Project Plan

profileProfArgeol
week_-_5.rar

Week - 5/Report.docx

justify and support the relationship between infrastructure and security as it relates to this data-collection and analysis company.

For a data collection and analysis company, the data is their most valued asset. Hence its security should be of utmost importance to the company.  The overall value of the data depends on its context i.e., how it is used, how often it is used, what value it derives for the company and so on. The value of Information Technology to any company is its ability to store, present, manage, analyze and protect the data to support the company do its business operations with the help of it. Some types of data have inherent value for example profiles of a large number of customers. Some data have derived value for example; large amount of data relating to customer’s buying behavior analyzed using social media tools during the period of black Friday. Some data might be worth more and some data would be of lesser value. Data collected and analyzed from various sources related to customer satisfaction and feedback, sales enticements, competitive differentiation etc all have value. However the ultimate value of the data is quite complicated as it’s built from a composite of all these sub-dates. When more and more people within the company access the data and derive information out of it, makes the data more valuable. How good the data is secured, depends on various factors and one of the biggest factors is he IT infrastructure of the organization. Following are some reasons through which we can determine the relation between infrastructure and data security : a) Loss of data confidentiality: The data which is being transmitted over a network is always at a risk of being eavesdropped by an unauthorized party. The weak controls over access to the company network might result in data stored on the company's servers and workstations subject to unauthorized access. b) Loss of data integrity: If the network nodes are not setup properly and secured, the data in transit between these network nodes may be modified deliberately or otherwise. This would result in the Data may be modified in transit between network nodes, deliberately or otherwise. This might result in the system receiving the data process it incorrectly or perhaps malicious data might get transmitted. However the end result is a loss for the company. c) Denial of Service: The network infrastructure of the company relies on the continued functionality of all the network links that connects to its component codes. The disconnection of a network or slowdown of a network link may prevent the system from providing necessary services for the data analysis and collection process to effectively continue. d) System compromise: The network infrastructure includes routers, Modems, DNS Servers, other communication and connectivity devices are at risk of being compromised and their resources being used by unauthorized party for illegitimate purposes as denial-of-service (DoS) attacks or bandwidth theft occurs.

Present the rationale for the logical and physical topographical layout of the planned network.

Current - Before up gradation, the network is straightforward like that of any of small business. Both logical and physical layout consist of mail server, database, firewalls, and so on i.e. all those elements which form a backbone of data-collection company. Planned - In planned one, the company is moving from 1 floor to three floors. To avoid complexity, the layout will remain the same. On each of the floor the physical and logical layout remains identical. Only at the hub connection, the entire wired are gathered and tied at one place. For Wi-Fi related equipments, router with heavy-loading capability is required. The entire server will be shifted to third floor, so that it is not easily accessible to any client and unauthorized person.  

Design a logical and physical topographical layout of the current and planned network.

Current - Physical layout

Logical

Planned – Physical

Logical is more or less same like that of current’s logical diagram which more number of devices and wiring.

Illustrate the possible placement of servers.

Enhanced availability and resiliency - Hardened devices are placed as shown in the figure so as make sure that company has optimal service availability and remove any system and interface-based redundancy. Network Foundation Protection - As shown in the figure, device hardening, and control and managment plane protection is ensured throughout the entire infrastructure to maximize availability and resiliency. Public Services DMZ - This portion depicts the placement of devices to ensure endpoint server protection, intrusion prevention, stateful firewall inspection, application deep-packet inspection and DDoS protection. Secure mobility - Under this, VPN protection is a priority for mobile users. It performs the persistent and consistent policy enforcement independent of location of staffs. It integrates web security and malware defense systems. Internal Access - The equipments are arranged as shown in figure to ensure email-web security, stateful firewall prevention and global correlation and granular access control. Threat detection and management - this part ensures intrusion prevention and infrastructure based telemetry so as to identify and mitigate threats. Edge protection - This placement ensures traffic filtering, routing security, firewall integration and IP spoofing protection to discard anomalous traffic flows, prevent unauthorized access and block illegitimate traffic.

Create and describe a comprehensive security policy for this data-collection and analysis company.

Classification of Data Any company’s user having authoritative access to data of the company may, modify data’s classification. The user may be in a position to change classification of data if there are sufficient and justifiable reasons of doing so. Resources doing so will be held strictly responsible for their changes. When a new data is created, it should be classified as “Company Only” data till it user reclassifies it as per one’s modifications. Users are held strictly for any change in classification they do. Classifications for existing company’ data are given below:

· Company’s business information (memos, financial documents, planning documents etc) should be classified as "Company Only";

· Company’s customer data (contact details, contracts, billing information etc) should be classified as "Company Only";

· Network management data (IP addresses, passwords, configuration files, etc.) should be classified as "Confidential";

· Human resources information (employment contracts, salary information, etc.) should be classified "Confidential";

· Published information (pamphlets, performance reports, marketing material, etc.) should be classified "Shared";

· E-mail between Company’s employees should be classified "Company Only"; and,

· E-mail between Company’s employees and non-Company employees should be regarded as "Unclassified".

Classifications: Roles and Responsibilities

1. Responsibility of the user to:

· Know one’s own clearance level and to understand what are the rights and limitations associated with that clearance

· Ensure all the data one’s going to work on is correctly classified;

· Ensure one is familiar with the restrictions associated with the data one’s working on and

· ensure all the data one works with is protected properly.

2. Responsibility of all system owners and system administrators to:

· determine the security level for all users.

· proper verification of the equipment user is going to work with.

· installation of the equipment.

3. Responsibility of each divisional manager is:

· Getting approval on clearance for employees.

· Clarifying the classification of data on systems.

· Clarifying the classification of equipment.

· Understanding and implementing the policy.

4. Responsibility of the Security Officer to:

· approving all classifications

· Maintaining a list of all classifications

· Approving the final layout of the company’s network.

· controlling and managing all trusted points

Compliance

1. Any unauthorized user accessing data, device, equipment or a location with insufficient privileges can face disciplinary action.

2. Any user who is allowed to access a system that he/she controls on behalf of someone else with insufficient clearance can face disciplinary action.

3. Any person who is trying to connect to an equipment for which one is not classified to access the network with an inappropriate part of the network can face disciplinary action,

4. Any person who is transmitting data over the network without specific privileges can face disciplinary action.

Ethernet Switch

Web server

Mail server

Database server

File server

Admin Hub

Hub

Hub

Hub

Router

Company Server

Admin Group

Router-Firewall

Mail Server

192.168.2.1

Web Server

192.168.2.2

File Server

192.168.2.3

192.168.2.4

192.168.2.5

192.168.2.6

192.168.1.1

192.168.1.2

192.168.1.3

192.168.1.4

192.168.1.5

192.168.1.6

192.168.2.0

192.168.1.0

Sensor Base

Cisco Security

Intelligence

Operation

Secure

Mobility

INTERNET

Access

Distribution

Core

WAN

Edge

Internet Edge

MetroE

HDLC

Internet

Distribution

Switch

Cisco

ASA

Internet

Border

Router

Web

Server

Email

Security

Email

Server

Web Security

Network Foundation

Protection

Secure Mobility

Threat Detection and

Mitigation

Edge Protection

Internet AccessPublic Services

Enhanced

Availability and

Resiliency

Week - 5/Security-2007-Compatible.mpp

Week - 5/Security.mpp