Scenario:
A startup company established on 01/01/20XX has a staff of 12: one executive director, one CIO, one software manager, one hardware manager, one CFO, five engineers and one secretary, who also handles public relations in addition to day-to-day data management duties.
The company develops hardware and software for resolvers, which it sells to larger companies. Under some of the contracts the company is a supplier to a larger company that holds government contracts.
The company operates one central server with 100 nodes, shared storage, a shared data space similar to Dropbox, a shared scanner and 10 printers.
All workstations were placed in cubicles in the main room, and the secretary's desk and workstation, along with 2 printers, were set up in the main entrance hallway.
Q1. On March 10/20XX the new server was delivered, and the managers, together with the CIO and the executive director, held a meeting to establish a policy for use of the resource. It was decided that:
1. All engineering personnel and the CIO will have access to all files 365/24, remotely and from their office workstations.
2. The CFO will have access only to data dealing with materials for the current month.
3. The Executive Director will have access only to CIO reports and CFO reports, but not to data on projects.
4. The Secretary will have access to all documents and data at all times.
Do you think this setup has security risks? Describe these risks, if any, propose a better solution and explain why your solution is better.
Answer
The new solutions and modifications to the proposed solutions are discussed below.
Some initial thoughts:
Not every piece of data is required by everyone. This statement implies both a general perception and a concern. Perception, in that every job has a different description and complexity: the CFO will not be directly involved with the Hardware Manager.
If every file is available to every member, there is a risk of that information being misused somewhere down the line; better to keep it safe. This part relates to the concern about data being available to everyone.
1. [PROPOSED] All engineering personnel and the CIO will have access to all files 365/24, remotely and from their office workstations.
[UPDATED] Only the Executive Director will have access to all files 365/24, remotely and from their workstation.
[UPDATED] The CIO will have access to all files 365/24 from their workstation.
Engineers are concerned with the technical aspects of software and hardware, not with all the data the company processes in a day. Technical aspects as in whether the software is working properly across devices, networks, etc. On the other hand, the CIO is concerned with all the information that is transacted, stored and sent in a day. He/she has to analyze that data and make further decisions based on it.
2. [PROPOSED] The CFO will have access only to data dealing with materials for the current month.
[UPDATED] The CFO will have access to all files 365/24 from their workstation.
They are concerned with finance, budgeting and planning for the organization. They might need data that will help them make better decisions, and their scope should be widened so that they can take more informed decisions about financial matters.
3. [PROPOSED] The Executive Director will have access only to CIO reports and CFO reports, but not to data on projects.
[UPDATED] Only the Executive Director will have access to all files 365/24, remotely and from their workstation.
Being at the top, he/she should have all the access all the time.
4. [PROPOSED] The Secretary will have access to all documents and data at all times.
[UPDATED] The Secretary will have access to all documents in scope at all times.
Again, this job is concerned only with the specific data required on a daily basis.
Going further, suggestions/new proposals:
1. All employees are granted access only after entering valid credentials.
2. Business emails are not allowed outside of the company network, except for the Executive Director.
3. No outside mail from any server except authentic servers.
PFB an image suggesting more specific details.
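The following is an added example, not part of the original question or answer. It encodes the meeting's four access decisions and the answer's revised ones as two role-based policies, then runs a least-privilege audit that lists, per role, every data category a policy grants beyond what the role's job needs. The role names, the four resource categories, the request fields (remote or workstation, date for "current month"), the meaning of the secretary's "documents in scope" and the per-role need sets are all assumptions introduced here; the page only speaks of "files", "reports" and "data on projects". The audit makes the answer's argument concrete: under the proposed policy the engineers and the secretary hold grants wider than their job needs, and the updated policy closes those two gaps while widening the CFO's grant.

```python
"""Added example (not from the original question or answer): the meeting's
access decisions and the answer's revised ones as role-based policies, plus
a least-privilege audit.  Role names, resource categories, request fields
and the per-role "need" sets are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date

# Resource categories (constructed; the page only says "files", "reports", "data on projects").
PROJECT_DATA = "project_data"   # engineering data on current projects
MATERIALS = "materials"         # data dealing with materials (purchasing)
CIO_REPORT = "cio_report"
CFO_REPORT = "cfo_report"
ALL_FILES = frozenset({PROJECT_DATA, MATERIALS, CIO_REPORT, CFO_REPORT})

# Assumed meaning of the answer's "documents in scope" for the secretary.
SECRETARY_SCOPE = frozenset({CIO_REPORT, CFO_REPORT})

@dataclass(frozen=True)
class Resource:
    category: str
    month: tuple            # (year, month) the data belongs to

@dataclass(frozen=True)
class Request:
    role: str
    resource: Resource
    remote: bool            # False when made from an office workstation
    today: date             # date of the request, for "current month" rules

def proposed_policy(req: Request) -> bool:
    """The four decisions as the meeting stated them."""
    cat = req.resource.category
    if req.role in ("engineer", "cio"):            # 1: all files, 365/24, remote or local
        return True
    if req.role == "cfo":                          # 2: materials data for the current month only
        return cat == MATERIALS and req.resource.month == (req.today.year, req.today.month)
    if req.role == "executive_director":           # 3: CIO and CFO reports, not project data
        return cat in (CIO_REPORT, CFO_REPORT)
    if req.role == "secretary":                    # 4: all documents and data, all the time
        return True
    return False                                   # unknown role: deny by default

def updated_policy(req: Request) -> bool:
    """The answer's revised decisions.  Where the answer leaves a detail open
    (engineers' scope, the secretary's "documents in scope") this example
    assumes project data and SECRETARY_SCOPE respectively."""
    cat = req.resource.category
    if req.role == "executive_director":           # all files, remote and from the workstation
        return True
    if req.role in ("cio", "cfo"):                 # all files, but only from office workstations
        return not req.remote
    if req.role == "engineer":                     # assumption: project data, workstation only
        return cat == PROJECT_DATA and not req.remote
    if req.role == "secretary":
        return cat in SECRETARY_SCOPE
    return False

# What each role needs for its job, following the answer's point that not every
# piece of data is required by everyone.  Assumed for the example.
ROLE_NEED = {
    "engineer": frozenset({PROJECT_DATA}),
    "cio": ALL_FILES,
    "cfo": frozenset({MATERIALS, CFO_REPORT}),
    "executive_director": ALL_FILES,
    "secretary": SECRETARY_SCOPE,
}

def granted(policy, role: str, today: date, remote: bool = False) -> frozenset:
    """Categories a policy grants a role for current-month data."""
    month = (today.year, today.month)
    return frozenset(c for c in ALL_FILES
                     if policy(Request(role, Resource(c, month), remote, today)))

def over_privilege(policy, today: date) -> dict:
    """Role -> categories granted beyond the role's need.  An empty dict means
    the policy satisfies least privilege for the assumed need sets."""
    report = {}
    for role, need in ROLE_NEED.items():
        excess = granted(policy, role, today) - need
        if excess:
            report[role] = excess
    return report

if __name__ == "__main__":
    today = date(2020, 3, 10)  # constructed; the page gives only "March 10/20XX"
    print("proposed:", over_privilege(proposed_policy, today))
    print("updated: ", over_privilege(updated_policy, today))
```

The verdict of the audit depends entirely on ROLE_NEED: the policies only grant, and least privilege can only be checked against a written statement of what each job requires. That is the practical takeaway from the answer's "not every piece of data is required by everyone": record the need per role first, then derive the grants from it, and re-run the comparison whenever either side changes.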