You are working for an IT consulting firm, eSolution. A mid-sized company recently hired eSolution to examine the security aspects of the entire operations of the company and asked eSolution to help develop industry-standard security measures and various policies that protect the company's information and operations security. The following describes the operations of the company:
1. The company provides a range of high-tech products to its customers in the US.
2. The headquarters and manufacturing facilities are located in one location in Boston, and there are sales offices in multiple cities in the US.
3. The company uses a website for its customers to obtain product information and to place orders.
4. The company also allows customers and employees to use wireless devices to connect to the company's web server.
5. The company maintains a database to hold data about its customers, products, pricing, sales, etc.
6. The company has an email server to handle email.
7. Confidentiality and integrity of product designs and pricing are extremely important, and only employees with security clearance can access this information.
8. The company has an intranet to handle communications and operations within the company.
9. The information transmitted over the intranet and the Internet must be secured (encrypted).
10. The web server, database server and email server must be available 24/7 for customers and employees.
11. The majority of the employees are not technically proficient, have no training in information security, and are not likely to read a document that exceeds one page in length.
12. The headquarters and manufacturing facility is in a large building that has a security station manned by a guard 24 hours a day.
13. Each employee is issued a photo ID badge with a magnetic stripe. The facility has a card-reading system that can determine whether an employee is authorized to access the facility during specific time periods.
In your proposal, you will need to analyze various risks, assess vulnerabilities, provide suggestions for implementing different access controls (including authentication and authorization), and develop the necessary security policies, such as a wireless devices policy, a confidentiality policy, etc. A checklist should also be developed to help the guard check security and deal with any exceptions to the policy that arise. Also to be included are recommendations for either a symmetric or an asymmetric cryptosystem for secure communications; the use of digital signatures, digital certificates, and PKI; policy and procedures on how to handle security incidents; and security recommendations for the company's internal computer network and for how the company should connect to the Internet (this includes the necessary hardware and software, training, etc. against all known threats to the company's computer network). The company's computer network consists of a database server, a web server, an email server and user machines separated into three LANs: corporate, sales and support.
Before you develop the various policies, it is important that you search for and look at some examples of the security policies you will be developing (such as AUP, BCP, DRP, etc.) on the web using a search engine.