the necessary components for an effective policy to remain functional. The intention is to provide enough detail for a reader of this policy to gain the necessary understanding of the underlying processes, methodologies, and procedures that would be needed to initiate the development of the small corporation's system-wide IT Security Policy.

When developing an IT Security Policy Plan, it is important to keep in mind the 'defense in depth' model, which entails the company not being overly reliant on one single principal means (or layer) of protection. Instead, this particular design will take into consideration the development of a security program that has the potential capability to provide multiple layers of defense in order to ensure a maximum level of protection for the organization's data and resources and to minimize the potential for data compromise. As is the expectation of any policy creator, the organization should keep in mind that an IT Security Policy Plan can only protect data from known or existing information-compromising processes or other exploits. All organizations' network data and systems are potential targets for hazardous exploits; however, with an effective Information Technology Security Policy Plan, this implementation plan should enable the network administrator to effectively detect blatant or less obvious anomalies in current or future network traffic. Therefore, the organization will have the ability to take proper steps toward mitigation of the potential problem, i.e., implementation of this proactive vs. a reactive system.

This project proposal defines a viable IT Security Policy Plan for any small business network that has thirty computers or fewer with three or fewer servers and that has an operating range of services that include traffic from Web-based applications, e-mail, and an application database. The e-mail system for smaller organizations will require continual security upgrades based on risk factors; the current lack of e-mail security will affect the overall system performance.

Include a precise description of your project.

This project entails delivering an IT Security Policy Plan that would serve to meet the company's most critical elemental needs. The policy has the objective of identifying all of the necessary detailed policies and procedures, rules and process methodologies that everyone who uses or accesses the organizational computer resources must adhere to, which will ensure more reliable confidentiality, integrity, and availability of the organization's data and resources. The main advantage of this process is that it will document an organization's security posture as well as describe and assign functions and responsibilities, grant authority to security professionals, and identify which incident and response processes and procedures need to be followed.

It must be understood that all security-related decisions that are made, or that fail to be made, determine how secure or insecure the organizational network will be. The functionality of the organization's network will provide insights into how easy or difficult the network will be to use. Part of this implementation process will also take into consideration the organization's security objectives and goals. This will make effective use of the collection of all security tools so that administrators will check for any new restrictions to impose.

Security and ease of use are supposed to be inversely proportional. There will never be a 100% completely secure system. The underlying objective is to concentrate on reducing as much risk as possible while at the same time not bogging down system resources. Network security has the intimidating task of protecting all members of the organization from all potential threats. Consider the responsibility in organizations such as banks and financial institutions, insurance companies, brokerage houses, consulting and governmental contractors and agencies, hospitals or medical facilities, laboratories, internet and television service providers. Other companies that have to provide security services include utility and chemical companies and universities. Security takes on new meanings in each of these situations because of each industry's unique requirements.

Include an expanded discussion of your review of other work done in the area.

Network security for either internet or internal networked infrastructures has been required to deliver three main objectives seamlessly. The small business atmosphere requires that these basic security concepts (confidentiality, integrity, and availability) all be met. IT Security Policy Plans have historically allowed organizations to address these needs by clarifying processes of authentication, authorization, and nonrepudiation. Other networking plans may or may not address these needs because network security means different things to different organizations. For example, one administrator may consider illegal network access to be a stalled computer communication system process similar to those perpetrated on Yahoo a few years ago, while another administrator may see the problem to mean the execution of a highly placed spy bot. In each case, the solution to the network security problem would entail a completely different solution based on the administrator's position.

It is critical to understand the significance of work in the area of network security. There have been instances of children at the high school level who were attaining poor overall grades still having the ability to gain unauthorized access to totally secured network infrastructures at the Department of Defense, the Department of Transportation and other highly secured environments. These kids know exactly how and what to do because these adolescents have literally grown up with this new networking technology. Kids today generally understand the underlying concepts of network security very well. Add the threat of more sophisticated network hackers and professional terrorists and the reality of whole foreign nations that need some competitive advantage, and the concept of computer criminals and network intruders takes on new meanings. Administrators have to be aware of the plethora of techniques for breaching network security such as probes, scans, account compromise, root compromise, packet sniffers, denial of service attacks, exploitation of system trust, basic malicious code implementations, and the many other internet infrastructure attacks. Of course, the real threat to network security in the majority of cases is not some world-class hacker; it is usually a typical employee who utilizes an unsecured password or forgets to log off in the evening. A viable and effective IT Security Policy Plan provides a network security engineer the proper tools to address all of these concerns and more. AMR Research has in the past relied on expert-level analysts that have the ability to evaluate trends in the market and therefore be able to offer guidance to organizations in need of VPN and SSL connections. Protecting the organizational intellectual property is a key organizational objective, and the proper institution of this IT Security Policy Plan will be mission critical.

Include an expanded discussion of your Rationale and Systems Analysis for the project.

To expand on the Rationale and Systems Analysis, the focus will be on network setup. The underlying goal is to address as many system access points as possible with the intent of securing these various points of security breaches. For example, a single node that may not even have any highly secure data on it directly can still be an access point for the entire network and allow unauthorized access to the entire organization's mission-critical information. The idea is to create a plan that will keep seemingly innocuous data points from compromising the computer system.

Every single node is an access point that can provide data such as hardware capabilities, software available, operating and network system configuration data, type of network connection and router points, system or individual phone numbers, and most important, access and authentication procedures currently in place. In the hands of a capable individual, this type of information can provide enough data to enable unauthorized individuals to obtain access to the more mission-critical data, files and programs needed to secure the system. Even in fun, hackers have established games or contests with the sole intention of gaining system access information with techniques like trashcan diving or social engineering. It is unbelievable how often security information like passwords, access control files and keys, company or personnel data or whole detailed encryption algorithms. The key here is that no organization that utilizes open-ended networking infrastructure or that utilizes the internet is immune to these types of networking security breakdowns.

Project Goals and Objectives:

Review the list of the goals and objectives of your project and explain why you did or did not accomplish them.

The project entails relying on the Open Systems Interconnection (OSI) Model defined by the International Organization for Standardization (ISO). The goals and objectives are to first create a Baseline Security Level and also to manage to Real-Time Security Metrics. This goal entails the objectives of defining an executive and corporate-wide audit of the existing data security process and evaluating organizational performance for all major components and key security metrics to verify that they do or will meet industry standards. Next come the objectives for systematically developing sourcing and supplier criteria for potential or future purchasing agreements of all new products and services.

The second priority goal would entail defining and executing assessments of application-based security systems and processes on a periodic schedule. This is mission critical because of the implications for potential threats from viruses in either files or e-mails. These types of worm, trojan or other viral infections in servers have the potential to bring the entire system down. E-mail security will need consistent and effective scanning to eliminate or reduce the opportunity for unauthorized access to organizational systems that could damage company operations. The main objective would be to create viable e-mail monitoring policies consistent with documentation for managing all internal and external e-mail traffic. The next objective for this goal would be to evaluate all hosted or Software-as-a-Service (SaaS) applications such as Google Apps, Google Documents, or any other process applications based on cost and convenience and statutory licensing policies.

The third goal would be to create a scenario that is consistent and can maintain necessary security standard compliance needs. The initial objective of this goal is to clearly define SSL as a company protocol for wireless and the well-placed WiFi network transmitters and routers throughout the company to promote optimal communication capabilities with the safest number for security needs. The next objective of this goal is to take into consideration the potential for growth and to define security standards that will be able to evolve with and for application-level and operating system upgrades.

Project Timeline: Explain why you did or did not meet the timeframes set for your project.

Completing the project on time and within budget is always a positive expectation. In this case, the expectation set forth by forecasting and anticipating some expectations and unforeseen delays is a timeline to completion of 90 days. This phase of the process allows for the documentation and testing of the mandatory benchmarking needs of the new IT Security Policy Plan. Documentation as a new system requirement is often overlooked as a necessity because it is time consuming, but the drafting of a verbal blueprint of the existing levels of security across applications, operating systems, servers, and network integration points is critical to the upkeep of the system. So although the process adds man-hours of time, the overall success of the system and the ability of the system to evolve require the additional step. There will be some additional time in man-hours for internal resources such as cross-functional teams that have the responsibility to assist in measurement of key security metrics and real-time dashboard development.

An additional six months will be required to create and test the application security strategy which will evaluate applications, servers, and e-mail security and then offer viable security updates. Another 3 months will be needed for support for the IT staff and senior management. The finance and functional department leaders will also be updated to ensure that the applications are managed properly. Total time will be one year.

Project Development: Explain what your project actually accomplished. Explain each of the following:

Problems encountered and how they were solved

One of the most blatant problems encountered was that the staff of the company was not as well versed in network protocol as should be expected. Having a staff that is not well versed in the overall system could lead to many security breakdowns, from accidentally giving up a password to downloading viruses through the e-mail process. This problem was discovered and solved by creating an additional step in the final implementation process. A mandatory awareness training for all employees will be added. This process will address the many new and existing security awareness concerns of the organizational staff. The system security team and administrator will conduct this training, which will help ensure that the program has a better chance at a successful outcome. This training will be provided at different levels so as not to overburden minor staff and not to underwhelm major staff. For example, executives, high-level managers and system administrators, security officers and all of the individuals with access to organizational data of a secure nature will have a very different training than factory-level employees. Additionally, staff training should be re-run on a periodic basis such as a bi-annual schedule, and all new hires should be given the training. To ensure compliance, staff who have completed training will be required to sign a written certification statement, which will help the security officer and team enforce the company security policies with management.

Reasons for changes made to your original plan

The first phase of the project was focused on enabling measurement of the level of security present. The audit specs needed to be altered to include cost factors for the first security audit. One of the least considered concerns other than obvious infrastructure gaps is the affordability justification. Fundamental principle yield is different based on class of service and can be defined at the high-priority classes during peak periods of demand. But this audit did not take into consideration the low periods of demand when discount classes attract higher levels of demand. System capacity and cost have historically stopped certain testing obligations because of infrastructure investment. It is difficult to test for things that may or may not happen, but it is also difficult to justify stopping a company from expecting return on their investment. The IT Security Policy Plan will be reevaluated for this phase to gather associated costs of new software, server, workstation, and network hardware compared to utilizing existing hardware and infrastructure with only software migration as a second option, as well as to justify keeping system administration in-house or outsourcing it.

Unanticipated requirements or components that needed to be resolved

Cite This Paper
PaperDue. (2009). Information Technology (IT) Security Implementation. PaperDue. https://www.paperdue.com/essay/information-technology-it-security-implementation-17113
