The case study company has provided you with the flexibility to identify many different information systems that are used by the employees. Some systems need strict access control while others should
0 Week 1: Introduction to Information Security Course Name and Number Project Name Student Name Date Table of Contents 2 2 Project Outline and Requirements 2 Organization Description 2 Project Requirements 3 Introduction to Information Security 3 The Need for Information Security 4 Potential Issues and Risks for Wi-Fi Environments and Cloud Technology 4 Security Concerns of letting Consultants to Work onsite 5 A Review of the Sarbanes-Oxley Requirements 7 Security Assessment (Week 2 TBD) 7 7 Access Controls and Security mechanisms (Week 3 TBD) 8 8 Software and Database Security (Week 4 TBD) 9 9 Network Security (Week 5 TBD) 10 References 11 Project Outline and Requirements Organization Description Trimart is a retail company based in San Jose, California. Since Trimart started expanding its retail business to other cities besides San Jose, it has faced new challenges in security management as new gateways that expose its intellectual property develop. The company has employed more than 200 employees and is looking to increase its IT infrastructure capacity to ensure there are no gaps in the business processes. Project Requirements Although the company has carried out due diligence to understand the industry and the various cyber-security threats that exist, it has not achieved the standards that authorities demand (Westerner et al., 2019). It has, therefore, created a task force to identify policies and regulations the business has not attained in security management to ensure potential risks are minimized. The project will focus on the process of identifying and implementing the right Cloud computing framework to guarantee cybersecurity. Introduction to Information Security The process of risk management for Tri-mart retail company involves controlling the negative effects of natural catastrophes such as earthquakes and guaranteeing that all employees and customers will interact and remain vital stakeholders to achieve objectives set (Westerner et al., 2019). Therefore, information security enhances defense against potential risks of rogue employees, malware, traffic interception, and phishing attacks. The Need for Information Security Since the company will have an online presence to cater to online shoppers, it will try to mitigate attacks by Cybersecurity criminals who want to steal customers’ information such as address or credit card information (Lee et al., 2016;Gangwar, 2017). Therefore, the new project will help educate employees on proper online practices and guarantee that teams working in remote places will remain effective in their work. Data will also be effectively consolidated and help Tri-mart in its expansion plans. Therefore, the core functions of the management will get enhanced, and less time and resources will be used to guarantee information security. Growth and profits will grow as a result. Potential Issues and Risks for Wi-Fi Environments and Cloud Technology The limited visibility and monitoring in the network operations might lead to illegal transactions that might undermine the company’s growth. The risks associated with data loss are not completely eliminated; therefore, the business should remain alert (Gangwar, 2017; Boiko et al., 2019). Compliance by regulatory bodies is becoming stringent, leading to periodic upgrading that might increase costs. There is a risk that a cloud vendor might not reach the quality standards. Therefore, due diligence procedures are necessary. Security Concerns of letting Consultants to Work onsite The project will face several challenges regardless of the number of experts and consultants placed on site. Although the “Pay as You Go” model will offer opportunities to reduce costs by vendors, there are surprise gaps that will increase costs. Therefore, cost management is a challenge that consultants will look out for. Interoperability and Flexibility are features that the company is looking to have in the project (Boiko et al., 2019). Therefore, changing one cloud solution to another will be easy, and information security features will achieve the demanded quality. Therefore, the consultants have to have the required level of knowledge and expertise to ensure quality is achieved and costs and maintained. The recent IPO will increase the demands and expectations of stakeholders; therefore, the company has to sustain a positive image to the public. Investing in an Information Security framework that guarantees open and transparent financial reporting is the most important goal (Kim et al., 2017). Compliance with all the legal needs remains a priority; otherwise, the expansion and growth objectives will be kept on hold. The distractions caused by an IPO process might open gateways for IT attacks. A Review of the Sarbanes-Oxley Requirements Security Assessment (Week 2 TBD) Access Controls and Security mechanisms (Week 3 TBD) Software and Database Security (Week 4 TBD) Network Security (Week 5 TBD) References Boiko, A., Shendryk, V., & Boiko, O. (2019). Information systems for supply chain management: uncertainties, risks and cyber security. Procedia computer science, 149, 65-70. Gangwar, H. (2017). Cloud computing usage and its effect on organizational performance. Human Systems Management, 36(1), 13-26. Lee, C., Lee, C. C., & Kim, S. (2016). Understanding information security stress: Focusing on the type of information security compliance activity. Computers & Security, 59, 60-70. Oh, K. W., Jeong, S. W., Kim, S. M., & Yoo, S. W. (2017). The Effect of IPO Risks on Auditors’ Decisions: Auditor Designation Case. Australian Accounting Review, 27(4), 421-441. Wulf, F., Strahringer, S., & Westner, M. (2019, July). Information security risks, benefits, and mitigation measures in cloud sourcing. In 2019 IEEE 21st Conference on Business Informatics (CBI) (Vol. 1, pp. 258-267). IEEE.
The case study company has provided you with the flexibility to identify many different information systems that are used by the employees. Some systems need strict access control while others should
Week 2: Security Assessment Course Name and Number Project Name Security Assessment Student Name Date Risk Associated with Company Application and Resources A description of typical assets The company’s specific information security (IS) asset include information system hardware, including servers and desktops, laptops, mobiles, and internet of things devices. These are systems that have direct access to the private network. A private network is any link within a specific network with constraints in place to create a secure environment. Furthermore, the firm has other IT assets such as software used by the program in the computer system, digital information, which consists of data assets, and a Guest Wi-Fi Network. The typical assets are linked to a demilitarized zone (DMZ), which is a perimeter network that protects and provides extra levels of security to an organization’s internal local area network from untrusted traffic (Dart et al., 2014). Current risk in the organization with no network segregation The common network allows computers in the demilitarized zone (DMZ) to access all other systems on the network and vice versa, defeating the purpose of having isolated segments (Dart et al., 2014). The company’s inadequately safeguarded quest Wi-Fi network exposes the company to security risks by allowing access to the internal network (Sundaram et al., 2019). This vulnerability allows attackers to search the internal range and identify the fingerprints of running services. A shared network can expose an organization to security risks, especially if insecure peer-to-peer file sharing is used. The operating system provides less protection when exchanging files from one machine to another within the same network. As a result, network-aware worms and viruses will use unprotected shared folders to spread from one system to the next within a LAN or WAN. The company’s assets are not effectively protected because the corporation may not have a robust password policy, making it easy for a hacker to guess. Corporate laptops are frequently connected to various networks, including client networks, exposing company assets to security risk. When the computer is connected to a less secure internet connection or dial-up internet connection, hackers can bypass any server-level safeguards, exposing the corporate network to email-borne worms, Trojans, and viruses (Sundaram et al., 2019). Finally, possible big security concern is an unpatched corporate server with a server system that is either open to the internet or has no direct access to the internet. The company may employ free client software such as internet explorer, outlook express, and outlook, which feature security vulnerabilities that can be exploited by a vast number of variations on a worm or viral code (Sundaram et al., 2019). The variants will usually slip by anti-virus software for a few days before anti-virus makers add their signature to their program. Security risk that new consultant network will create The organization would like to provide a flexible method for the consultant to connect to the network in order to complete his risk model. The flexible option for consultants who want to connect to the network outside of the common shared network only exposes the corporate system to warm and viral code viruses from their network system. Warms may use the internet connection and client software to infect the company’s corporate assets. How to test for risk and conduct a security risk assessment The security testing will be organized around essential elements such as assets, which are items that must be safeguarded, such as software applications and computer infrastructure, threats, and vulnerabilities, which are activities that can damage an asset or weaknesses that can be exploited (Landoll, 2021). Security testing processes include vulnerability scanning to detect software components and analyze vulnerabilities in order to identify risks to the enterprise and assist with remediation. Penetration testing can be used to evaluate existing security by simulating a real-world assault on an application, program, system, or network. The testing makes it simple to uncover unknown vulnerabilities, such as zero-day threats and business logic flaws. Also, performing web application security testing is necessary to detect whether a web application is attackable. This testing strategy will identify system vulnerabilities and faults and investigate the success of exploiting these issues. Configuration scanning can be used to detect the software, network, and computing system misconfigurations (Landoll, 2021). The risk identified through the outlined process will be analyzed to determine how frequently the threat may occur. The risk is evaluated to see if it falls within the predetermined level of acceptable risk and then responds to using existing controls by accepting, mitigating, transferring, or terminating the risk (Landoll, 2021). The decision will be made based on the level of risk discovered. Regular visits are required to ensure that vulnerabilities are discovered on time, and that suitable measures are put in place to prevent them. Risk Mitigation Risk mitigation measures that can be done include adding more hardware or software firewalls that will block and discard any unexpected traffic entering the network. Install an application like zone alarms to detect any unusual outgoing traffic; however, this must be done on each individual workstation (Taha et al., 2016). Another risk-mitigation strategy is to conduct regular risk assessments to identify vulnerabilities. Once frequent assessments are performed, it will be feasible to identify any weaknesses in the organization’s security controls and provide insight into the assets that must be secured. The firm should think about deploying firewalls and antivirus software, which entails installing security solutions such as firewalls and antivirus software. The company should also consider developing a patch management schedule. The proper patch management plan assists the company’s IT security team remain one step ahead of attackers (Taha et al., 2016). Proactively monitoring network traffic and having an incident response strategy in place will make employees aware of what they must do in the case of a data breach or attack. References Taha, A. F., Qi, J., Wang, J., & Panchal, J. H. (2016). Risk mitigation for dynamic state estimation against cyber attacks and unknown inputs. IEEE Transactions on Smart Grid, 9(2), 886-899. Dart, E., Rotman, L., Tierney, B., Hester, M., & Zurawski, J. (2014). The science DMZ: A network design pattern for data-intensive science. Scientific Programming, 22(2), 173-185. Landoll, D. (2021). The security risk assessment handbook: A complete guide for performing security risk assessments. CRC Press. Sundaram, J. P. S., Du, W., & Zhao, Z. (2019). A survey on Lora networking: Research problems, current solutions, and open issues. IEEE Communications Surveys & Tutorials, 22(1), 371-388.