Security Assessment Recommendations

Submitted by vincehill
Course Project: Security Assessment Recommendations
Vincent Hill
DeVry University Keller Graduate School
Principles of Information Security and Privacy
SE571
Professor Krell
April 15, 2012

Course Project: Security Assessment Recommendations

INTRODUCTION

Quality Web Design is an organization that specializes in building web sites and providing web business solutions. The company's goal is to help its customers increase the consumer-generated revenue of the web sites Quality Web Design builds for them. Its other business processes include accounting, payroll and marketing, and the company's assets are employed in support of these processes. Quality Web Design should be made aware of various security issues, even those that are not common. This paper identifies two potential security weaknesses that require improvement and the possible remedies for each threat.
Quality Web Design provides business solutions to its customers. The network circuit used by the company may expose various security flaws, and the hardware and software in use have limitations: Microsoft SharePoint has limited support for virtualization and upgrading, whereas the web server provided by IBM offers functionality beyond that of the Microsoft web server. The company has very good hardware, software and network systems, and these assets support its business processes, but the hardware, software, assets and network design still have many limitations. The company supports its customers by providing web solutions so that they can expand their business through the Internet; its processes also include accounting, payroll and marketing. This paper presents solutions to the problems that may arise from these weaknesses.

The business solutions provided by Quality Web Design help its customers generate increased revenue. The company also has accounting, payroll and marketing processes, which are part of its business process and for which its assets are employed. To provide these solutions and support its ongoing business processes, the company has deployed a great deal of hardware, software and other assets. Since the main part of the business is web development, the company maintains a database of over 250,000 images and graphic designs that must be maintained and secured; for this it uses the Microsoft Visual Studio Team Foundation Service (TFS) server, which comes with 1 web server, 1 application server and 1 database code repository. The first problem with the Microsoft Visual Studio Team Foundation Service (TFS) is that it offers no facility to track the time spent on a project. Even though the company uses the best assets, hardware and software for its business processes, various security, hardware and software weaknesses still exist. These weaknesses are discussed in this write-up, together with the recommended solutions.

SOFTWARE WEAKNESSES AND RECOMMENDATIONS
WEAKNESS:
The email system used by the company consists of Microsoft Exchange 2007 email servers, including hub transport servers, 1 mailbox server and 2 client access servers. The current email system is very strong; however, there are some weaknesses associated with it. The first deficiency is that the system is not able to support virtualization; second, only a 64-bit Windows platform is supported, and upgrading is not an option.

SOLUTION: To resolve these problems I suggest IBM mail servers, which have all of these features. The company can face large complications if a new version is released, and upgrading the software will increase the company's expenditures. The average size of a mail file affects how many resources the DPARs need to support the user population: the larger the average mail size, the more resources it takes the DPARs to process tasks. The Router task uses more resources to deliver these messages to other servers, and the Server/HTTP tasks use more resources to deliver them to clients. A user population that sends large mail messages or messages with large attachments is more costly to support than the same population sending smaller messages. Obviously, the more messages a user community sends, the more resources are needed to support it (IBM).
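As an added example (not the essay's own material, nor code from IBM or any other product the essay names), the following Python script makes the POP3 password exposure that this email-system recommendation goes on to discuss concrete from a defender's side: it flags USER/PASS logins that were sent in the clear in a captured POP3 session, leaves alone a session that upgraded to TLS with STLS, and checks and corrects a set of mail client settings. The captured lines, the host name pop.example.net and the layout of the settings dictionary are constructed for illustration.

```python
"""Spot cleartext POP3 logins in a captured session and check a mail client's
transport settings.

Added example for this essay's POP3 discussion; it is not the essay's own
material.  The session captures, the host name pop.example.net and the layout
of the settings dictionary are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed capture of an unencrypted POP3 login (RFC 1939 USER/PASS) as a
# passive observer on the network path would see it.  The account name and
# password are made up.
SAMPLE_CLEARTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS correct-horse-battery
S: +OK Logged in.
C: STAT
S: +OK 2 3120
C: QUIT
S: +OK Bye
"""

# Constructed capture of a client that asks the server to switch to TLS with
# STLS (RFC 2595) before logging in.  After the server's +OK the stream is
# encrypted, so the observer sees nothing more that can be parsed.
SAMPLE_STLS_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: +OK Begin TLS negotiation
"""

CLIENT_LINE = re.compile(r"^C:\s*([A-Za-z]+)(?:\s+(.*))?$")


def exposed_credentials(capture: str) -> List[Dict[str, str]]:
    """Return every USER/PASS pair that was sent in the clear.

    A PASS is counted only while the session is still unencrypted; once the
    server has accepted STLS the remaining bytes are TLS records and an
    observer cannot read them.
    """
    lines = capture.splitlines()
    found: List[Dict[str, str]] = []
    encrypted = False
    user = "<unknown>"
    for index, line in enumerate(lines):
        match = CLIENT_LINE.match(line)
        if match is None:
            continue
        command = match.group(1).upper()
        argument = (match.group(2) or "").strip()
        if command == "STLS":
            # The server's reply on the next line decides whether TLS started.
            reply = lines[index + 1] if index + 1 < len(lines) else ""
            encrypted = reply.startswith("S: +OK")
        elif command == "USER":
            user = argument
        elif command == "PASS" and not encrypted:
            found.append({"user": user, "password": argument})
    return found


def transport_is_encrypted(settings: Dict[str, object]) -> bool:
    """True when the client's POP3 settings keep the password off the wire.

    'ssl/tls' means implicit TLS from the first byte (conventionally port 995);
    'starttls' means the client issues STLS on port 110 and must refuse to
    log in if the server declines the upgrade.
    """
    security = str(settings.get("security", "none")).lower()
    return security in {"ssl/tls", "starttls"}


def hardened_settings(settings: Dict[str, object]) -> Dict[str, object]:
    """Return a copy of the settings moved to implicit TLS on port 995.

    Implicit TLS is preferred over STARTTLS here because a client that is not
    strict about STLS can be talked back into plaintext by an on-path attacker.
    """
    fixed = dict(settings)
    fixed["security"] = "ssl/tls"
    fixed["port"] = 995
    return fixed


if __name__ == "__main__":
    # Constructed client settings of the kind the essay says must be entered
    # when the mail program is configured (server address, port, protection).
    weak = {"host": "pop.example.net", "port": 110, "security": "none"}
    for hit in exposed_credentials(SAMPLE_CLEARTEXT_SESSION):
        print(f"cleartext login for {hit['user']} observed on the wire")
    print("weak settings encrypted?", transport_is_encrypted(weak))
    print("hardened:", hardened_settings(weak))
```

The "extra step at the user's client software" the essay mentions is exactly what `hardened_settings` performs: the server address stays the same, only the port and the protection mode change. Running the script over the cleartext capture reports one exposed login, while the STLS capture reports none.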
When an email program checks for received mail, it logs on to the incoming mail server, usually using the POP3 protocol. The POP server has an address that may be the same as the domain of the email address, such as IBM.net, or different, such as pop.IBM.net; this POP server address must be specified when the mail program is configured. The POP server also requires a password, which can be stored permanently in the email program or, if others have access to the computer, entered every time mail is checked. Some email programs can be configured to check mail automatically every so many minutes and beep when new mail arrives. The POP server returns mail to the sender if the recipient does not exist (Joe6712 doesn't exist at foo.com). A more modern server protocol known as IMAP is beginning to be used by some ISPs. The standard POP3 system transmits passwords as plain text, creating the possibility that account information could be stolen. Azinet.com states that many systems now use encrypted communications between the user and the incoming (POP3) email server to avoid this; setting up the encryption is an extra step in the user's client software. The email program can be configured either to leave mail on the server after downloading it or to delete mail that has been downloaded, which is handy when checking mail from home while keeping copies of all received mail on the office computer (azinet.com).

WEAKNESS:
The company uses Microsoft SharePoint as a web server for department documents and web sites. The disadvantage of Microsoft SharePoint is that it does not provide document-level options such as redaction and document mark-ups; SharePoint lacks this functionality because it relies on the Microsoft Office suite for document manipulation. The other drawback is its limited support for customization.

SOLUTION:
This problem can be solved by implementing DMS/CMS servers alongside SharePoint. A Content Management System (CMS) is software that keeps track of every piece of content on a web site, from text to images, music, video and documents. A major advantage of using a CMS is that it requires minimal technical skill to manage: users can log in and collaboratively create, edit, review, index, search, publish and archive various kinds of media and documents. MLD uses 'Joomla' CMS templates for developing corporate websites, portals, e-commerce sites, and non-profit and small business websites. A document management system (DMS) is a computer system used to track and store electronic documents and/or images of paper documents; it is usually also capable of keeping track of the different versions modified by different users. For the lack of customization, I suggest using the WSS and MOSS architecture.
With MOSS, it is mandatory to have a Shared Service Provider: a collection of application servers that provide shared services to any portals or sites that need them. These services include:
• Search
• Index
• Audience compilation
• User profiles database
• My Sites
• Business Data Catalogue
• Excel Services

Microsoft Office SharePoint Server 2007 can, working with other components of the Microsoft Office 2007 suite of applications, provide the functionality and benefits described above. However, the amount of functionality derived from a MOSS installation depends on the features implemented and activated, as well as on whether the MOSS environment is used to extend other building blocks, such as WSS and SQL Server. Figure 1 illustrates the structure of a complete MOSS environment. MOSS provides much of the functionality, but that functionality can be enhanced by including other extended-capability systems (SUDEV).
MOSS 2007 supports other server-based applications and services with a set of common administrative services, as shown in Figure 2. The primary elements in the common group of services are (as shown in Figure 2, left to right):

References

Andy Nolet, B. F. (2006, June 27). Sizing your IBM Lotus Domino mail servers. Retrieved from http://www.ibm.com/developerworks/lotus/library/domino-mail-sizing/
Ghandi, S. (2008, October 16). The MOSS Architecture. Retrieved from http://blog.sudev.info/2008/10/mossarchitecture.html
Kearn, M. (2006, June 6). MOSS Architecture and Shared Services. Retrieved from http://blogs.msdn.com/b/martinkearn/archive/2006/06/06/619251.aspx
Unknown. (1998). How To Set Up Email. Retrieved from http://www.azinet.com/azinet/mailinfo.htm
