Access Control Proposal
Purpose
This course project is intended to assess your ability to comprehend and apply the basic concepts related to information security management, such as the following:
• The ability to discern when a risk assessment should be performed and to carry out the task
• Understanding user or customer access requirements, whether remote or local
• Using a layered security approach to establish and maintain access controls
• Working with other departments, such as the human resources department, to identify and implement methods to prevent unwarranted exposure to information by inappropriate personnel
Your ability to execute the tasks within these information security domains and others will be evaluated against the learning objectives as identified and described in previous units of instruction for this course.
Learning Objectives and Outcomes
Successful completion of this project will ensure that you are capable of supporting the implementation and management of an information systems security framework. To be able to do so, you need to be able to do the following:
• Relate how an access-control policy framework is used to define authorization and access to an information technology (IT) infrastructure for compliance.
• Mitigate risks to an IT infrastructure’s confidentiality, integrity, and availability with sound access controls.
• Relate how a data classification standard influences an IT infrastructure’s access control requirements and implementation.
• Develop an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.
• Define proper security controls within the User Domain to mitigate risks and threats caused by human nature and behavior.
• Implement appropriate access controls for information systems within IT infrastructures.
• Mitigate risks from unauthorized access to IT systems through proper testing and reporting.
Required Source Information and Tools
You will require the following resources to complete this project:
■ Scenario entitled: Integrated Distributors Incorporated (provided beginning on page 4 of this document)
■ A computer with:
o Access to the ITT Tech Virtual Library
o Access to the Internet
o Microsoft (MS) Office Suite—MS Word, MS PowerPoint, and MS Visio or any other comparable editing, presentation, and drawing software
o Note-taking systems, such as pens, paper, and printers
The course project has a checkpoint strategy. Checkpoint deliverables allow you to receive valuable feedback on all your interim work. In this project, you have two such ungraded checkpoint deliverables, in Units 3 and 7, where you may either discuss your queries with the instructor or receive feedback from the instructor. The checkpoint deliverables help refine the final deliverables, if the feedback is incorporated effectively. The final deliverable for this project is a professional report that you need to submit in Unit 11.
Unit 3
Purpose of the checkpoint:
■ Understanding requirements
■ Clarification on project deliverables
■ Discussion on project concerns and progress up to this checkpoint
■ A review of the course project’s outline and schedule for completion
Expected deliverables from the student: Prepare an outline of issues and potential solutions and discuss with your instructor/chief information officer (CIO).
Unit 7
Purpose of the checkpoint:
■ Clarification on project deliverables
■ Discussion on project concerns and progress up to this checkpoint
■ A review of the course project’s outline and schedule for completion
Expected deliverables from the student: Draft the report and the PowerPoint presentation to discuss with your instructor, the CIO.
User identification, authentication, and authorization are essential in developing, implementing, and maintaining a framework for information system security. The basic function of an information system security framework is to ensure the confidentiality and the integrity, as well as the availability of systems, applications, and data. Certain information security implementation and management knowledge is required of network administrators, IT service personnel, management, and IT security practitioners, such as information security officers, security analysts, and domain administrators.
You are provided with the scenario named “Integrated Distributors Incorporated” beginning on page 4 of this document to complete this project. You play the dual role of an IT architect and IT security specialist working for Integrated Distributors Incorporated (IDI), a multinational organization with offices in several countries. Your instructor for this course plays the role of the chief information officer (CIO).
Your peers play the role of selected technology staff. Each of the organization’s locations is operating with different information technologies and infrastructure—IT systems, applications, and databases. Various levels of IT security and access management have been implemented and embedded within their respective locations.
Your goals as the IT architect and IT security specialist are to:
■ Develop and submit a comprehensive report addressing the learning objectives and your solutions to the issues within the scenario.
Use the following checklist to support your work on the course project:
■ I have considered an access control policy framework to define authorization and access to an IT infrastructure for compliance within the course project.
■ I have considered the influence of the data classification standard on an IT infrastructure’s access control requirements and implementation.
■ I have defined proper security controls within the User Domain to mitigate risk and threats caused by human nature and behavior.
■ I have developed and implemented an effective plan to mitigate risks to an IT infrastructure’s confidentiality, integrity, and availability with sound access controls.
■ I have developed an access control policy framework consisting of best practices for policies, standards, procedures, and guidelines to mitigate unauthorized access.
■ I have implemented appropriate access controls for information systems within IT infrastructures.
■ I have followed the submission requirements and necessary details for writing the vulnerability scan report.
Scenario: Integrated Distributors Incorporated
Integrated Distributors Incorporated (IDI), a publicly traded company, has its home office located in Billings, Montana. IDI has more than 4000 employees in the following locations:
■ Billings, Montana, 600 employees
■ Sao Paulo, Brazil, 580 employees
■ Warsaw, Poland, 975 employees
■ Sydney, Australia, 340 employees
■ Tanzania, Africa, 675 employees
■ Japan, China, and Hong Kong, 700 employees
IDI has accounts with major market retailers, Federal governments, and large State governments. IDI operates a fleet of trucks in each country and has network interface agreements with subcontractors for freight forwarding, storage, and delivery.
IDI is responsible for the movement of goods, from multiple manufacturers and distributors to its clients, in a timely and efficient manner using cost-effective methods. Alternatively, IDI may transfer this responsibility to one of its JVs or SAs, if it is more cost-effective and the income differential is within acceptable limits.
IDI is also under pressure from several of its competitors in the logistics industry. The competitive market is driving IDI to improve its routes, delivery methods, fleet vehicles, and other facets of its business to increase profits (a strategic goal) and to reduce costs. The company realizes that the information technology infrastructure has been neglected for some time and that many operating locations are running on outdated hardware and software. On several occasions last year, IDI suffered no fewer than four network compromises through one of its JV Internet sites that led to the disclosure of sensitive and strategic information on contracts and mergers.
The chief information officer (CIO) made a strategic presentation to the board of directors and executive management to first assess the aging infrastructure and then develop a multi-year phased approach to have all sites (except for JV and SA) on the same hardware and software platforms. Now that the funding has been approved for the infrastructure assessment, the CIO has asked you to update your passport and buy some new luggage.
Information about the assessment provided to you indicates that the current state core infrastructure (switches, routers, firewalls, servers, and so on) must be capable of withstanding 10-15% growth every year for the next seven years with a three-to-four-year phased technology refresh cycle.
There is a hodgepodge of servers, switches, routers, and internal hardware firewalls. Your review also disclosed that much (almost all) of the infrastructure is woefully out-of-date in terms of patches and upgrades. This operational neglect has unduly increased the risk to the network, in terms of confidentiality, integrity, and availability. Since this will be a multi-year technology upgrade project, something must be done to reduce IDI’s exposure to vulnerabilities to increase the overall security profile and reduce the risk profile.
Your inventory and review of the data center indicated the following requirements:
■ 14 Hewlett-Packard (HP) Unix servers
o Four with operating system 8.5 (one of them is used for application development)
o Four with operating system 9.X
o Six with some version of 11.X (one is used for test and production migration staging)
■ 75 Microsoft (MS) Windows 2003 servers (equally split between production, test, and development)
o Application servers 5
o Exchange e-mail servers 5
■ Core applications include the following:
o MS Exchange e-mail
o Oracle financials for accounting and financial systems
o Logisuite 4.2.2, installed approximately 10 years ago, has not been upgraded; however, over 350 modifications have been made to the core engine and the support license agreement has expired. Renewing this product will be extremely expensive, and the progressive upgrading to the current version is cost- and time-prohibitive.
o RouteSim, a destination delivery program, is used to simulate routes, costs, and profits. However, it is not integrated into Logisuite or Oracle financials to take advantage of the databases for real-time currency valuation and profit or loss projections.
o IDI has not standardized on the office automation hardware and software. If a manager likes HP, he buys HP whereas another manager may acquire Toshiba. Out of the 200 workstations in the headquarters, 200 are HP, 150 are Toshiba, 175 are IBM, 50 are Dell, and the rest are Apple PowerBook, although no graphics or Computer-Aided Design (CAD) software is available to maximize the PowerBook.
o Office software ranges from several word processing packages of various vintages, such as Lotus SmartSuite, early versions of MS Office 5, WordPerfect 7.0, and PC-Write. None of the packages is capable of integration with the other, and transferring files often causes corruption when opened in a package other than the original creation.
o Telecommunication has not been updated since the company moved into its current headquarters 15 years ago. This has left many of the new features for telecommunication lacking and not integrated with the customer service database to improve call management efficiency. The non-descript system was acquired from a service provider that is now out of business and limited spare parts are available.
o Even though policies exist that prohibit the introduction of personal devices, such as Blackberry or Blueberry, iPods, and iPhones, many of the executives have had local administrators install the clients on their unsupported, non-standard personal laptop computers, and workstations that interface with the Internet. The devices have little, if any, protective measures to prevent exposure and loss of data or network compromise.
o The original wide area network (WAN) was designed by MCI in the early 2000s and has not been upgraded. Several data rate increases have occurred in the Asian offices, and Brazil has been distressed. During peak periods, usually between September and March, the capacity is insufficient for the organization. Many times, the Internet customers are lost due to dropped connections and abandoned shopping baskets, further reducing growth and revenue.
o Telecommunication works through a limited Mitel SX-2000 private automatic branch exchange (PABX) that only provides voice mail and call forwarding.
Sao Paulo, Brazil
While earning frequent flyer miles and increasing your personal growth, your arrival in the Sao Paulo office is followed by many pleasant surprises. You discover that the Brazil office is a model of standardization. The Brazil office has the following setup:
■ 30 MS Windows for file and print
■ 4 Linux (UNIX) servers for major production applications
■ 2 Linux (UNIX) servers with the Internet zone with Juniper high-speed switches and routers
■ A storage area network based on EMC CLARiiON
■ SAP R/3 (ECC6-Portal based apps)
■ Materials management
■ IBM Lenovo T 600 standard portable computers
■ Up-to-date information security policies, although in Spanish
■ The telephone system provided by SP Telesis—one of the four competing providers in the metropolitan city
■ The NEC NEAX 2400 series PABX used for internal and external communications
No problems were noted here, but it was good to get out of the office and see the world. Although two technicians are available for this network, vendors are unwilling to sign service agreements or commit to defined standards for service response. Both technicians are qualified, with one being a Microsoft Certified Systems Engineer (MCSE) who has little experience in the WAN environment. The Sao Paulo office is connected to the corporate office through an on-demand virtual private network (VPN) connection with a common six-character password that is used by all office personnel and the shipping and receiving departments. While sitting in the cafeteria one afternoon, you hear one of the technicians discussing increasing the privileges of the shipping supervisor’s account. The shipping supervisor claimed that he would be more efficient if he could see inbound receipts based on sales and had privileges equivalent to the general manager. No anti-virus or anti-malware software is installed, as hackers have never attacked the location.
Warsaw, Poland
Strategically staged to assist IDI for major growth in the Middle East and Asia, the office in Poland is the home portal for expansion and geographical client development.
Although this is the largest office, based on employees, this office has minimally sufficient computing power to stay afloat on day-to-day activities. The hardware and other networking essentials of this office are as follows:
■ 86 MS Windows servers for file, print, and basic network connectivity
■ 6 Qantel UNIX servers for major production applications
■ S&S, the primary freight forwarding application is about 10 years old and does not interface with the McCormack dodge accounting and finance system
■ 6 Web servers (4 are primary and 2 fail during clustered load balancing)
■ IBM Infinity hardened server serving as a proxy for the network
■ Other infrastructure includes 6 Cisco switches (Catalyst 49XX series) to break the department up into transaction zones:
o Shipping and receiving
o Internet, with self-service pages for small to medium customers
o Intranet to keep staff trained on various aspects of changing customs laws and regulations
o Global Positioning System (GPS) performance monitoring to control the large fleet of trucks with location transmitters
o A separate access enclave is used for unmonitored access from strategic alliance and JV partners.
■ A public wireless network is sponsored in the cafeteria running WPA (Wi-Fi Protected Access) with no password
■ Telecommunication is a Siemens Saturn series Private Branch Exchange (PBX) approximately 8 years old, and some of the features have become faulty. The desktop phones have not been replaced or upgraded during this time.
Mareck, the son-in-law of the shipping director, has the technical responsibility for network operations, information technology (IT) security, and end user computing. Mareck earned his bachelor’s degree in horticulture and worked as a hothouse tender before marrying Loueasa, who is responsible for IDI’s accounts receivable department. Although the accounts always balance, noticeable period-end adjustments seem necessary since Mareck and Loueasa bought their new multistory home.