Enterprise Security Plan

Submitted By tmgreyn
Smith Systems Consulting (SSC) is a major regional consulting company. Headquartered in Houston, Texas, the firm’s 350 employees provide information technology and business systems consulting to clients in a wide variety of industries, including manufacturing, transportation, retail, financial services and education. SSC is a service provider: it provides IT services for other companies. Security is essential for SSC not only because it must secure itself, but also because many customers depend on it to provide top-level IT services, which include security.
Enterprise risks are a part of all business, and how we address these risks determines how successful we are in the business world. Risk can be defined as “any exposure to the chance of injury or loss” (Cheryl L. Dunn, 2005). Risks can be internal, or they can come from outside sources in the form of external risks. Both types of risk pose a threat to the overall security of the enterprise. An Enterprise Security Plan (ESP) outlines possible risks by identifying the vulnerabilities within the business process and ranks those vulnerabilities so that a mitigation plan can be developed. The ESP also identifies technologies and policies that support the development of an operational plan to protect the business process and intellectual property of your corporation.
Within this ESP we have developed three appendices for ease of review and to facilitate the corporate review. The first appendix focuses on identifying vulnerabilities. The second appendix identifies the vulnerabilities that pose the greatest threat and provides the logical justification matrix. The third appendix addresses enterprise vulnerabilities: in it, Smith Systems Consulting discusses and makes recommendations that provide enterprise protection by identifying, and recommending mitigations for, vulnerabilities in three areas: physical, system and logical. This in-depth analysis helps identify the resources necessary to protect your enterprise.
Appendix 1
The team looked at many security issues at the company. There were many candidate topics when it comes to the risks that are possible in an enterprise environment. Some of the ideas included data loss, insider threat, outsider threat, and unpatched or out-of-date systems that might hinder SSC. The team understands that all of the identified risks are significant. Insider threat is when internal users of the system cause damage to the system. More often, the damage is caused inadvertently. The probability of a malicious insider threat is not as great, but it is definitely a possible threat. Certain steps must be taken to help prevent both the malicious and the inadvertent insider threat; the specific steps can be focused on in the project.
Another threat discussed by the team is that of unpatched systems. Research must be conducted to see whether a vulnerability management process is in place for SSC or for any of the companies it provides IT services to. If there is no vulnerability management plan or process, SSC must create one. Vulnerabilities left unchecked can cause system issues, including intrusions by unauthorized persons.
SSC will need to create a strong security policy plan and hire internal security professionals to help set up roles and create security profiles to resolve the issues discussed.
Appendix 2
Risk and vulnerabilities matrix
Risk and vulnerability strategies are important to a growing business. To evaluate an organization’s infrastructure, you would want a thorough threat assessment and other assessments to determine whether the outcome is in the best interest of the company. Threats to an organization can include natural, criminal, terrorist, and accidental threats, to name a few. A good threat assessment determines the likelihood of a threat occurring.
In this assignment Team A determined the risks and vulnerabilities of our virtual organization – Smith Consulting. We then designed a matrix and ranked the risks and vulnerabilities. We then added a comments field to the matrix so that we could describe the possible outcomes for each of the vulnerabilities.
We categorized our rankings as:
* High probability/high impact
* High probability/medium impact
* High probability/low impact
* Medium probability/high impact
* Medium probability/medium impact
* Medium probability/low impact
* Low probability/high impact
* Low probability/medium impact
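
The ranking described above, as an added example that is not part of the original essay: a small Python script rates constructed vulnerability entries by probability and impact, assigns each to one of the categories listed, orders the matrix with the most urgent items first, and renders it with the comments field. The entries, their ratings and their comments are assumed for illustration, not taken from the essay's own matrix.

```python
"""Risk and vulnerabilities matrix in the style of Appendix 2.

Added example, not part of the original essay: each entry is rated by
probability and impact, placed in one of the probability/impact
categories listed above, and the matrix is ranked so the highest
probability/highest impact items come first. The vulnerability entries,
their ratings and their comments are constructed for illustration.
"""
from dataclasses import dataclass

# Ordinal values for the rating levels used in the matrix.
LEVELS = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    probability: str  # "high", "medium" or "low"
    impact: str       # "high", "medium" or "low"
    comment: str      # possible outcome, the matrix's comments field

    def __post_init__(self):
        for level in (self.probability, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown rating level: {level!r}")

    @property
    def category(self) -> str:
        """Category label exactly as the matrix names it."""
        return f"{self.probability.capitalize()} probability/{self.impact} impact"

    @property
    def sort_key(self):
        # Probability first, then impact, matching the order of the
        # category list above; the name breaks ties so the order is stable.
        return (-LEVELS[self.probability], -LEVELS[self.impact], self.name)


def rank(vulnerabilities):
    """Return the entries ordered from most to least urgent."""
    return sorted(vulnerabilities, key=lambda v: v.sort_key)


def build_matrix(vulnerabilities):
    """Rows of the ranked matrix: rank, name, category and comment."""
    return [
        {"rank": i, "name": v.name, "category": v.category, "comment": v.comment}
        for i, v in enumerate(rank(vulnerabilities), start=1)
    ]


def render_matrix(vulnerabilities) -> str:
    """Plain-text table of the ranked matrix for the review document."""
    rows = build_matrix(vulnerabilities)
    width = max(len(r["name"]) for r in rows)
    lines = [f"{'#':>2}  {'Vulnerability':<{width}}  {'Ranking':<30}  Comments"]
    for r in rows:
        lines.append(
            f"{r['rank']:>2}  {r['name']:<{width}}  {r['category']:<30}  {r['comment']}"
        )
    return "\n".join(lines)


# Constructed entries with assumed ratings (not the essay's own matrix).
SAMPLE_VULNERABILITIES = [
    Vulnerability("Inadvertent insider damage", "high", "medium",
                  "Staff misconfigure or delete data by accident; most likely insider case"),
    Vulnerability("Malicious insider", "low", "high",
                  "Deliberate theft or sabotage of client systems"),
    Vulnerability("Unpatched systems", "high", "high",
                  "Known vulnerabilities left open; intrusion by unauthorized persons"),
    Vulnerability("Open SMTP relay on mail server", "medium", "medium",
                  "Server abused to send spam; mail from SSC gets blacklisted"),
    Vulnerability("DoS/DDoS against web server", "medium", "high",
                  "Client-facing sites slow or unavailable"),
    Vulnerability("Data loss without tested backups", "low", "medium",
                  "Email or database outage with no way to restore"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_VULNERABILITIES))
```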

Appendix 3
Enterprise vulnerabilities
Smith Systems Consulting (SSC) recommends and installs premium support services such as network installs, email server installs and upgrades, and database design and development. Though not stated on its website, SSC is security conscious about the technologies that are available for businesses and the technologies that it recommends to its customers. One area of security in which SSC thrives is vulnerability assessment. This involves evaluating a customer’s current vulnerabilities, as well as vulnerabilities that may arise from the installation of new technologies if they are not installed correctly. The vulnerability areas focused on are physical, system, and logical.
Physical
Vulnerabilities in the physical sense do not refer so much to things such as access to a building or server room, or damage to networking equipment (though IT staff should consider these). A DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack would be considered a physical attack because it causes physical problems for a server, i.e. overworking a server to the point of extreme slowness or failure. DoS and DDoS attacks occur when an attacker sends a large number of packets to a particular server (often a web server), consuming all of the available bandwidth and all of the server’s resources in handling and processing those packets. The end result for legitimate visitors is a site that is slow to load, or a site that does not come up at all.

Though DoS attacks can severely affect service, there are ways to combat them. Having a good-quality firewall in place that inspects packets as they arrive and blocks DoS traffic is a start. An IPS (intrusion prevention system) is an even better way to prevent these attacks, because an IPS device is usually much smarter than a firewall and can also scan incoming packets for a multitude of other problems. DoS and DDoS attacks can also occur against client machines. To protect against this, it is important to have high-quality, up-to-date antivirus and spyware removal software on those machines, as well as all current operating system updates. None of these steps guarantees that DoS attacks won’t occur (hackers are always coming up with new ways to launch these attacks), but together they greatly reduce the chances that it will happen.
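
As an added example (not from the original essay) of the kind of rate check a firewall or IPS applies to incoming traffic, the following Python script counts requests per source over a sliding window in constructed web server access-log lines and flags both a single-source flood and a distributed one where no single source stands out. The addresses, log lines and thresholds are assumed for illustration.

```python
"""Rate-based flood detection over web server access logs.

Added example, not part of the original essay: it counts requests in a
sliding time window over Common Log Format lines and raises a "dos"
alert when one source exceeds a per-source limit, and a "ddos" alert
when the aggregate request count exceeds a site-wide limit while no
single source stands out. The log lines, addresses and thresholds are
constructed for illustration; real limits depend on the site's normal
traffic and belong in the firewall or IPS policy.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (timestamp, source address) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def detect_floods(lines, window_seconds=5, per_source_limit=20, total_limit=30):
    """Return sorted (kind, source, peak_count) alerts found in the log lines."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    window = deque()        # (timestamp, ip) events inside the current window
    per_source = Counter()  # requests per source inside the window
    alerts = {}             # (kind, source) -> highest count seen
    for ts, ip in events:
        window.append((ts, ip))
        per_source[ip] += 1
        # Slide the window: drop events older than window_seconds.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            _, old_ip = window.popleft()
            per_source[old_ip] -= 1
            if per_source[old_ip] == 0:
                del per_source[old_ip]
        if per_source[ip] > per_source_limit:
            # One source alone is hammering the server: classic DoS.
            key = ("dos", ip)
            alerts[key] = max(alerts.get(key, 0), per_source[ip])
        elif len(window) > total_limit and max(per_source.values()) <= per_source_limit:
            # Too many requests overall, but spread thinly: distributed flood.
            key = ("ddos", "*")
            alerts[key] = max(alerts.get(key, 0), len(window))
    return sorted((kind, src, count) for (kind, src), count in alerts.items())


def _line(ip, ts):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: normal browsing, then a single-source flood, then a distributed one."""
    base = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Six requests from one legitimate visitor, ten seconds apart.
    for i in range(6):
        lines.append(_line("10.0.0.5", base + timedelta(seconds=10 * i)))
    # DoS: one source sends 30 requests within three seconds.
    for i in range(30):
        lines.append(_line("203.0.113.9", base + timedelta(minutes=5, seconds=i // 10)))
    # DDoS: 40 distinct sources send one request each within four seconds.
    for i in range(40):
        lines.append(_line(f"198.51.100.{i + 1}", base + timedelta(minutes=10, seconds=i // 10)))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for kind, source, count in detect_floods(SAMPLE_LOG):
        print(f"{kind.upper():5} source={source:<12} peak={count} requests in 5s")
```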
System vulnerabilities
System vulnerabilities are another area where many businesses suffer. In particular, email servers can cause a lot of issues for companies if not set up correctly. If an email server is set up by someone who does not know best practices for installing email servers, the server is often abused by hackers, who use it as an SMTP relay server. Your organization’s email server is then used to relay emails from someone outside your organization to hundreds, maybe even thousands of people, commonly referred to as spam. This problem can be prevented by turning off the relay option on the server.

An email server can be the lifeblood of a company, because of the important nature of email and its constant use during the day. If proper backup and restore procedures are not in place, an organization could be crippled if its email server goes down. Again, having someone who knows the proper procedures can save a company a lot of time and lost productivity.

Take Microsoft Exchange as an example of an email server: the organization using it most likely will not be using the IMAP and POP3 protocols that are running by default. By disabling these protocols, the server becomes less penetrable from outside hackers. If the protocols are left running, they create unnecessary open doors for hackers to access. Insider threats can also be an issue when it comes to email. Employees could be sending out insider secrets through the email server, and the organization may never know it. Installing a security appliance that monitors outgoing email will help remove this risk. Last, email servers receive emails from all sorts of sources, including many that are unwanted. Viruses, malware, and spyware can be contained in emails on the server.

Configuring antivirus software to scan the right files to prevent viruses from spreading, while not scanning other areas that could corrupt the email server database, is also a crucial step when configuring Exchange. Bottom line: setting up an email server should be done by someone who knows the intricacies of the software.
Logical vulnerabilities
Logical vulnerabilities relate to things like installed software, operating systems, etc. Problems with virus protection on client and server computers can be included here. Not configuring antivirus software correctly, or worse, not having antivirus software installed at all, can cause major problems on a network. Network slowness, erratic behavior on servers or clients, and pop-ups are some of the signs that one or more systems may be infected with a virus.

Another common area that gets overlooked is keeping up with software and operating system updates and patches. Though running updates for a system is an easy and quick procedure, the steps are often overlooked because of bigger IT problems that need to be taken care of. Holding off on updating software may not cause problems initially, but in the long run it can cripple organizational functionality. Some companies hold off on running updates and patches for fear that a bad patch will take down systems. This can be mitigated in several ways. First, keep client machines with similar hardware and software configurations, so that tests can be run on a similar system before changes are applied to production computers. Second, install something like Windows Server Update Services (WSUS). This server downloads all Microsoft updates to itself and then pushes them out only when an administrator gives the go-ahead. This allows administrators to hold the updates for a week or so to make sure that no complaints about those updates arise on the Internet.
