project
Information Security Assessment Dammam Technical College
MSIS Capstone Project – CS699
Progress Report
Information Security Assessment for Dammam Technical College
Presented by:
Student Reg#
Student Name:
Project Advisor
College of Computing & Informatics
SAUDI ELECTRONIC UNIVERSITY
Table of Contents
iiiTable of Figures
Table of Tables iv
Revision History v
1. Introduction 1
1.1 Course Description 1
1.2 Organization Overview 1
1.3 Scope 1
1.4 Business Goals 1
1.5 Organization Structure 1
1.6 Security Requirements 1
1.7 Document Conventions 2
1.8 Project Plan 2
1.9 Report Structure 2
2. Literature Review 3
3. IT Architecture Analysis 4
3.1 Identify IT resources: 4
3.1.1 IT assets 4
3.1.2 IT Human Resources 4
3.1.3 Relationship between IT and Business 4
3.2 Characterize the IT network: diagram, topology, protocols used, etc. 4
3.3 Operating Environment 5
3.4 Assumptions and Dependencies 5
4. Identify security threats and security controls. 6
4.1 Identify security threats 6
4.2 List the existing security controls 6
4.3 Evaluate the adequacy of the existing security controls and their efficiency in reducing the risk associated with each security threat. 6
5. Security Evaluation 7
5.1 Risk Identification 7
5.2 Carry out a Risk Assessment using CRAMM (CCTA Risk Analysis and Management Method) 7
5.3 Choosing a security evaluation standard (Common Criteria, etc.) 7
5.4 Carry out the security evaluation strictly following the chosen standard. 7
6. Proposition (and maybe Implementation) of Security Improvements 8
6.1 Propose a suitable security policy 8
6.2 Identify appropriate Security Controls 8
6.3 Propose security controls implementation plan 8
6.4 Propose an appropriate Security Life-Cycle and Security Management Plan 8
6.5 Proposing an appropriate plan to establish a security culture (trainings, Awareness, etc.) 8
6.6 Ethical Considerations in the proposal 9
7. Proposition Nonfunctional Requirements 10
7.1 Performance Requirements 10
7.2 Safety Requirements 10
7.3 Software Quality Attributes 10
7.4 Other Requirements (Optional) 10
8. References 11
Appendix A: Glossary 12
Appendix B: Analysis Models 13
Appendix C: Software and hardware details and technical specifications 14
Table of Figures
ure 1: Orgazation Structuesss………………………………………………………………….8Fig
F igure 2: Gnatt Chart Project Plan…………………………………………….…………..…….10
Fig ure 3: IT Architecture …………...………………………………….…………..……………12
F ure 4: Network Diagram ………...………………………………….…………….……………14
Table of Tables
Revision History
|
Name |
Date |
Reason For Changes |
Version |
|
|
|
|
1 |
|
|
|
|
|
1. Introduction
1.1 Course Description
The capstone course allows the students to review an organization’s needs and address all the challenges involved with implementing and/or changing information technology focusing on information security in a complex organization. Students will analyze organizational objectives and propose a solution and a full implementation plan. The proposed solution must address strategies for overcoming the challenges of information security related projects such as assessing risks, reduction of funding, and keeping the support of executive management. Students will utilize skills gained throughout the program to demonstrate the ability to design an information security project from conception to post deployment.
1.2 Organization Overview
Dammam College of Technology is a one of technical Colleges that created by the technical and vocational Training corporation. As all of technical Colleges, Dammam College of technology goals is to provide the labor market with technically qualified national personnel and meet the needs of the country of these cadres upon which it depend it build its economy. The start of this College was in 1988 with 150 students while according to their website the number last year is more than 4000 students. The College provide technical training in five technological sections which are Electronic Technology, Electrical Technology, Mechanical Technology, Computer Technology and Administrative Technology.
1.3 Scope
Scope of work for Dammam college is starting with admission and registration of applicants, selecting and develop training material, Formation, supervision and follow-up of trainees committees , graduate a qualified trainees within maximum 4 years from theirs program started and finally assure the trainees find a jobs in labor market after their graduate.
1.4 Business Goals
Business goals for Dammam Technical College (DTC) are like most of education enterprise include but not limited to provide students or trainees with knowledge and technical skills that help them to join the labor market, develop learning and training process and material, utilize technology in the learning process, and finally simplify communications within the College. While there some corporate goals that inherent from main College in Riyadh like develop sections materials and develop staff.
IT department in Dammam College provide support for more than 2000 students in addition to more than 400 employees in the College. I have selected this organization because it meets the capstone requirements of having information system, further more education field is very active and vital field that requires implementation of information security due to sensitive of data and dependency on Information system on education process.
1.5 Organization Structure
Actually the College has structure mirror the mother College in Riyadh, so most of its organization refer and depend on main department in Riyadh. However below is a diagram showing the organizations chart of Damam College. My report will be mainly covers information Security that mostly carry out by the computer Center that part of Support Center organization. Below Diagram show the construction chart for Dammam College of Technology.
Figuer1 Organization structure
1.6 Security Requirements
Technical College of Dammam has IT systems that connected to the main office in Riyadh, however they have IT department that has Manager, LAN Admins, Developers, Technical Support, and some of part time employees from computer technology College. From technology point view they have Intranet , IP Telephony, Firewall device routers , layers 3 switch, core switch, wireless controller, VTP server, cloud server and labs that contains workstations. The organization was selected because it is meet the capstone requirements. Security is important for this organization because Information technology and computer system support the organization goals. IT system is important because it not just hardware and software but communications and data that organization depend on for transforming the information. The important of information security in education in general is critical and vital because IT system is holding the data and the College is rely on the IT for storing and processing the information. Each part of Information CIA Triad; confidentiality and integrity and availability; is important and essential in education process. From confidentiality for example the grades of student should not be access or viewed by the right people. From Integrity for example the transcripts, exams result should be accurate and not changed only by authorized people. From availability for example education data, education material and electronic services should be available whenever it’s needed.
1.7 Document Conventions
In this report the following types of conventions are used:
bold font: organization name
Italic font: position for people in organization and notes
1.8 Project Plan
The project start with selecting organization, after receiving the criteria of organization that needed for this capstone from instructor, I have searched and visited many organization till I found this origination. After selecting the organization second task is IT Architecture Analysis for this origination this include identifying IT resource, IT human resource and relations between IT and business. Third part of the plan is to identify the security threats and security for this origination. This include evaluate existed security controls. Fourth action is reflecting all information in this report and provide progress report to the advisor. Five action is doing security evaluation by identifying risks and carry out risk assessment. Sixth section in my plan is proposing or implementing security improvements for the selecting organization. Seventh part of this plan is preparing the final report and implement the advisor comments and recommendations. Final steps is preparing a presentation for this capstone.
Below is a Gantt chart show the Project Plan
Figure 2: GANTT CHART Project plan
1.9 Report Structure
The remaining part of the report has the following sections:
IT Architecture Analysis : that will include Identify It resources like IT assets , IT humman Rsesources and relationship between IT and business. In addtion to Characterize the IT network , Operating Environment and assumptions and dependencies.
Identify security threats and security controls: this section will list security threats, consolidate existed security controls and evaluate the efficiency of existed control in reducing security threats.
Secrurity evalutaion : will go thourgh risk identification, carry out risk assessment , choose a secuirty evalution starndard and finall carry out security evalutaion stricltly following the chosen starndard.
Proposition and maybe implantation of seucirty improvements: in this section I will propose a suitable security policy, Identify appropriate Security Controls, Propose security controls implementation plan, Propose an appropriate Security Life-Cycle and Security Management Plan, Proposing an appropriate plan to establish a security culture, Ethical Considerations in the proposal
Proposition Nonfunctional Requirements: Performance Requirements, Safety Requirements, Software Quality Attributes, Other Requirements.
2. Literature Review
Resource for this report are the following books, I will give brief description about each resource:
1- Brown, C. (2012). Managing information technology. Upper Saddle River, N.J.: Prentice Hall/Pearson. : it will help analyzing the IT Architecture since it provides overview of information technologies used to maximize organizational efficiency and effectiveness.
2- Stallings, W., & Brown L. (2015). Computer Security: Principles and practice. Upper Saddle River, NJ: Pearson Education, Inc. ISBN-13:9780133773927: that help me in identify information security threats, dangers, and risks that organizations face, in addition to the ability to analyze potential vulnerabilities that can impact on IT resources.
3- Dhillon, G. (2007). Principles of information systems security. Hoboken, NJ: John Wiley & Sons.: I will use this book to covers section five of this report that about cyber security issues surrounding an enterprise including securing organizational data.
Note: Additional sources and references will be added in the final version of this report.
3. IT Architecture Analysis
Current IT Architecture at Dammam College of Technology is consistent and support the College business goals. As showing in the diagram below that the organization is depending on IT resources to deploy and achieve its goals. References to IT architecture maturity that including Application Silos, Standardized Technology, Rationalized Data and Modular (Brown, 2012); Dammam College implemented some of these maturity.IT Architecture creation should be an outcomes of combination work between Managers and IT experts however in this organization I found that all decisions related to IT standards , applications and projects taken by the head office. There is no architects, planners or event units in the origination. The IT Department in the origination has shorted in procedures and standards. IT department has support team, and developers. However there is a part times people how work permanently in computer technology section. There is no standard for installing software or upgrade the systems. Expansion of IT to new building or new Operating system done by third party.
Figure 3: IT Architecture
3.1 Identify IT resources:
IT resources in Dammam Technical College including Databases, hardware, Software and IT human resources. I will go in details for each resource. These resources are connected, however the connections is not very strong between some resources but the future growth of the College will enforce the connection to be stronger.
3.1.1 IT assets
IT assets in the Dammam College of technology are many, there is software both application and support software, there are different type of hardware that include end-user, power hardware and services hardware. In the below table I will list these IT assets.
Table 1: IT Assets List
|
Software |
Hardware |
Operating systems |
|
Application software (office) |
Workstations |
windows server 2003 R2 Enterprise Edition SP2 |
|
Web browser |
Wireless access pointes |
windows server 2008 R2 Enterprise SP1 64-bit |
|
Programing application for lab and developers |
TMG firewall Server |
windows server 2012 R2 Datacenter |
|
|
Cisco Telephone over IP |
windows server 2007 Enterprise SP2
|
|
|
Internet security & acceleration server |
windows server 2012 R2 Standard
|
|
|
Hyper Active directory |
Windows 7, Windows 8 |
|
|
Kaspersky server |
windows server 2003 R2 Enterprise Edition SP2
|
|
|
FTP server |
|
|
|
Layer 3 Switches 2900, 3500 |
|
|
|
Web servers |
|
3.1.2 IT Human Resources
Employees in IT department around 14 employees, there is a manager and three other are working as assistances. Technical support team are five persons, there are also five employees are working as developers. There is also five employees belong to Computer technology college working as part time if needed.
3.1.3 Relationship between IT and Business
Relationship between IT and Business is aligned and associated. IT provide the support and services to achieved business goals. Organization is depending on the IT resources in communications and exchange information within the origination and out of origination. Within organization through the Ethernet and over internet to communicate outside the organization.IT system is centralized and Information system decision are implemented by the central IT of Headquarter.
3.2 Characterize the IT network: diagram, topology, protocols used, etc.
Below diagram show the Characterize IT network for the organization. Topology that used in the network is a tree topology. There many Protocols used in the organization but the most common Protocols that used among the organization are: TCP, IP, UDP, POP, SMTP, HTTP, and FTP.
Figure 4 : Network Diagram
3.3 Operating Environment
The operation environment in the origination is different based on the positions. Workstations are either for business or training. Staff are connected to separate through Ethernet to get the services or support. Labs are connected locally and has no internet access. Operating system in all workstation is windows 7 and no clear upgrade procedures. There are many access point devices but there is no strong password policy for it. There is not inventory for software and installation has no security assessment for staff.
Limitation that face IT department is lack of procedures and standards, lack of employees, lack of training and poor construction for organization and mission of organization. .
3.4 Assumptions and Dependencies
Assumptions that could affect the IT Department in Dammam College is poor participation in decision that related to IT. They are totally depend on Head quarter in Riyadh. While dependencies is clear in replacement program for IT assets or upgrade for Operating system. This process done by third party and out of hand IT Department in the College. Outsourcing decision is done by Head Quarter in Riyadh.
4. Identify security threats and security controls.
In information technology, Confidentiality, Integrity and Availability are the three security objective goals. Confidentiality in information technology refers to achieving high levels of protecting information. Information, especially confidential information must not be revealed to unintended party whether that information is online or offline. Since the College relies on electronic information storage and transfer for all transactions, The IT systems stores and handles valuable information that are not limited to personal identifiable information. Third parties who will see this information regardless of the status mean that the information is no longer confidential. The security resources and the strategy used to ensure that information is secure online is the encryption technology. Through appropriate encryption resources and tools, confidential information will not be available to unintended parties. Like all other IT resources, encryption tools will work better when they are in their latest version. When referring to integrity in information technology, the phrase tries to explain information, which is modified before it reaches the intended person. When an IT infrastructure has achieved information integrity, it means that information passing through that system is not modified by third parties before reaching the intended person. Information is required for business processes. For business success, the need to achieve information security goals should not compromise with information available. Information should be available to authorized persons. Authorized persons should be able to access information when needed because they need it for production and efficiency of services. Cyber-attacks always halt one or more of the three main security objective goals. I will go through security threats that may impact the security objectives in the organization.
4.1 Identify security threats
Here I will identify security threats that my impact the objective of security of information in Dammam College of technology. This threats aims to impact the IT resources and may impact on business goals. First the threats that effect the availability, for the hardware the natural threats like fire and earthquake. Also theft may happened in case of poor physical security. For Software Availability may effected by deletion effect or deny of service threats. For Data also availability may be effected by authentication threats that may cause access deny or deleting files. Network and communication by impact by denial of service threats that prevent its availability. Second Threats that may effects Confidentiality. Threats here mainly in software, data and communications. Like make unauthorized copy from software. For communication steal session, threats form insider by able to reach data they should access. Finally threats that effect integrity , could be modifying software program to cause fail of program or system or to execute unrequired tasks. Unauthorized access and ability to modify the data due to lack of security control. Furthermore threats may include web applications attacks, physical threats, inside attack due to lack of policy or procedures, authentication threats.
4.2 List the existing security controls
Security controls any tools, documents or practice that used to manage or limit the risk to the IT resources. Existed security controls in Dammam College are the following:
1- Physical access control: there is gate that ask for credentials to access the College. The server rooms is locked with key and there are cameras inside the room.
2- Technical access control: the Active directory that manage and control access to the network. Passwords for computers and servers. There is cloud server and backup servers.
3- Administrative access control: there is IT asset inventory, user registration for computer use and access.
4.3 Evaluate the adequacy of the existing security controls and their efficiency in reducing the risk associated with each security threat.
When I evaluate the efficiency of Security controls in Dammam Technical College I come out with the following:
Physical Control: there is a weak in the physical security, since the theft may carry out by the insider employee. Also when I visit the server room there was combination lock to access carry door for the server room but the server room key was in the door.
Technical Controls: it is good to have software to manage the password and authentication but there was weak in managing the software policy, I notice that there is no lifecycle for the password which big vulnerability. Also it is good to have backup and cloud server.
Administrative Control: there is no clear standard, guide lines or procedure to control the IT works. However there is registration when the new employee join the organization and he assigned IT assets and these assets register under his custody as part of new hire procedures.
5. Security Evaluation
<Introduce the section>
5.1 Risk Identification
[Based on CS507 Module 7]
<Identify Risks>
5.2 Carry out a Risk Assessment using CRAMM (CCTA Risk Analysis and Management Method)
[Based on CS562 Module 9]
<Risk Assessment>
5.3 Choosing a security evaluation standard (Common Criteria, etc.)
[Based on CS562 Module 8, 10-11]
<Security Evaluation standard selection. You SHOULD justify your choice of the selected standard and describe the reason(s) for selecting this standard and not selecting other standards>
5.4 Carry out the security evaluation strictly following the chosen standard.
<Step by step security evaluation using the selected standard>
6. Proposition (and maybe Implementation) of Security Improvements
<Introduce the section>
6.1 Propose a suitable security policy
[Based on CS 562 Modules 6-7]
<Security Policy>
6.2 Identify appropriate Security Controls
[Based on CS507 Modules 8-10]
<Security Control. You SHOULD justify why you think these are appropriate?>
6.3 Propose security controls implementation plan
[Based on CS507 Modules 8-10]
<Step by step Implementation Plan>
6.4 Propose an appropriate Security Life-Cycle and Security Management Plan
[Based on CS562 Modules 10-11]
<Security Life-Cycle>
6.5 Proposing an appropriate plan to establish a security culture (trainings, Awareness, etc.)
[Based on CS562 Modules 11-13]
<Plan to establish Security Culture>
6.6 Ethical Considerations in the proposal
[Based on CS562 Modules 13-14]
<Discuss ethical aspects>
7. Proposition Nonfunctional Requirements
7.1 Performance Requirements
<If there are performance requirements for the product under various circumstances, state them here and explain their rationale, to help the developers/network designers understand the intent and make suitable design choices. Specify the timing relationships for real time systems. Make such requirements as specific as possible. You may need to state performance requirements for individual functional requirements or features.>
7.2 Safety Requirements
<Specify those requirements that are concerned with possible loss, damage, or harm that could result from the use of the product. Define any safeguards or actions that must be taken, as well as actions that must be prevented. Refer to any external policies or regulations that state safety issues that affect the product’s design or use. Define any safety certifications that must be satisfied.>
7.3 Software Quality Attributes
<Specify any additional quality characteristics for the product that will be important to either the customers or the developers. Some to consider are: adaptability, availability, correctness, flexibility, interoperability, maintainability, portability, reliability, reusability, robustness, testability, and usability. Write these to be specific, quantitative, and verifiable when possible. At the least, clarify the relative preferences for various attributes, such as ease of use over ease of learning.>
7.4 Other Requirements (Optional)
<Define any other requirements not covered elsewhere in the report. These might include database requirements, external (hardware, software, or communication) interface requirements, internationalization requirements, legal requirements, and reuse objectives for the project.>
8. References
<List all books, conference papers, journal articles, websites, etc. used in preparing the content of this report. Provide enough information so that the reader could access a copy of each reference, including title, author, volume/edition number, page number(s), and publication year. Mention complete URLs for websites.>
<The template to be used would be APA style. Newspaper articles are not allowed to be cited. Wikipedia and other non-reliable resources are not allowed>.
Appendix A: Glossary
<Define all the terms necessary to properly interpret the report, including acronyms and abbreviations.>
Appendix B: Analysis Models
<Include, but not limited to, the following analysis models: use-case diagram, class diagram, sequence diagram.>
Appendix C: Software and hardware details and technical specifications
<Include details and technical specifications of the currently used and proposed software and/or hardware.>
Dammam Collage of Technology
Training Sections
Admin and Financial Affairs
Support Center
Training Affairs
Trainees
Administrative Technology
Electronic Technology
Electrical Technology
Computer Technology
Administrative Affairs
Financial Affairs
Technical Affairs
Community Center
Computer Center
Follow up -Unit
Public Relation
Quality Unit
Admission Unit
Research Center
English Language Center
General Study Center
Admission and Registration
Graduate Affairs
Health Unit
Trainees Relations
<Capstone Project> Page i