Underground HipHop.com Security Policy

CMGT/245
June 24, 2013

Underground Hiphop.com All things hip hop can be found at undergrounhiphop.com or by visiting the store. Bloggers and consumers can log onto the portal to share what they know and what they think on the blogs and forums, find the times and dates of local concerts, or purchase hip hop paraphernalia. It is important to keep in mind the best interest of the consumers and the company by ensuring both are well protected. Team A has reviewed the goals and plans underground hiphop.com must meet to protect the business and its consumers. The company’s goal is to track inventory, make sure all financial transactions are safe in both the store and online location, and to make sure the website is PCI compliant so the customers will not put the consumer’s identity in danger of theft. In an effort to make the necessary changes, team A has reviewed the physical security section, access control section, the network security section of the security policy, and the security of information systems.
Physical Security Physical Security viewpoints remain concerned with measures designed to deny or provide access to individuals from a physical access point for Underground HipHop.com. This can stand as simple as a locked door or as complex as a biometric entrance into the facility. Additional steps will have signs posted clearly defining rules and regulations simplified of the company’s physical security policy, without providing specific information about the security division for the company stands located within the building. The company will make sure that there is not a point of failure to compromise the security of Underground HipHop.com. The goal of physical security is to ward off potential security risks of an intruder gaining access to the facility.

Physical properties can stand restricted within a facility based on the rights of the individual employees through controls. Security can reduce risks not eliminate them entirely. The goal of physical security within offices, rooms, and facilities is to provide that initial layer of security or to deter threats. Key access to a facility can remain challenging to manage with user turnover. Electric access control can exist easily managed through automation, controlling the use restricting times within a work schedule or off work hours. Security of the facilities and entry controls measure and provides altogether physical security measures within the establishment to keep the ongoing prevention through the design of physical barriers while determining the physical access areas and their potential for unsecure access. Providing isolated delivery and loading areas for work access can reduce the risks by eliminating entrance and exits points. This will provide benefits from a financial perspective of the security cost for managing these areas as well. The company can also evaluate some strategic design approaches to find the best fit for Underground HipHop.com Company plus while keeping their budget manageable. Some requirements suggest that HipHop.com Company can limit the access to the delivery and loading areas. Keeping this area from key core functions for the business where company business information stays stored. Physical Security requirements will change as the business grows. Taking the initiative to stay ahead of the risks that may develop with the evaluation of the processes and procedures regularly will inhibit some physical security risks.
Security of Information Systems The security of information systems may focus primarily on certain areas such as the workplace, equipment, connection tools, and devices such as laptops. Workplace protection should be taken seriously seeing that most companies have been experiencing higher threats by hackers, as most know, unauthorized users can be the most dangerous at times. Therefore, it is a good idea to have effective security practices in place that will create a balanced technology along with personal management. In the case of unused posts and cabling, this can present structural vulnerabilities, such as preventing cool air from reaching your hot spots on your system. They can also present fire threats because of them just lying around near areas that may generate heat, so it is very wise to discard of post and cabling no longer in use. One other area that can help in the security of information systems would be equipment maintenance because how many times have we seen or even used equipment that was not up to standard or just outdated. Just by simply keeping the network system functioning at its best can help to provide security because hackers are often looking for faulty, weak, and outdated equipment. This allows easy access to the information that hackers may be looking for, but if one properly maintains the equipment it makes it difficult for the hackers to gain access. The next area of concern would be portable or wireless devices, such as laptops and smartphone that have access to the Internet and e-mail. VPN protects information traveling by way of air or wire which will keep information from being intercepted as well as controlling the traffic flow on this type of equipment. The network and server equipment should also be closely looked at because it is also at risk to vulnerabilities, the first being remote access. If you are trying to login to the web server one must ensure that the remote location is secure through the use of tunneling or encryption protocols. It would also be a good idea to put in place some policies that indicates privileged access to the server and who must have permission, just by taking precautions as such will help to create security of information systems.
Access Control Access control is an integral part of network security. Discussed here are four different methods or types of these access controls. All four of these methods are a form of authentication requiring one of three factors; something known, something owned, or something you are. The first of these methods is user enrollment or identification. This method asks for a username and password to give access to a specific network, folder, or computer. This method uses the factor of something known, like a password and username. A username/identification authenticates a user’s rights to a network, which ties into the next method of access control. Authentication is the next method used in access control; authentication uses one or more factors. An example of something you are is the fingerprint. Another example would be a hand print, voice recognition, or a retina scan. The other factor, something owned would be a key card, key, or perhaps a Common Access Card. (Security +) The two other access controls used are more for the privileged users or those who need access to classified network data or working from home or travel. Privileged and special account access is a form of access control used to grant users a higher authorized account to either make changes to the network servers, computer, or printers, or to make changes to user account information from anywhere on the network. If one does not have these privileges attached to their account, they will get an access denied variation shown when trying to access specific information. Remote access is a form of access control on a more complex level. Remote access is a variant of privileged access, where a user is assigned to a group that has remote access rights. Whether it is remote desktop or Virtual Private Networking (VPN), that individual has to have the rights to remote onto another network computer as an administrator, or remote into the network drives from an outside Internet Service Provider (ISP). Access control coupled together with physical security creates a more robust security called defense in depth.
Network Security Network security and network access are essential in protecting business and the consumers who log on every day to place order, communicate with others and voice their opinions. There will be many online users adding to the blogs and placing orders, and for them it is recommended to use a traditional network access server (NAS). The NAS will use the typical log on and authentication process to verify the identity of the users, and only allow access to different parts of the sites based on log-in credentials. In addition to these processes NAS will also be “implementing anti-threat applications such as firewalls, anti-virus software and spy-ware-detection programs. NAC also regulates and restricts the things individual subscribers can do once they are connected” (Rouse, 2006). A stricter approach to network security will be applied to in store employees and all other employee who will utilize the network to access work related functions such as entering and tracking inventory. For all employees implementing a Network Admission Control (NAC) is required. The NAC “is a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy” (Rouse, 2006). A combination of physical and logical network access control devices will be used in order offer as much security as possible. Using complex log on requirements, including user name and passwords in combination with site keys or pictures to will identify and authenticate non-employee users. There will also be a certain level of security requirements needed by all users to have on their computer before allowed access. The same will apply to employees; however, there will be an additional requirement of employee ID numbers alongside employee badges to use before granting access. Locking all equipment inside the store with an alarm system with each individual CPU stored in a locked box with those keys locked in the manager’s office inside a time lock safe.

References
Merkow, M. S., & Breithaupt, J. (2006). Physical Security Control [University of Phoenix Custom Edition eBook]. : A Pearson Education Company. Retrieved from e.g. University of Phoenix, Chapter 8 Physical Security Control website.

Physical Security. (2013). Retrieved from http://www.csoonline.com/topic/221490/physical-security

Rouse, M. (2006). What is network-access control (NAC)?- Definition from whatis.com. Networking information, new and tips- SearchNetwork.com. Retrieved June 16, 2013 from http://searchnetworking.techtarget.com/definition/network-access-control/