Security Policies and Security Design Project for World-Wide Trading Companys

Abstract

In this paper, the author provided a security policy and guideline for World Wide Trading Companys (WWTC) network system. The firm is opening a new firm in New York City. A network design has already been designed by a consultant, and this guideline was aimed at providing security for the same. It was found that information is one of the most valuable assets held by WWTC. The asset needs to be protected by adopting the proposed security guideline. The firm holds sensitive data that may be used by intruders to compromise the operations of the company. A total of 12 policies were identified for this guideline. They include, among others, the use of 802.11 encryption, adoption of IPSec-based VPN, and use of strong passwords. The protocols will be used to deal with 4 primary attack categories that were identified. The attack categories include reconnaissance attacks, access attacks, DoS, and the use of worms, viruses, and Trojan horses. Three clusters of security control guidelines will be used to support the effective implementation of the current security guideline. They include management, technical, and operational controls. For the effective implementation of this security guideline, 4 recommendations are made. To this end, WWTC should establish and update its security policies and practices, design for security, logically separate internal networks, and restrict unnecessary protocols.

Key words: security guidelines, security policies, LAN, WLAN, VoIP

Security Policies and Security Design Project for World-Wide Trading Companys: LAN, Wireless, and VoIP Network

Introduction

Background Information

World-Wide Trading Company (WWTC) is a large online brokerage firm located in Hong Kong, China. The company has more than 9000 employees located in different parts of the world where it has its operations. Recently, the brokerage firm has recorded tremendous growth in its business. As a result, the management intends to establish a regional office in New York City. To this end, the company has leased an entire floor in a building on Wall Street. The director of the IT Department has been tasked by the President of the company to set up a state of the art network by the end of 2018.

Based on the technical and business goals of WWTC, the director of IT Department has designed a state of the art network at the Wall Street location of the company. In this paper, a network design that solves the current security audit problems identified in the New York branch is provided. In this security policies and security design for the firm, the author will specify organizational security policies, standards, procedures, and guidelines in compliance with appropriate laws and regulations. To this end, a network security design implementing the identified security policies will be laid out.

Objectives of the Security Policies and Security Design

The following are the objectives of the current network security design for WWTC brokerage firm:

Determine the most important assets of the company, which needs to be protected

Identify the general security architecture for WWTC

Develop a list of 12 specific policies to be used in the security policy document

Develop a high availability secure design for WWTCs Wall Street branch, which will address the identified considerations. The secure design will mitigate against 4 primary network attack categories.

Determine the specific roles of various devices in the security design

Come up with a high level network security design for WWTCs New York branch.

The Status of the Current Network Security at World Wide Trading CompanyIt is noted that WWTC has strong security requirements at other locations, such as those in the firms headquarters in Hong Kong. The requirements are made evident in the network diagram in Appendix 1. However, the new network design at the firms New York office will need to move to a significantly more secure level than what is currently available at the company. A number of security issues have been identified at the other locations, which will need to be addressed in the current design network. The issues include lack of strong authentication, data confidentiality, and the separation of internal protected server and public server.

A security audit at other WWTCs location has identified the following issues, which will be addressed in the proposed network security design:

Email has been used inappropriately at times to communicate business sensitive information

Confidential business information and public data in most locations are connected to the same physical network

End users systems had inappropriately housed confidential data, which should have resided only on servers. In addition, some of the end-user systems were found to be laptops, which had left the facility in clear violation of security policies.

Some logical control systems were found to rely on username and password combinations only

Some sensitive business information was found to be transmitted in clear text between server and client

The Most Important Assets that Need to be Protected at World Wide Trading Company

According to Phifer (2018), the identification of assets that require protection is a hectic task with regards to information security. In fact, some security experts regard this process as a less glamorous aspect of information security. However, to come up with an effective network security design, it is important to identify and classify the assets held by the company. It is the only way through which the current security plan will be able to determine the resources required to secure each of the assets (Paquet, 2013). As such, the director of WWTCs IT department will identify the assets of the company at its New York offices. Their location and value will be determined.

To come up with a clear picture of WWTCs assets, four steps were involved in the classification and control of the said assets. The first step entailed the identification of the assets. Here, the critical assets were identified, as well as their value to the company. To this end, the plan identified the assets that are critical and essential to the operations of the firm (Paquet, 2013). As such, the management will be able to take appropriate measures to identify the level of security to be provided in protecting the assets. The next step entailed the accountability of assets (Reisman & Ruebush, 2004). To this end, it is recommended for the management to have a fixed assets register for the purposes of accounting for these properties. However, this may be a bit difficult for information assets, which are the main focus of network security protocols. The reason is that there are various end users for these assets. However, it is the owner of the said asset who bears the responsibility of accuracy when it comes to the security of these assets.

The third step in the identification of WWTCs assets entailed the preparation of a schema for classification (Mookhey, 2018). The aim of this schema was to come up with classification levels of the assets identified. To this end, the confidentiality aspects of the identified assets were highlighted, including the level of access to the same among individuals working for WWTC. The value, time sensitivity, access rights, and destruction of the assets were identified. Finally, the fourth step entailed the implementation of the classification schema. The aim of this implementation is to ensure that a uniform protection is provided for the assets so identified (Mookhey, 2018). For instance, the firms network security design and security policies document was identified as a confidential asset, which should be protected against access from unauthorized third parties.

The major focus of this network security design is the protection of the firms information and communication technology (ICT) assets. To this end, four categories of assets, which need to be protected, are identified. A detailed list of the assets identified is provided in Appendix 2 (Equipment List) and Appendix 3 (Equipment Inventory). The lists include physical, services, software, and information assets. A detailed analysis of these assets is provided below:

Physical Assets

According to Reisman and Ruebush (2004), physical assets include the visible and tangible equipment owned by the company. The following are the physical assets that will be protected and covered in the current network security program:

Computer equipment

The equipment includes mainframe computers and servers owned by WWTC, and which will be used by the personnel in the New York office to carry out their activities. They also include desktops and notebook computers. Each of the employees working for the company will have access to a computer, either a laptop or a desktop. The employees also need to communicate with their colleagues within the building and in other locations using the computers, which brings on board the servers, which need to be secured.

Communication equipment

The communication equipment to be used by WWTC includes modems, routers, EPABXs, and fax machines. All of these physical assets need to be secured to enhance the operations of the firm.

Technical equipment

These are the equipments that provide technical support to the firms network. They include, among others, power supplies and air conditioners.

Storage media

Another form of physical asset that needs to be protected is the storage media to be used by the company. To this end, the network security program will protect the companys magnetic tapes, disks, CDs, and DATs among other forms of storage media.

Furniture and fixtures

The computers and servers will be mounted on desks and racks. Other fixtures that need to be secured include the server rooms and server farms, and the rooms within which the computers and other gadgets will be stored and located.

Information Assets

World Wide Trading Company has a wide...