Question

Scenario:

            Startup company established on 01/01/20XX has 12 people personnel of which one executive director, one CIO one manager of software one manager of hardware one CFO and 5 engineers and one secretary, which plays role of public relations as well apart from day to day data management duties.

            The company develops hardware and software for resolvers which sells on larger companies. Some of the contracts include the company to be supplier of a larger company which has government contracts.

            The company exploits one central server with 100 nodes, shared storage, shared data space similar to DropBox, shared scanner and 10 printers.

            All workstations were placed in cubicles in main room and the secretary desk and workstation along with 2 printers was set up at main entrance hallway.

Q1. On March 10/20XX the new server was delivered and mangers along with CIO and executive director made a meeting to establish a policy of use of the resource. It was decided that:

• All engineers’ personnel and CIO will have access to all files 365/24 remotely and from their office workstations.
• The CFO will have access only to data dealing with matherials for current month.
• The Executive director will have access only to CIO reports and CFO reports but not data on projects.
• Secretary will have all access to all documents and data all the time.

Do you think this set up have security risks? Describe these risks if any and propose a better solution and describe why your solution is better.   

Answer 1

Question: Startup company established on 01/01/20XX has 12 people
1. 1 Executive Director
2 1 CIO
3. 1 Manager s/w
4. 1 Manager h/w
5. 1 CFO
6. 5 Engineers
7. 1 Secretary [Public relations + Day to day Data]

Company exploits "Central Server" ->100 Nodes, shared storage, shared data space, shared scanner and 10 printers.
Decision on usage:
1. All engineers personnel and CIO will have access to all files 365/24 remotely and from their office workstations.
2. CFO will have access only to data dealing with materials for current month.
3. The Executive director will have access only to CIO reports and CFO reports but not data on projects.
4. Secretary will have all access to all documents and data all the time.

Answer

The new solutions and modifications(for proposed) solutions are discussed below.

Some initial thoughts.
Not Every data is required for Everyone. This statement implies a general perception as well as concern. Perception as in every job has different descriptions and complexities. CFO will not be directly involved with Hardware Manager.
If each file is available to every member then there is a risk of that information getting misused somewhere down the line. Better keep it safe. This part is related to concern of data being available to everyone.

1. [PROPOSED] All engineers personnel and CIO will have access to all files 365/24 remotely and from their office workstations.
[UPDATED] Executive director only will have access to all files 365/24 remotely and from their workstations.
[UPDATED] CIO will have access to all files 365/24 from their workstations.
Engineers are concerned with technological aspect of softwares and hardwares, not with all the data that company is processing within a day. Techincal aspects as in if software is working

properly across devices, networks etc. On the other hand, CIO is concerned with all the information that is transacted stored and sent in a day. He/she has to analyze that data and make further

decisions on that.

2. [PROPOSED] CFO will have access only to data dealing with materials for current month.
[UPDATED] CFO will have access to all files 365/24 from their workstations.
They are concerned with the financial, budgeting and planning for the organizations. They might need data which will help them take better decisions and their area should be increased as to take

more informed decisions about financial aspects.

3. [PROPOSED] The Executive director will have access only to CIO reports and CFO reports but not data on projects.
[UPDATED] Executive director only will have access to all files 365/24 remotely and from their workstations.
Being at the top, he/she should have all the access all the time.

4. [PROPOSED] Secretary will have all access to all documents and data all the time.
[UPDATED] Secretary will have all access to all documents in scope all the time.
Again, this job is concern with a specific data required on daily basis only.

Going further, suggestions/new proposals.
1. All Employees are granted access only after entering valid credentials.
2. Business emails are not allowed outside of company network except for Executive Director.
3. NO outside mails from any server except authentic servers.

PFB an image to suggest more specific in detail.