System Security
Purpose of the assessment
The purpose of this assessment is to assess the student in the following outcomes, each recorded as Competent (C) or Not yet Competent (NYC):
Performance Criteria: ICTNWK520 Design ICT system security controls
1. Review organisational security policy and procedures
1.1 Review business environment to identify existing requirements
1.2 Determine organisational goals for legal and security requirements
1.3 Verify security needs in a policy document
1.4 Determine legislative impact on business domain
1.5 Gather and document objective evidence on current security threats
1.6 Identify options for using internal and external expertise
1.7 Establish and document a standard methodology for performing security tests
2. Develop security plan
2.1 Investigate theoretical attacks and threats on the business
2.2 Evaluate risks and threats associated with the investigation
2.3 Prioritise assessment results and write security policy
2.4 Document information related to attacks, threats, risks and controls in a security plan
2.5 Review the security strategy with security approved key stakeholders
2.6 Integrate approved changes into business plan and ensure compliance with statutory requirements
Assessment/evidence gathering conditions
Each assessment component is recorded as either Competent (C) or Not Yet Competent (NYC). A student can only achieve competence when all assessment components listed under the “Purpose of the assessment” section are recorded as competent. Your trainer will give you feedback after the completion of each assessment. A student who is assessed as NYC (Not Yet Competent) is eligible for re-assessment.
Resources required for this assessment
Computer with relevant software applications and access to the internet
Weekly eLearning notes relevant to the tasks/questions
Case Study
Located in Sydney, Devon Accounting is a medium sized accounting company that offers tools and technologies to prepare all types of tax returns, including individual, sole trader, partnership, trust and company returns. They also provide a broad range of small business accounting services, including bookkeeping, financial statement preparation, tax planning, and advice.
The company headquarters is located in Sydney in a three-storey building with each floor being approximately 2000 square meters. The regional offices are located in Dubbo, Orange, Ballina and Kiama. All of the offices have at least one wireless access point and several of the offices have three or more. Each office has its own local internet connection. All the remote offices are connected to headquarters via a leased WAN connection.
Floor | Department | Employees (Year 1) | Employees (Year 2)
Ground | Showroom | 3 | 4
Ground | Accounts | 30 | 45
Ground | Payroll | 3 | 6
Ground | IT | 5 | 9
1st | Sales & Marketing | 45 (15 remote) | 90 (50 remote)
1st | Customer Service | 7 | 12
2nd | Corporate | 5 | 7
2nd | Administration | 8 | 12
2nd | Human Resources | 3 | 5
Total | | 109 | 190
Most of the workstations run a mix of Windows and Macintosh operating systems. The graphics department uses Apple computers. Static IP addresses are typically assigned to common resources and DHCP is used for workstations. When the network was originally designed, IP subnets were assigned to different offices and departments. However, over time and as the network has grown, this subnet organisation has broken down. Over the last several years IP subnets have been assigned and reassigned without any regard to location.
All connections to the internet are protected by firewalls and network intrusion detection systems. All the workstations have virus-scanning software and a central console is used to push out signature updates. Workstations and servers are generally kept up to date with patches and service packs. The networking staff has employed all the standard security practices one would expect to find at most organisations of this size.
Although network security is well established in this company, there are still several IT security vulnerabilities that the company faces on a regular basis, mostly from human-machine interactions.
For example, a salesperson who frequently holds meetings in a conference room near his office was frustrated by the lack of available network connections for meeting participants. He decided to pick up an inexpensive wireless access point at his local electronics store and plugged it in. The salesman didn’t consider that the conference room was next to the parking lot, making the access point available to the public.
Another problem they face is the amount of time it takes for the network administrator to locate infected computers whenever a virus strikes throughout the enterprise. It is always a challenge to quickly identify, locate and disable the switch ports of infected machines. It can take up to 45 minutes per workstation, for a potential total of 75 hours, to locate and identify the infected users. This process usually includes logging into and querying routers and switches, then physically going to the switch to identify the port and trace the wire to the workstation. It would be even more difficult for a workstation at a remote location, should the company expand in future.
This process is unproductive, costly and time consuming. Additionally, it assumes some knowledge of the network architecture. A new network administrator who did not possess knowledge of the network topology would have a much more difficult time locating the infected workstations.
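The manual "query the router, then each switch" lookup described above is straightforward to automate once the ARP and MAC address tables have been captured. The following added example (not code from the case study; the hostnames, addresses, MAC addresses, port names and CLI output are all constructed placeholders in Cisco IOS style) resolves a workstation IP to the access switch port it is plugged into, skipping switch-to-switch uplink ports so that the answer is the port to disable rather than a trunk.

```python
"""Map a workstation IP to the access switch port it is plugged into, offline.

Added example, not part of the original case study: it automates the manual
"query the router's ARP table, then each switch's MAC address table"
procedure, working on captured CLI output rather than live devices.
All hostnames, addresses, MACs and port names are constructed placeholders.
"""
import re

# Constructed sample of `show ip arp` captured from the core router.
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               -   0000.0c07.ac14  ARPA   Vlan20
Internet  10.1.20.15             12   0011.2233.4455  ARPA   Vlan20
Internet  10.1.20.77              3   0011.2233.99aa  ARPA   Vlan20
Internet  10.1.30.8               0   aabb.ccdd.0001  ARPA   Vlan30
"""

# Constructed samples of `show mac address-table` from two access switches.
SWITCH_MAC_TABLES = {
    "sw-ground-1": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/7
  20    0011.2233.99aa    DYNAMIC     Gi1/0/24
  30    aabb.ccdd.0001    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 3
""",
    "sw-first-2": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    aabb.ccdd.0001    DYNAMIC     Gi1/0/3
  20    0011.2233.99aa    DYNAMIC     Gi1/0/12
Total Mac Addresses for this criterion: 2
""",
}

# Ports that carry traffic from other switches (uplinks). A MAC learned on an
# uplink is somewhere behind that port, not on this switch, so it is skipped.
UPLINK_PORTS = {"sw-ground-1": {"Gi1/0/24"}, "sw-first-2": set()}

ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9A-Fa-f.]{14})\s+ARPA\s+(\S+)")
MAC_LINE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.]{14})\s+\S+\s+(\S+)")


def normalize_mac(mac):
    """Reduce any common MAC notation (dotted, colon, dash) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_arp(text):
    """Return {ip: mac} from `show ip arp` output; header lines do not match."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def parse_mac_table(text):
    """Return {mac: port} from `show mac address-table` output."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            table[normalize_mac(m.group(2))] = m.group(3)
    return table


def locate(ip, arp_text=ROUTER_ARP, switches=SWITCH_MAC_TABLES, uplinks=UPLINK_PORTS):
    """Return (switch, port) of the access port serving `ip`, or None if unknown.

    The first switch where the MAC is learned on a non-uplink port wins;
    an entry on an uplink port only says the host is behind another switch.
    """
    mac = parse_arp(arp_text).get(ip)
    if mac is None:
        return None
    for switch, text in switches.items():
        port = parse_mac_table(text).get(mac)
        if port is not None and port not in uplinks.get(switch, set()):
            return switch, port
    return None


if __name__ == "__main__":
    for ip in ("10.1.20.15", "10.1.20.77", "10.1.30.8", "10.9.9.9"):
        hit = locate(ip)
        print(ip, "->", f"{hit[0]} {hit[1]}" if hit else "not found")
```

On a live network the same functions can be fed the output of the equivalent commands collected over SSH, and the returned port is the one to shut down while the workstation is cleaned.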
Another serious issue the company must address is IT security, in order to protect its information and digital assets from compromise, theft or loss, since Devon Accounting stores commercial assets and personal information on smart phones, computers, hard drives and online. An attack can come from a determined attacker outside, or from an insider threat within the business. Devon Accounting could be the victim of hacking because of its online presence.
Devon Accounting has been increasingly using cloud computing for various business processes. Xero is accounting software hosted in the cloud that provides integration between the small business’s accounting software and its accounting advisors. Xero has recently become a popular choice of tool at Devon Accounting. Office 365 is another tool used by some of the employees at Devon Accounting.
One new management headache created by cloud computing is the fragmentation of where the files are stored. There is no consistency in the storage of these files which are stored on Dropbox, Google Drive, and OneDrive. It is easy to forget where the data is. Backing up all this data from different locations, or moving from one provider to another, is complex and difficult.
The use of mobile devices has increased exponentially and employees at Devon Accounting have taken up these devices enthusiastically because of convenience in the workplace. Employees felt they would get more tasks done on time if allowed to choose their own mobile tools – and even their sceptical bosses felt that the use of these consumer mobile devices in the workplace increases employee productivity.
This concept of 'Bring Your Own Device' (BYOD) - where employees use their personal devices to store business data – opens up new concerns and issues for Devon Accounting. In addition to worries about where exactly the business’s data might be ‘in the cloud’, BYOD means that any small – and easily-lost – device can easily contain vast amounts of relevant business information. Spreadsheets with pricing models, client lists, usernames and access can easily be stored on a mobile device.
Worryingly, though, the use of personal mobile devices and cloud computing services is not even mentioned in the current IT policy. Mobile devices can be gateways for new viruses, Trojan horses and other IT security problems, and Devon Accounting is currently not well equipped to address such problems.
IT security planning is important for every organisation. Recently, you have been hired by your company to work as an IT security consultant. Security controls at Devon Accounting were implemented 5 years ago. New systems, services and IT equipment have been added to the network since then. If any small or large disaster occurs, the company is not prepared to recover from it, so there is a high possibility that its business processes and functions would be disrupted for a long period of time. This would also result in different kinds of losses to the company.
Devon Accounting performs its different functions and business processes with the help of different IT equipment and computer systems. You are told that it mainly wants an IT security plan developed and implemented for its IT system. There is different IT equipment in the company networks such as servers, workstations, printers, and so on. There are also web applications which employees use in their daily operation.
Current Security Controls:
SWOT analysis was used to identify the risks which led to the implementation of current security controls, and that was developed 5 years ago; since then a lot has changed in the company.
The security controls were implemented by the network administrator Bill Simmons, whose role was to manage the day-to-day operation of the network. Maintenance and management of IT security was not Bill’s forte. The company at that time chose not to recruit specialist IT security personnel. The plan has never been revisited since and does not include the various changes and updates made to the system processes and networking devices over the years.
Furthermore, the current security policy implemented at Devon Accounting only covers Assets, Access Control, Password Control and Email. It is very surprising that a business which deals with clients’ financial information has no security policies in place for critical security issues such as Internet, Anti-Virus, Remote Access, Outsourcing, Acceptable Usage, Web Access, Wireless Security, Server Access, Information Classification, Social Media, Cloud Computing Services and Storage, external devices, etc. The consequences for employees who purposely violate the company’s rules for their personal gain should also be emphasised.
With the increase of employee numbers and relocation, company director Andrew Jacobs is concerned about the IT security of the system in place and the protection of customer data stored on the system and server.
With this and the recent reports on threats to the systems of companies worldwide, the Director, together with the company's CEO, is more aware of the need to have IT security controls in place.
To address all these issues the company has appointed you as an IT security consultant. Your primary role is to understand the systems and processes of the company. For this case study, your Facilitator will act as an IT Manager who will provide you with the required information regarding the different IT equipment, operations and business processes of the company.
You must consult your IT Manager (your facilitator) regarding the progress of each stage during IT Security planning process.
Network diagram for the organisation is shown below. This diagram is essential for understanding how the network works and what changes are possible in it.
Figure 1: Sample Network Diagram of a typical Devon Accounting office
Figure 2: Sample Network Architecture of a Devon Accounting
(Appendix 1): Please see below the memorandum sent by email from the Company’s Director.
Memorandum – Devon Accounting Sydney Office
To: Staff
From: Director Andre Jacobs
RE: IT SECURITY ISSUES AND REQUIREMENTS
Dear all
As you probably already know, the new Devon Accounting office is being relocated.
With this change of location and thinking about the greater security of our current and prospective customers, the company's steering committee decided to hire an IT security consultant.
This hiring aims at the best structure for our security systems so that we can protect the data of customers and employees and all our databases.
This decision was also made after realizing that some issues in our system and procedures needed to be investigated, such as:
1. Data loss during a recent malware attack on the company’s network which affected the company economically
2. Some of the operating systems used by staff are old and difficult to get support for (Application and Operating Systems Patches)
3. Some of the staff are given remote access, but no monitoring is done and no controls are in place (Remote access controls)
4. Staff have been receiving too many spam and malicious mails (Email filter and web content)
5. Network services such as printing and scanning are down frequently due to server issues (capacity and networking equipment)
6. Several laptops have gone missing from the office (Physical Security)
7. A blackout due to a storm resulted in the whole system going offline, causing a productivity loss which was severe for the company (UPS)
8. Staff have been using easy-to-remember passwords, and there have also been instances where a staff member wrote the password on a sticky note and placed it on the computer screen. Staff are also not locking their workstations during their lunch break. Serious issues can arise when the staff involved are responsible for processing payments and invoices (Password policies and authentication).
9. The IT department is having difficulties dealing with issues relating to viruses, worms and malware. Staff are using personal USB drives in company workstations and accessing external websites which may contain malicious code (Firewall updates)
10. Some staff also access the company’s network and Intranet via wireless devices. Staff are not happy about the speed being too slow or information taking too long to download (Wireless security and wireless access points)
11. Employees are using their personal wireless devices to store business data.
12. One new management headache created by cloud computing is the fragmentation of the files stored. There is no consistency in the storage of these files. Files are stored on Dropbox, Google Drive, or OneDrive. Backing up all this data from different locations has become complex and difficult.
Besides these key points, the company's management is concerned with possible data breaches caused by employees who normally access data from their mobile devices or remotely.
For these and other reasons, it is critical that we review our current security policies, prepare a detailed security plan and investigate what actions and measures can be taken.
We count on the collaboration of all during this process to assist the IT security consultant in conducting a security analysis and recommending the controls to be implemented.
Regards,
AJ.
Bill Simmons responsibilities (Appendix 2):
Responsibilities included:
· installing and configuring computer networks and systems
· identifying and solving any problems that arise with computer networks and systems
· budgeting for equipment and assembly costs
· assembling new systems
· maintaining existing software and hardware and upgrading any that have become obsolete
· monitoring computer networks and systems to identify how performance can be improved
· working with IT support personnel
· providing network administration and support
Current Cyber Security Controls (Appendix 3):
Below are the details of the security controls implemented by Bill Simmons at Devon Accounting 5 years ago.
Security Controls | Description / Issues | Security Control in Place | Update Required
Password | Passwords chosen by staff are weak, not secure and do not use multi-factor authentication where possible. Passwords are not changed regularly and are shared among other users. | Yes | Yes
System Access | Access privileges are not properly implemented | Yes | Yes
Secure Wi-Fi & Devices | Employees are able to use company and public wireless networks on the company’s devices. | No | Yes
Legitimate Software | Staff are allowed to download and install software of their choice | No | Yes
Patches and Anti-Virus | Anti-virus software is very old | Yes | Yes
‘Clean’ devices | Staff are allowed to use personal USB or external hard drives on company PCs. | No | Yes
Social Media | Staff are allowed to access social media sites such as Facebook, YouTube, Twitter and Instagram on the company’s network | No | Yes
 | Staff have been receiving too much spam and junk mail, which is clogging up the network | No | Yes
Cloud Computing Services and Storage | The company uses the cloud-based accounting application Xero and Office 365. Backup for cloud storage has become an issue. | No | Yes
Remote Access | Staff are given remote access, but no monitoring is done and no controls are in place | No | Yes
Appendix 4
Current Security Policy for DEVON ACCOUNTING
Version | Description | Date | Author
1.0 | DevonSecurityPolicy_v.1 | 10 October 2014 | Bill Simmons
This Security Policy document defines the security requirements for the proper and secure use of the Information Technology services at Devon Accounting. Its goal is to protect Devon Accounting assets and users to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes.
This document applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services. Compliance with policies in this document is mandatory for this constituency.
The security policy was created to follow the legal and ethical standards and to meet the obligations under the Privacy Act and Australian Privacy Principles.
IT Assets Policy
The IT Assets Policy section defines the requirements for the proper and secure handling of all the IT assets at Devon Accounting.
The policy applies to desktops, laptops, printers and other equipment, to applications and software, to anyone using those assets including internal users, temporary workers and visitors, and in general to any resource and capabilities involved in the provision of the IT services.
1. IT assets must only be used in connection with the business activities they are assigned and / or authorized.
2. Every user is responsible for the preservation and correct use of the IT assets they have been assigned.
3. All the IT assets must be in locations with security access restrictions.
4. Active desktop and laptops must be secured if left unattended.
5. Access to assets is forbidden for non-authorized personnel.
6. All personnel interacting with the IT assets must have the proper training.
7. Users shall keep the assets assigned to them clean and free of accidents or improper use. They shall not drink or eat near the equipment.
8. Company’s laptops, PDAs and other equipment used at external location must be periodically checked and maintained.
9. The IT Technical Teams are solely responsible for maintaining and upgrading configurations. No other users are authorized to change or upgrade the configuration of the IT assets. That includes modifying hardware or installing software.
10. Special care must be taken for protecting laptops, PDAs and other portable assets from being stolen. Be aware of extreme temperatures, magnetic fields and falls.
11. When travelling by plane, portable equipment like laptops and PDAs must remain in possession of the user as hand luggage.
12. Whenever possible, encryption and remote-erase technologies should be implemented in portable assets in case they are stolen.
13. Losses, theft, damages, tampering or other incident related to assets that compromises security must be reported as soon as possible to the Information Security Officer.
14. Disposal of the assets must be done according to the specific procedures for the protection of the information. Assets storing confidential information must be physically destroyed in the presence of an Information Security Team member. Assets storing sensitive information must be completely erased in the presence of an Information Security Team member before disposing.
Access Control Policy
The Access Control Policy section defines the requirements for the proper and secure control of access to IT services and infrastructure at Devon Accounting.
This policy applies to all the users, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
1. Any system that handles valuable information must be protected with a password-based access control system.
2. Any system that handles confidential information must be protected by a two-factor-based access control system.
3. Discretionary access control lists must be in place to control the access to resources for different groups of users.
4. Mandatory access controls should be in place to regulate access by processes operating on behalf of users.
5. Access to resources should be granted on a per-group basis rather than on a per-user basis.
6. Access shall be granted under the principle of “least privilege”, i.e., each identity should receive the minimum rights and access to resources needed for it to successfully perform its business functions.
7. Whenever possible, access should be granted to centrally defined and centrally managed identities.
8. Users should refrain from trying to tamper with or evade the access control in order to gain greater access than they are assigned.
9. Automatic controls, scan technologies and periodic revision procedures must be in place to detect any attempt made to circumvent controls.
Password Control Policy
The Password Control Policy section defines the requirements for the proper and secure handling of passwords in the Organization.
This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
1. Any system that handles valuable information must be protected with a password-based access control system.
2. Every user must have a separate, private identity for accessing IT network services.
3. Each identity must have a password at least 5 characters long.
4. Sharing of passwords is forbidden. They should not be revealed or exposed to public sight.
5. Whenever a password is deemed compromised, it must be changed immediately.
6. For critical applications, digital certificates and multiple factor authentication using smart cards should be used whenever possible.
7. Identities must be locked if password guessing is suspected on the account.
Email Policy
The Email Policy section defines the requirements for the proper and secure use of electronic mail at Devon Accounting.
This policy applies to all the users at Devon Accounting, including temporary users, visitors with temporary access to services and partners with limited or unlimited access time to services.
1. All the assigned email addresses, mailbox storage and transfer links must be used only for business. Occasional use of a personal email address on the Internet for personal purposes may be permitted if in doing so there is no perceptible consumption of the Organization's system resources and the productivity of the work is not affected.
2. In no way may the email resources be used to reveal confidential or sensitive information from the Organization outside the authorized recipients for this information.
3. Using the email resources of the Organization for disseminating messages regarded as offensive, racist, obscene or in any way contrary to the law and ethics is absolutely discouraged.
4. Use of the Organization's email resources is maintained only to the extent and for the time needed for performing the duties. When a user ceases his/her relationship with the company, the associated account must be deactivated according to the established procedures for the lifecycle of accounts.
5. Privacy is not guaranteed. When stronger requirements for confidentiality, authenticity and integrity apply, the use of electronically signed messages is encouraged. However, only the Information Security Officer may approve the interception and disclosure of messages.
6. Outbound messages from corporate users should have approved signatures at the foot of the message.
7. Attachments must be limited in size according to the specific procedures of the Organization. Whenever possible, restrictions should be automatically enforced.
Threat and Risk Assessment of current assets (Appendix 5):
Role | Participant
System Owner | Bill Simmons
Network Administrator | Bill Simmons
Director | Director Andre Jacobs
Techniques Used
Technique | Description
Risk assessment questionnaire | The assessment team used a customized version of the self-assessment questionnaire in NIST SP-26 “Security Self-Assessment Guide for Information Technology Systems”. This questionnaire assisted the team in identifying risks.
Assessment Tools | The assessment team used several security testing tools to review system configurations and identify vulnerabilities in the application. The tools included NMAP, NESSUS and APPSCAN.
Vulnerability sources | The team accessed several vulnerability sources to help identify potential vulnerabilities. The sources consulted included: SANS Top 20 (www.sans.org/top20); OWASP Top 10 (www.owasp.org/documentation/topten.html); NIST I-CAT vulnerability database (http://icat.nist.gov); Microsoft Security Advisories (www.microsoft.com/security).
Review of documentation | The assessment team reviewed system documentation, network diagrams and operational manuals.
Interviews | Interviews were conducted to validate information.
Site visit | The team conducted a site visit and reviewed physical access and environmental controls.
In determining the risks for Devon Accounting, the team used the following model for classifying risk:
Risk = Threat Likelihood x Magnitude of Impact
Impact | Definition
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Examples: a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; major damage to organizational assets; major financial loss; severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Medium | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. Examples: significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; significant damage to organizational assets; significant financial loss; significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. Examples: degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; minor damage to organizational assets; minor financial loss; minor harm to individuals.
T-1.8.1_v3
System Security - Assessment Task 1 v6, Last updated on 06/09/2019 Page 18
Asset or service | Business value | Threat | Existing controls | Still existing vulnerabilities/weaknesses | Description of Impact | Impact | Likelihood | Risk Rating | Action items | Reviewed
Server | High | Hacking | User authentication / Locked door | Lack of strong password policy enforcement | Improper use of system resources | High | High | Medium | Check the credential policies (getting credentials and enforcing password policy) | 01/03/2015
Backup drive | Medium | Accidental data removal / deletion | Current backup solution | Backup/restore not tested | Data availability and integrity | High | High | Medium | Run backup restore tests every x months | 01/06/2015
Data | High | Software leaks information which is sensitive | Policy for software development, training, advice on choosing software | People make errors? | If sensitive data is leaked it could be bad for reputation and could be illegal | High | High | Medium | Training and consequences of illegal actions in policy | 01/09/2015
Switch/Router, Printers, Scanner and Copier, Wireless Access Point, Microsoft Surface Tablet, Firewall, Smart Phones, Telephone Systems | Medium | Hardware/equipment failure or theft | Only locked doors | Locks easy to break | Failure or malfunction of hardware may cause denial of service to system users. Additionally, hardware configuration may be altered in an unauthorized manner, leading to inadequate configuration control or other situations that may impact the system. | High | High | High | Implement physical security, CCTV cameras and alarm systems | 01/03/2016
Malicious Code | Medium | Malicious software such as viruses or worms may be introduced to the system | Anti-Virus | Virus definition list not updated | Damage to the data or software. | High | High | Medium | Update to latest Anti-Virus. Update virus definitions. Update Firewall. Security policy. | 01/16/2016
Remote Access | Medium | Remote OS authentication is enabled but not monitored. | None | Remote access is not currently monitored | Malicious use / computer crime / compromise of confidentiality and integrity of data. | High | High | Medium | Remote access monitoring software / Disable access when not in use | 01/09/2016
Login encryption setting is not properly configured. | | No login encryption | | Unencrypted passwords could be compromised, resulting in compromise of confidentiality and integrity of sensitive data. | Malicious use / computer crime / compromise of confidentiality and integrity of data. | High | High | Medium | Encryption of passwords is required but has not been enforced. Physical security should be in place that would limit the ability to sniff the network to exploit this vulnerability. | 01/09/2016
Project task
Your task is to prepare a comprehensive report for Devon Accounting which must include a review of the current security policies, a detailed security plan and recommendations on the actions and measures to be taken.
Task 1: Review organisational security policies and procedures
Determining the critical business requirements of the network is the first step in developing the security and controls design of the Devon Accounting network, as it means understanding what we need the network to achieve. Careful consideration in the early stages will reap rewards later in the design, by identifying and addressing problems early.
To begin reviewing organizational security policies and procedures of the Devon Accounting network, you will need to:
1. Identify security requirements for Devon Accounting by reviewing the business requirements
2. Identify current security threats for Devon Accounting
3. Recommend a solution to the threats identified
4. Determine the need for the update in security policy for Devon Accounting. The updated policy must meet the obligations under the Privacy Act and Australian Privacy Principles.
5. List the job description for the IT security personnel
6. Recommend a methodology for performing security tests to these solutions
Task 2: Develop security plan
To begin developing a security plan for Devon Accounting, you will need to:
1. Investigate and identify possible attacks and threats on the business
2. Evaluate risks and threats associated with the investigation (threat assessment matrix)
3. Recommend the security controls to be implemented. Update security policy and document the changes made. The security policy must follow the legal and ethical standards and must meet the obligations under the Privacy Act and Australian Privacy Principles. References for legislation and regulation could be considered from:
a. Australian Privacy Principles (‘APPs’).
b. APP 11 and Information Technology Act 2014
c. Commonwealth Copyright Act 1968
d. Commonwealth Fair Work Act 2009
e. Information Privacy Act 2000
f. Information Technology - Code of practice for information security management
g. ACS Code of Ethics
4. Recommend a solution to the security threats identified and prepare a security plan
5. Investigate and review security strategy with security-approved key stakeholders (Auscert)
6. Document the changes made
Your supervisor will provide assistance and feedback throughout the various stages of this report.
1. Marking Scale
1. Introduction
Current-state architecture, engineering and operational practices in the cyber security domain at Devon Accounting focus largely on compliance with one or many regulations, directives, policies or frameworks. Devon Accounting resources and augments these practices by incorporating traditional information security concepts and principles, and attempts to "build security in" to the development of IT systems, while the operational domain provides security services, detects and responds to incidents, and analyses collected data to identify trends and patterns to improve existing security controls and services.
This report applies to every user at Devon Accounting, including temporary users, guests with temporary access to services, and partners with limited or unlimited access time to services. Compliance with the policies in this report is mandatory.
The security strategy was created to keep to legal and ethical standards and to meet the obligations under the Privacy Act and Australian Privacy Principles.
2. Security Requirements
Devon Accounting's security policies are considered in the context of the requirements for information security and the circumstances in which those requirements must be met. This section examines common principles of management control and reviews typical system vulnerabilities, in order to motivate consideration of the specific sorts of security mechanisms that can be built into computer systems, to complement non-technical management controls and thus implement policy, and to stress the significance of establishing GSSP. Additional information on privacy issues and the results of an informal survey of commercial security officers.
Devon Accounting organizations and people that use computers can describe their needs for information security and trust in systems in terms of three major requirements:
· Confidentiality: controlling who gets to read information;
· Integrity: assuring that information and programs are changed only in a specified and authorized manner; and
· Availability: assuring that authorized users have continued access to information and resources.
These three requirements may be emphasized differently in various applications. For a national defense system, the chief concern may be ensuring the confidentiality of classified information, whereas a funds transfer system may require strong integrity controls. The requirements for applications that are connected to external systems will differ from those for applications without such interconnection. Thus the specific requirements and controls for information security can vary.
3. Current Security Threats
(Appendix 1): Please see below the memorandum sent by email from the Company’s Director.
Memorandum – Devon Accounting Sydney Office
To: Staff
From: Director Andre Jacobs
RE: IT SECURITY ISSUES AND REQUIREMENTS
Dear all
As you probably already know, the new Devon Accounting office is being relocated.
With this change of location and thinking about the greater security of our current and prospective customers, the company's steering committee decided to hire an IT security consultant.
This hiring aims at the best structure for our security systems so that we can protect the data of customers and employees and all our databases.
This decision was also made after realising some issues in our system and procedures which needed to be investigated, such as:
1. Data loss during a recent malware attack on the company's network, which affected the company economically
2. Some of the operating systems used by staff are old and it is difficult to get support for them (Application and Operating System Patches)
3. Some of the staff are given remote access but no monitoring is done, and no controls are in place (Remote access controls)
4. Staff have been receiving too much spam and too many malicious emails (Email filter and web content)
5. Network services such as printing and scanning go down frequently due to server issues (capacity and networking equipment)
6. Several laptops have gone missing from the office (Physical Security)
7. A blackout due to a storm resulted in the whole system going offline, causing a productivity loss which was severe for the company (UPS)
8. Staff have been using easy-to-remember passwords, and there have also been instances where a staff member wrote their password on a sticky note and placed it on the computer screen. Staff are also not locking their workstations during their lunch break. Serious issues can arise when the staff involved are responsible for processing payments and invoices (Password policies and authentication).
9. The IT department is having difficulties dealing with issues relating to viruses, worms and malware. Staff are using their personal USB drives in the company's workstations and accessing external websites which may contain malicious code (Firewall updates)
10. Some staff also access the company's network and intranet via wireless devices. Staff are not happy about the speed being too slow or information taking too long to download (Wireless security and wireless access points)
11. Employees are using their personal wireless devices to store business data.
12. One new management headache created by cloud computing is the fragmentation of stored files. There is no consistency in the storage of these files: they are stored on Dropbox, Google Drive or OneDrive. Backing up all this data from different locations has become complex and difficult.
Besides these key points, Devon Accounting's management is concerned about possible data breaches caused by employees who normally access data from their mobile devices or remotely.
For these and other reasons, it is critical that we review our current security policies and prepare a detailed security plan and investigate what actions and measures can be taken.
We count on the collaboration of all during this process to assist IT security consultant to conduct a security analysis and recommendation on the controls to be implemented.
Regards,
AJ.
Bill Simmons' responsibilities (Appendix 2):
Responsibilities included:
· installing and configuring computer networks and systems
· identifying and solving any problems that arise with computer networks and systems
· budgeting for equipment and assembly costs
· assembling new systems
· maintaining existing software and hardware and upgrading any that have become obsolete
· monitoring computer networks and systems to identify how performance can be improved
· working with IT support personnel
· providing network administration and support
Current Cyber Security Controls (Appendix 3):
Below are the details of security controls implemented by Bill Simmons at Devon Accounting 5 years ago.
|
Security Controls |
Description / Issues |
Security Control in Place |
Update Required |
|
Password |
Passwords chosen by staff are weak and not secure, and multi-factor authentication is not used where possible. Passwords are not changed regularly and are shared among other users. |
Yes |
Yes |
|
System Access |
Access privileges are not properly implemented |
Yes |
Yes |
|
Secure Wi-Fi & Devices |
Employees are able to use company and public wireless network on the company’s devices. |
No |
Yes |
|
Legitimate Software |
Staff are allowed to download and install software of their choice |
No |
Yes |
|
Patches and Anti-Virus |
Anti-Virus software is very old |
Yes |
Yes |
|
‘Clean’ devices |
Staff are allowed to use personal USB or external hard drives on company’s PC’s. |
No |
Yes |
|
Social Media |
Staff are allowed to access social media sites such as Facebook, YouTube, Twitter, Instagram on company’s network |
No |
Yes |
|
|
Staff have been receiving too much spam and junk mail, which is clogging up the network |
No |
Yes |
|
Cloud Computing Services and Storage |
The company uses the cloud-based accounting application Xero and Office 365. Backup of cloud storage has become an issue. |
No |
Yes |
|
Remote Access |
Staff are given remote access but no monitoring is done, and no controls are in place |
No |
Yes |
4. Risk and Threat Assessment
Current security threats and explain the threats
|
Internal Threats |
Vulnerability Area |
|
|
|
|
|
|
|
External Threats |
|
|
|
|
|
|
|
Risk Assessment Matrix
|
Risk Assessment Matrix |
|||||
|
Possible Effect |
Personnel |
Facilities and equipment |
Applications |
Communications |
Software and operating systems |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Explain the Risk to Organisation
5. Solution to the Threats
Website resource:
Cisco: http://www.cisco.com/cisco/web/solutions/small_business/resource_center/articles/secure_my_business/network_security_checklist/index.html
Technology Options
|
Threat |
Technology Options |
Vendor Details |
|
Example: Unauthorized users off your network |
Firewall |
Cisco Website: http://www.cisco.com |
|
|
|
|
|
|
|
|
|
|
|
|
List the recommended Solution
6. Security Policy Updates
Current security threats
|
Internal Threats |
Vulnerability Area |
|
Downloading malicious content |
computers |
|
Information leakage |
Server room |
|
External Threats |
|
|
Social engineering attack |
Server room |
Explain the threats
Risk Assessment Matrix
Security threats for ACA Technology are of two types: internal threats and external threats. Internal threats arise when employees of the organisation go against the venture and violate the terms and conditions of the office (Silva et al. 2014). This can create a great nuisance in the work process. When the ACA Technology office is under CCTV surveillance, employees will find it difficult to pose any internal threat to the workplace, so data can be protected and will remain in safe hands. It is essential for every venture to arrange the highest level of security in the workplace, which will assist in removing threats from the office atmosphere. Data security is the main criterion for any security-related task. External threats include cyber-crime carried out by hackers. In order to save information from being lost, cyber security is a significant criterion, and it will help the organisation deliver its best in the work process. Without it, information as well as strategies become more vulnerable to threats. Therefore, immense emphasis needs to be laid on securing each system of this office for a better work process.
Explain the Risk to Organisation
Risk needs to be assessed properly so that the security system is implemented properly. CCTV, a Burglar Alarm Kit and DISCENTIS can be used to secure data for this venture.
Identify options for using internal (internal technical team) and external (vendor's technical support) expertise for the technologies used (Cisco routers, Microsoft Windows, etc.) and recommend a solution to the threats identified
In the opinion of Webb et al. (2014), there are different ways of enhancing the security system of an organisation. Tracking can be done in different ways; cameras are the first element used to track people or places for security purposes. The organisation's data are generally stored on computers in soft-copy form. The cloud system has been newly implemented to bring employees, suppliers and other parties closer to each other. ACA Technology can use this system to track employees from anywhere and at any time, which would make the system more secure and maintain the privacy of the data. The technology is provided by Cisco routers, which offer good quality of sound, picture and voice. One of the technologies introduced with Cisco routers is the architecture for the mobile network, which provides a VPN and other mechanisms for the secure transmission of data via mobile devices. Thus, ACA Technology can use this technology to track customers and suppliers along with employees. As considered by Silva et al. (2014), there are many threats to the security system, mostly against the applications in the system. One type of attack is privilege escalation, where the attacker holds an account on a system and uses it to raise that account's privileges; once the required level of privilege has been achieved, the hacker is able to run code on the system. Cloud technology is the solution for this kind of issue, where an organisation can track a person with a single system. Access to an HTML page is very easy for a hacker, so they modify the HTML script and the whole design looks awkward; this problem can only be solved through coding. The technology for the security system comes as a package in which all the important functionalities are integrated into one single device.
That would resolve multiple security issues, whether software hacking or hardware replacement carried out with the purpose of taking internal information. Cross-site scripting has the capability to change the behaviour of a website: some users do this by injecting a client-side script into the webpage that changes the behaviour of the website's elements.
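The last sentences above describe cross-site scripting. The following Python example is added here and is not part of the report or of any vendor product it mentions: it shows the vulnerable pattern (untrusted input placed unchanged into the page) beside the hardened form that HTML-encodes each value for the context it is inserted into, plus a small check that flags when raw markup has leaked into the output. All sample inputs and the function names are constructed for the example.

```python
import html

# Constructed sample inputs (not from the report): the kind of values a user
# could type into a comment form on the company's web application. The author
# value tries to break out of an HTML attribute, the text value carries a script.
CONSTRUCTED_AUTHOR = 'mallory" onmouseover="alert(1)'
CONSTRUCTED_TEXT = 'Nice report <script>alert(1)</script>'


def render_comment_vulnerable(author: str, text: str) -> str:
    """The pattern the report describes: untrusted input is placed into the
    page unchanged, so any markup or script it contains becomes part of the
    document and runs in every visitor's browser."""
    return f'<p class="comment" data-author="{author}">{text}</p>'


def render_comment_safe(author: str, text: str) -> str:
    """Hardened form: every untrusted value is HTML-encoded for the context it
    lands in. html.escape(quote=True) turns < > & " ' into entities, so the
    browser shows the characters as text instead of parsing them as markup or
    letting them close the data-author attribute early."""
    return (f'<p class="comment" data-author="{html.escape(author, quote=True)}">'
            f'{html.escape(text, quote=True)}</p>')


def untrusted_markup_leaked(rendered: str, untrusted_values) -> bool:
    """Detection helper for a test suite or a response filter: report whether
    any raw untrusted value that carries markup-significant characters appears
    verbatim in the rendered output (a plain word such as 'bob' is ignored)."""
    special = set('<>"\'&')
    return any(value in rendered
               for value in untrusted_values
               if special & set(value))


def demo() -> dict:
    """Render the constructed comment both ways and check each for leaks."""
    inputs = [CONSTRUCTED_AUTHOR, CONSTRUCTED_TEXT]
    vulnerable = render_comment_vulnerable(CONSTRUCTED_AUTHOR, CONSTRUCTED_TEXT)
    safe = render_comment_safe(CONSTRUCTED_AUTHOR, CONSTRUCTED_TEXT)
    return {
        "vulnerable_leaks": untrusted_markup_leaked(vulnerable, inputs),
        "safe_leaks": untrusted_markup_leaked(safe, inputs),
        "safe_html": safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Output encoding is context-specific: `html.escape` is correct for element text and quoted attribute values, which is all this example inserts into; a value that ends up inside a `<script>` block or a URL needs a different encoding, and a Content Security Policy is a useful second layer, but neither replaces encoding at the insertion point.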
7. Security Testing Methodology
Methodology for performing security tests.
Website resource:
· Security Testing Methodology
· http://www.qamentor.com/methodologies/security-testing-methodology/
· Penetration testing methodology and standards
· https://www.owasp.org/index.php/Penetration_testing_methodologies
· Penetration Testing Redefined with the Kali Linux Distribution
8. Future attacks and threats on the business
Investigate and list the possible future attacks.
9. Future Risk and Threat Assessment
Possible Threats and attacks
· Acts of human error or failure
· Compromise of intellectual property
· Deliberate acts of espionage or trespass
· Deliberate acts of information extortion
· Deliberate acts of sabotage or vandalism
· Deliberate act of theft
· Deliberate software attacks
· Force of nature
· Deviations in quality of service from service providers
· Technical hardware failures or errors
· Technical software failures or errors
· Technological obsolescence
|
Threat source |
Threat Actions |
Threat Motivations |
|
|
|
|
|
|
|
|
|
|
|
|
Example: Threat Assessment Matrix
|
Areas of Threat / Vulnerability and possible effects of Damage |
Risk of Financial loss |
Risk of Productivity loss |
Risk Of loss of Customer Confidence |
||||||
|
|
H |
M |
L |
H |
M |
L |
H |
M |
L |
|
Antivirus |
|||||||||
|
Programs are not updated |
H |
|
|
H |
|
|
|
|
L |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
10. Security Plan - Solution to the future threats
Write your recommended solution for the identified security risk
Example: Security Threat – Malware
· Describe the threat
· Impact on the organisation
· Mitigation strategies
· Technology/Training solution
11. Security Policy Updates with Legal and Ethical Standards
Priorities Assessment using Risk Register
Example of Risk register
|
Threat |
Predisposing conditions |
Vulnerabilities Entities |
Confidentiality |
Integrity [H,M,L] |
Availability [H,M,L] |
Overall Impact |
Likelihood of attack initiation |
Likelihood Success |
Total likelihood |
Overall risk rating |
Cost effectiveness |
|
Example: Lost or stolen laptop leads to exposure of sensitive data. |
No encryption on almost all laptops |
All servers, network devices, and laptops |
H |
L |
H |
H |
H |
H |
H |
H |
M |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
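The register above shows only the resulting H/M/L ratings. The Python example below is added here and is not part of the assessment or of the student's report: it implements the register as a small program with the same columns and makes the combination rules explicit so the priorities assessment can be reproduced. The rules are assumptions (overall impact is the worst of the C, I and A ratings; total likelihood is the lower of initiation and success; the overall risk rating comes from a 3x3 impact-by-likelihood matrix), the laptop row is the page's own example, and the other two rows are constructed from issues in the Director's memorandum with assumed ratings.

```python
from dataclasses import dataclass
from typing import List

# H/M/L ratings as used in the report's risk register, mapped to scores.
LEVELS = {"L": 1, "M": 2, "H": 3}
NAMES = {score: name for name, score in LEVELS.items()}


def highest(*ratings: str) -> str:
    """Overall impact (assumption): the worst of the C, I and A ratings."""
    return NAMES[max(LEVELS[r] for r in ratings)]


def combine_likelihood(initiation: str, success: str) -> str:
    """Total likelihood (assumption): an attack must be both initiated and
    succeed, so the combined rating is the lower of the two."""
    return NAMES[min(LEVELS[initiation], LEVELS[success])]


def rate_risk(impact: str, likelihood: str) -> str:
    """Overall risk rating (assumption): a 3x3 matrix, impact x likelihood
    scored 1..9; 6-9 is H, 3-5 is M, 1-2 is L."""
    score = LEVELS[impact] * LEVELS[likelihood]
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


@dataclass
class RiskEntry:
    """One row of the register, with the same columns as the report's table."""
    threat: str
    predisposing_conditions: str
    vulnerable_entities: str
    confidentiality: str
    integrity: str
    availability: str
    likelihood_initiation: str
    likelihood_success: str
    cost_effectiveness: str  # assessor's judgement of the control, not computed

    def __post_init__(self) -> None:
        # Reject anything that is not an H/M/L rating so a typo cannot
        # silently drop a threat down the priority list.
        for rating in (self.confidentiality, self.integrity, self.availability,
                       self.likelihood_initiation, self.likelihood_success,
                       self.cost_effectiveness):
            if rating not in LEVELS:
                raise ValueError(f"rating must be H, M or L, got {rating!r}")

    @property
    def overall_impact(self) -> str:
        return highest(self.confidentiality, self.integrity, self.availability)

    @property
    def total_likelihood(self) -> str:
        return combine_likelihood(self.likelihood_initiation, self.likelihood_success)

    @property
    def overall_risk(self) -> str:
        return rate_risk(self.overall_impact, self.total_likelihood)


def prioritise(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register for the priorities assessment: highest overall risk
    first, and among equal risks the control with the better cost
    effectiveness first."""
    return sorted(entries,
                  key=lambda e: (LEVELS[e.overall_risk], LEVELS[e.cost_effectiveness]),
                  reverse=True)


def build_example_register() -> List[RiskEntry]:
    """The report's laptop row, plus two constructed rows based on issues in
    the Director's memorandum (the ratings for those two are assumed)."""
    return [
        RiskEntry("Lost or stolen laptop leads to exposure of sensitive data.",
                  "No encryption on almost all laptops",
                  "All servers, network devices, and laptops",
                  "H", "L", "H", "H", "H", "M"),
        RiskEntry("Unmonitored remote access is abused to read client data.",
                  "Remote access has no monitoring or controls",
                  "Remote access gateway, file servers",
                  "H", "H", "L", "M", "H", "H"),
        RiskEntry("Storm blackout takes all systems offline.",
                  "No UPS in the server room",
                  "Servers, network equipment",
                  "L", "L", "H", "L", "H", "M"),
    ]


if __name__ == "__main__":
    for entry in prioritise(build_example_register()):
        print(f"{entry.overall_risk}  impact={entry.overall_impact}  "
              f"likelihood={entry.total_likelihood}  "
              f"cost={entry.cost_effectiveness}  {entry.threat}")
```

With these rules the page's laptop row reproduces the table's ratings (impact H, likelihood H, risk H), and the constructed remote-access row sorts above it only because the two share a risk rating and its control is judged more cost effective; changing any rule changes the ordering, which is why the combination rules should be written into the security plan rather than left implicit.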
Update the Security Policy
12. Review Security Plan (approved key stakeholders)
Website resource:
Auscert Security Bulletins
· https://www.auscert.org.au/1
13. Change (Security Plan upon Review)
Update the Revision History and security plan
Revision History
|
Revision Number |
Summary of Revision |
Revision Author |
Date |
Accepted By |
|
0 |
Initial Draft |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14. Conclusion
15. References
System Security - Assessment Task 1 v5, Last updated on 06/09/2019 Page 23