Question

In: Computer Science

About the organization: This fictional organization has a small, but growing, employee base, with 50 employees...

About the organization: This fictional organization has a small, but growing, employee base, with 50 employees in one small office. The company is an online retailer of the world's finest artisanal, hand-crafted widgets. They've hired you on as a security consultant to help bring their operations into better shape.

Organization requirements: As the security consultant, the company needs you to add security measures to the following systems:

An external website permitting users to browse and purchase widgets

An internal intranet website for employees to use

Secure remote access for engineering employees

Reasonable, basic firewall rules

Wireless coverage in the office

Reasonably secure configurations for laptops

Since this is a retail company that will be handling customer payment data, the organization would like to be extra cautious about privacy. They don't want customer information falling into the hands of an attacker due to malware infections or lost devices.

Engineers will require access to internal websites, along with remote, command line access to their workstations.

Step-By-Step Assignment Instructionsless

You’ll create a security infrastructure design document for a fictional organization. Your plan will be evaluated according to how well you met the organization's requirements. Points will be awarded based on how well you met these requirements, considering the security implications of your choices.

The following elements should be incorporated into your plan:

Authentication system

External website security

Internal website security

Remote access solution

Firewall and basic rules recommendations

Wireless security

VLAN configuration recommendations

Laptop security configuration

Application policy recommendations

Security and privacy policy recommendations

Intrusion detection or prevention for systems containing customer data

Solutions

Expert Solution

PURPOSE OF THE SECURITY INFRASTRUCTURE DESIGN DOCUMENT

Introduction

This document describes how the functional and nonfunctional requirements recorded in the Requirements Document and the preliminary user-oriented functional design based on the design specifications.

Furthermore, it describes the design goals in accordance with the requirements, by providing a high-level overview of the system architecture, and describes the data design associated with the system, as well as the human-machine scenarios in terms of interaction and operation. The high-level system design is further decomposed into low-level detailed design specifications including hardware, software, data storage and retrieval mechanisms and external interfaces.

Purpose of the Security Infrastructure Design Document

The Security Infrastructure Design Document helps to document and track the necessary information required to effectively define architecture and system design in order to give the guidance on the security architecture of the IT environment that is going to be established.

2. General Overview and Design Approach

2.1 General Overview

The client requires an IT infrastructure to perform their business activities that involve e-commerce applications and internal VPN access for their customers as well as employees with a high priority on the security and privacy of customer information and of the client’s as well

2.2 Assumptions/Constraints/Risks

Assumptions

It has been assumed that the employees are increased by 5% every year thereby reflecting the usage of the network bandwidth and increase of the devices that are connected to the enterprise network infrastructure.

Constraints

The following are the key considerations associated with the security of the infrastructure:

  • Authentication system
  • External website security
  • Internal website security
  • Remote access solution
  • Firewall and basic rules recommendations
  • Wireless security
  • VLAN configuration recommendations
  • Laptop security configuration
  • Application policy recommendations
  • Security and privacy policy recommendations
  • Intrusion detection or prevention for systems containing customer data

Risks

Since the infrastructure is meant to carry out the e-commerce related transactions that may involve third party merchant authorisations and financial related issues,a strict security mechanism needs to be enforced so as to ensure that there is no such issue related in customers transactions as it may affect the reputation of the organisation.

Additionally there should be a backup mechanism to take the data backups at regular intervals to deal with any unwanted situations like system failures,attacks by intruders etc.,

2.3 Alignment with Federal Enterprise Architecture

The proposed architecture strictly complies with federal Enterprise architecture, All the protocols being used and the hardware interfaces used compiles with the industry standards as specified so as to ensure compatibility of the networks as well as the security in compliance with CMS Enterprise Architecture (EA)

3. Design considerations

3.1 Goals:

The following are the desirable outcomes of the security infrastructure proposed to be implemented in the organisation:

  • An external website permitting users to browse and purchase widgets securely.
  • An internal intranet website similar to that of a VPN for employees to use
  • Secure remote access for engineering employees
  • Reasonable, basic firewall rules
  • Wireless coverage in the office
  • Reasonably secure configurations for laptops
  • Privacy of the user data

3.2 Architectural Strategies

For external website to perform purchase activity by customers:

In order to provide a secure e-commerce transactions the following are the primary which security goals include:

  • Protecting confidentiality of the data
  • Making sure that unauthorized persons or systems cannot access the information of users;
  • Making sure that the information accessed is genuine;
  • Making the data accessible and usable;
  • Logging the transactions for further reference and support activity
  • Verifying the authenticity of a person to perform a transaction.
  1. For intranet website accessed by employees:

Since the data is accessed by the company employees only it should be only available to company’s level of access making it private from other information being maintained on the infrastructure So,the following are the considerations in this case:

  • Making sure that the access is within their intranet by implementing a firewall mechanism
  • Specifying the authentication mechanism to access the website by the employees
  • Supervising the activities and user management on the website by an administrator
  1. Secure remote access for engineering employees

We can perform safe implementation of remote access control objectives based on the following security considerations:

Device type: What device types require remote access?

Role: What remote access is appropriate for that role given the device used?

Location. Is access from a public location, another company site, internal wireless, etc.?

Process and data: What processes and data are accessible given the first three access characteristics?

Authentication method: Does the need for strong authentication increase based on the device used, where it is used, and what it is allowed to access?

  1. Basic firewall rules to be implemented:

Block by default – to block all incoming and outgoing connections

Allow specific traffic – only allow specified ip addresses

Allow Inbound-only allowing intranet users

  1. Wireless coverage in the office

Can be provided with an 802.11 WLan adapter/router with PSK(pre-shared key) configuration or a login based limited access to company WiFi by the employees

Security considerations: Should be Password protected and metered

  1. V-LAN Configurration:

VLAN network segmentation creates security zones that enables flexible and strong control of what a remote user can access. security zones separating incoming traffic from internal resources. Using dynamic VLAN assignments and access control lists, we can control user access based on the conditions

  1. Laptop Security configuration:

One of the most vulnerable parts of the infrastructure is the laptop computers that employees use. These devices can be responsible for bringing in viruses or malware or causing the organization to lose sensitive data.This can be checked using the techniques such as:

  • Encrypting the disks on the laptops
  • Ensuring Antimalware/Antivirus are upto date in regula intervals
  • White listing the devices on the network
  • Running a product such as System Center Configuration Manager, LANDesk, Altiris, or some other systems management platform
  1. Application policy recommendations
  • Integrate secure coding principles in all software components of infrastructure.
  • Perform automated application security testing as part of the overall application testing process.
  • Development and testing environments should redact all sensitive data or use de-identified data.
  • Compliance with industry standard data policies and protocols
  1. Security and privacy policy recommendations

Explain How the organization Collects and Use Personal Information

  • Cookie Policy – Cookies are used to store user preferences or shopping cart contents. Clearly explain your cookie practice.
  • How organization will Share Customer Information – Customers need to know that their data will only be used to complete the transaction and that any further use of that data (including selling or distributing it) requires their consent.
  • Contact Information – Make it easy for your customers to contact you or file a complaint.

Display Privacy Policy Make sure new customers or users have easy access to your policy mandatorily

Publish Email Opt-Out Policies – Include opt-out options in your email marketing

Get a Seal of Approval – Third party validation of your online privacy and security policy can enhance your credibility.and trust of security

Intrusion detection or prevention for systems containing customer data

As the demand for E-Commerce grows on the Internet so will the increasing potential for E-Commerce sites to be attacked. Implementing security methodologies pertaining to an E-Commerce environment is not a simple thing .It should consider various threats and anomalies that can cause an attack .This can be achieved though penetration testing and reverse engineering to detect by signature or by an anomaly. This can be achieved by a third party IDS systems readily available in the market

Summary

Thus we can conclude the report of the security infrastructure of the organization has been assessed and recommendations were made as required for the proposed environment as specified

Key assets being protected:

Customer information,Company related information

Key threats to protect against :

Intrusion to website,Data Loss

Key activities to protect against:

Customer purchase of artifacts,payment transactions,employee data

Relative ranking of fundamental security goals :

This is an important exercise for every organization as part of the risk mitigation planning process. For this project, the ranking came out like this:

Confidentiality: high

Integrity: high

Availability: medium

Auditability: medium

Nonrepudiation: N/A


Related Solutions

Problem Description An organization has a number of buildings and employees. Every employee has an office...
Problem Description An organization has a number of buildings and employees. Every employee has an office in one of the buildings. The application will store the employees, the buildings, and the relationships between employees and buildings. Entity interface The Entity interface represents an employee or a building. Every object of type Entity has a single method, with the following characteristics. • Name: getName() • Returns the name of the entity (a String object) • No parameters Employee class This class...
It is common for an organization to have different categories of employees, such that one Employee...
It is common for an organization to have different categories of employees, such that one Employee class can not easily describe all types of Employees.In this project, you will code a basic Employee class, and then a number of classes which derive from the Employee class (inherit), adding Employee specifics. An application program which stores info for one company will have use objects of different types to model the all employees. Part I:   The Employee Class First create the Employee...
Mina, age 50, has a business with the following employees: Employee Date of Birth Employment Start...
Mina, age 50, has a business with the following employees: Employee Date of Birth Employment Start Date Compensation Ali 4/24/1985 6/30/2017 $56,000 Bob 6/25/1976 2/30/2010 $120,000 Cindy 3/15/1987 4/25/2008 $75,000 David 2/4/1997 7/14/17 $87,000 Edward 2/28/1993 10/14/2012 $47,000 Mina earns $450,000 and has for about 4 years. There is no retirement plan now and Mina would like to adopt one that will give her personally the most beneficial and cost the minimum amount for her employees. What plans should Mina...
Write a program in C to process weekly employee timecards for all employees of an organization...
Write a program in C to process weekly employee timecards for all employees of an organization (ask the user number of employees in the start of the program). Each employee will have three data items: an identification number, the hourly wage rate, and the number of hours worked during a given week.A tax amount of 3.625% of gross salary will be deducted. The program output should show the identification number and net pay. Display the total payroll and the average...
Theory Questions 1. The Kyrgios Database Group has about 120 employees. Each employee has an ID,...
Theory Questions 1. The Kyrgios Database Group has about 120 employees. Each employee has an ID, a firstname and a surname. Each employee belongs to a department. The organisation has around 6 departments. Each department has a department code and a departmentname. • Create an ERD solution based on the above narrative. ERD Diagram Question 2. The Tomic Primary School wishes to democratically choose which animal will become the school mascot. The list of alternatives includes Kangaroo, Koala, Tiger, Elephant,...
Write a program to process weekly employee time cards for all employees of an organization. Each...
Write a program to process weekly employee time cards for all employees of an organization. Each employee will have three data items: an identification number, the hourly wage rate, and the number of hours worked during a given week. Each employee is to be paid time and a half for all hours worked over 40. A tax amount of 3.625% of gross salary will be deducted. The program output should show the employee’s number and net pay. Display the total...
An important tactic for retaining employees is a good employee recognition program within the organization. Here...
An important tactic for retaining employees is a good employee recognition program within the organization. Here we what to examine how common they are in small (and large) businesses. With that in mind, you interview 376 of each kind. You find that 278 of the small organizations said they have an employee recognition program, while 316 of the large ones said they have an employee recognition program. We are trying to prove that larger organizations are more likely to have...
A small grassroots organization has been running a food pantry for about five years. They are...
A small grassroots organization has been running a food pantry for about five years. They are located in the community center of a local church. The church is its only major partner. They typically open about two days per week and provide food for local families that stop in. The hours of operation are a bit inconsistent. Most of their donations, of late, have come from the church. Sometimes, they collect hats, scarves and gloves to distribute during winter months....
A small insurance company with approximately 50 employees wants to hire an office manager. Technical insurance...
A small insurance company with approximately 50 employees wants to hire an office manager. Technical insurance knowledge is not required. The company is looking for someone with good organizational skills, managerial and supervisory skills, the ability to manage budgets and schedules, the ability to coordinate meetings, and excellent communication, interpersonal, and computer skills. Work experience is preferred. Analyze your knowledge and skills to determine if you have the qualifications to apply for this position. List your technical skills that are...
As the head of a small insurance company with six employees, you are concerned about how...
As the head of a small insurance company with six employees, you are concerned about how effectively your company is using its networking and human resources. Budgets are tight, and you are struggling to meet payrolls because employees are reporting many overtime hours. You do not believe that the employees have a sufficiently heavy work load to warrant working longer hours and are looking into the amount of time they spend on the Internet. Each employee uses a computer with...
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT