
Follow the instructions and help me with this project?
ans 1.
Access review for physical,network,VPN,system,database, and
application
Physical security:-
a)The building, having the IT infrastructure, should full fill the
norms of government of the country.
it is necessary to deal with accidents such as
Fire,earthquake.
b)There should be a team of security personals headed by a security
officer to provide protection inside the company's premises.
c) There should a proper policy to cope up with the situation arose
after the physical attack.
e)each resource of the company should be uniquely identifiable
including employees(I cards of employees)
f)Monthly report(showing the status of resources) should be
generated(at departmental level) and verified by concerned
authorities
Network/VPN security:-
a)There should be proper installation of /anti virus/fire
walls/proxy servers/Intrusion detection system.(IDS).
b)Employee should not be allowed to use their own modem to get
internet connection(through their mobile phones)all the
communication should be allowed only through company's proxy
servers/firewalls.
c)Virtual private network(VPN)uses encryption,but communication
should be performed via company's proxy server/firewall
System security:-divide all the systems into groups,and every
group should be assigned to one person.
this person is supposed to communicate the status of every system
on monthly basis to the concerned authority.
Systems should be physically protected, and anti virus should be installed.
Database security:-The key person is database
administrator.there are two types of access control policies
1.Discretionary access control(DAC)
2.Mandatory access control(MAC)
MAC policy should be applied,because,according to this policy,
access rights are granted according to level of authority.
for example,a clerk should not be allowed to view the information
of company's budget.
the servers/machines having the database should be protected
(physically/logically).
data base should be protected against SQL injection, and other
types of attacks.
There should be proper arrangements for data backup and recovery.
Application Security:-Application, accessing the sensitive data,
should be protected.
important practices are
a)use only strong passwords
b)change passwords frequently and so on
ans 2
there should be a procedure to examine the list of terminated
employees.
a)such as reason behind the termination.
b)friendship between the terminated and currently working
employee.
it is required to avoid data theft/social engineering.
there should be a procedure to monitor the activities currently
working employees by maintaining the log.
any suspicious activity(employee spends more time on computer than
usual timings) should be reported immediately.
ans 3
a)audit should be performed by internal team as well as external
team(Internal/External Audit)
b)report of internal audit should be compared with the report
generated by the external audit.
c)analyze the variations.
all the above audits/reports should be well documented and signed by the concerned authorities.
Additional Requirements:
a)Training Programs
to educate the employees about security threats.
to educate the employees about cyber laws.
to educate the employees about IT ethics.
Important issue:
It is always difficult for IT Manager to convince the top
management to invest in security system.
IT manager should try to prove that the value of information/data
is much more than the price of security system.
Follow the instructions and help me with this project? Case Project 7-3: Quarterly Review of Access Rights As a consultant with the Security Advisors Co., you have been asked to develop a process for...