
1. Traditionally, managing IT security and physical security have been treated as
two separate domains. Why should they be integrated?
Advos, Inc. is the largest provider of direct mail advertising services in the United
States and the largest commercial user of United States Postal Service standard mail.
When we talk about the security of the Advos company environment, we must focus on both
physical and information security assets, because the company's requirements call for
integrating the two. Physical security emphasizes the protection of physical assets, personnel
and facility structures; this involves managing the flow of individuals and assets. IT security
focuses on the protection of information resources, primarily computer and telephone systems
and their data networks; this involves managing the flow of information into, out of and within
the facilities' IT systems, which includes human access to information systems and their
networks. So it is clear that these are two separate domains. It is true that many of the
physical and IT security processes and procedures must be integrated at the technology level,
but no technology defines the integration. The business processes and procedures define it, and
the technology implements it. That is why the first step in integrating physical and IT security
is an examination of the security-related business requirements and the physical and IT security
processes that support them. The integration of the business processes will determine the
integration of the physical security and IT technology more effectively.

2. Why is top management's awareness and support essential for establishing and
maintaining security?
It is a basic need for an organization to have support from high-level people such as the CIO
(chief information officer), CFO (chief finance officer), CEO (chief executive officer), etc.,
because they are the only people who have the authority to make the right decisions and to steer
the business aspects of the company toward the expected level of growth. The company's CIO, for
example, can make decisions on IT strategy and security within the organization and can provide
an effective solution to a problem.


3. Why should those responsible for leading the organization's security efforts be
placed high in the organizational chart?
With few or no security measures, there is no way to become a success. These security measures
cover physical, informational, personal (employees), organizational-level and project threats,
etc.; all of them are essential and should be considered high priority. Hence, the people
involved in those concerns should hold a high position within the organization, because no
organization wants to see unexpected risks at the end.


4. The first decision made by Advo's top management in the aftermath of the 9/11
attacks was to improve physical security. Why was attention focused on this
particular aspect of security?
Following the 9/11 attack, and with the public being scared by a looming cyber-attack on US
infrastructure, the US Homeland Security Secretary once again pushed Congress to pass
legislation allowing the government to have greater control over these threats.
In general, this decision should have been taken before the attack, but the government was not
aware that this type of physical attack was possible, and it created a hazardous situation for
the people of the country. So it became necessary to gain control over such threats in the
future, and Advos decided to take the initiative on this concern and made a few general security
rules for the physical security of the people of the country. Moreover, senior White House
members are also working on an executive order that would encourage companies to meet government
cyber-security standards.

5. What are the advantages and disadvantages of using consultants and third-party
organizations to provide security-related services? What reasons would a company
have for hiring consultants to provide guidance for its security efforts?
There are numerous advantages to using consultants and third-party organizations to provide
security-related services.
One advantage for Advos of using such services is that it would save money by having a
controllable expense, since the contract would be at a determined price for an already set
amount of time. Third-party security organizations and consultants would normally bid for a
contract to work for Advos, and the bidding process would allow the company to decide how much
it is willing to spend on security-related services. Also, the company would not be responsible
for providing health insurance, workers' compensation and insurance, or any other expenditures
for those employees, as these would all be handled by the security company.
Another advantage for Advos is that it can be more productive. The company would not have to
focus on security-related matters such as hiring, firing or training, which would allow it to
use its personnel more effectively to accomplish more. Ultimately, Advos would not have to hire
more employees and can use its current ones to oversee any aspect related to the security
services. This would free the company to focus on other aspects of the business.
There are also numerous disadvantages to using consultants and third-party organizations to
provide security services. One disadvantage for Advos of using such services is that it does
not have direct control of the personnel used by the security provider. Advos has no say in who
is hired or fired by the security company, nor in what kind of people it can hire. Therefore, I
can say that before agreeing to contract with a security provider, Advos would examine all of
the odds and ends of that company, including its hiring.


6. Why is it a good security practice to have few visitors in a reception area?
Every visitor is first met at reception and must come to reception before moving inside the
organization, where they are required to complete a few formalities. A few policies for
visitors to government departments as well as company premises are defined below:
a) All visitors are met by their employee sponsor at the time of check-in and sign two copies
of the Visitor Agreement.
b) Visitors cannot request information which does not belong to their visit, or which concerns
confidential work being performed.
c) All visitors must arrive at a designated check-in entrance only.
d) Visitors requiring access to areas controlled by swipe card access locks should arrange
temporary cards valid for a limited time.
e) Visitors are not permitted to take photographs inside the company's premises, unless
specifically discussed with the sponsoring employee.


7. Identify the security risks involved in allowing networked systems to be used by
large numbers of temporary employees who do not need to log in. What password
XXXXX should be implemented for stronger user authentication?

To control security threats to the network, there are network security guidelines for new or
temporary users, as listed below:
a) Users are responsible for exercising good judgment regarding the reasonableness of
personal use of the network.
b) All equipment should be secured with a password-protected screensaver with the
automatic activation feature.
c) The company's network administration desires to provide a reasonable level of privacy, but
users must be aware that the data they create on the corporate systems remains the
property of the company.
d) Passwords should be kept secure, and accounts should not be shared.
e) Unauthorized copying of copyrighted material for which there is no active license is
strictly prohibited.
Passwords should be strong for all employees, protected using encryption, and should not be
shared at all. In general:
A password should have at least one special character along with alphanumeric characters.
It should be case-sensitive.
The password should be sent over the network in encrypted form when users log in to their account.

8. How far away should a backup site be located from company headquarters?
What factors should be considered in determining the location of a backup site?
Planning the location of the backup and recovery site is an integral part of the overall process
of disaster recovery planning and business continuity planning. In today's volatile business and
political climate, many organizations are re-examining the importance that location plays in
developing a recovery site. Although there remains no single overriding standard, both the
federal government and private industry have developed new guidelines that can be helpful in
deciding the optimal distance between a data center and its recovery or backup site, based on
the various studies conducted over the past years. It is also clear that placing the recovery
site too far away from the main data center could be just as devastating as placing it too
close. Hence the distance depends on the business requirement, and the decision on how far away
or how close to locate the site should be made by taking all of the factors into account.

9. Advos believes that frequent audits help to ingrain a security mindset among
the company's employees. What other benefits are there to performing frequent
security audits?

If frequent audits of security concerns take place at Advos, there is less chance of an attack
that could cause a hazardous situation for the company. A few benefits of frequent audits are
described below:
They can assist in improving the security process for both physical and information
security.
Continuous monitoring also helps to prevent future attacks such as the earlier 9/11
attack.
Security workers work more effectively because of timely inspection of their
department.
Concerns are measured, and decisions can be taken by high-level authorities such as the
CIO, CSO, etc.
Employees or workers can feel that they are safe and that the company has been taking
initiatives and monitoring each and every activity.


10. Research the role of Software House in the Open Security Exchange (OSE).
What is the purpose of the OSE?
The purpose of the Open Security Exchange is to combine the disparate technologies that form
today's security infrastructures in order to optimize security investments and increase
operational efficiency. Effective security management results in accurate detection of threats
and attacks, consistent definition and enforcement of security policies, and enhanced
organizational collaboration.
The purpose of effective security management by OSE:
Support all of the technologies which comprise an organization's security infrastructure.
For example: OSE promotes the integration of physical and IT security.
Enable organizations in the private and public sectors to maximize organizational
security while optimizing efficiency. The OSE also promotes realistic specifications to
address all types of security issues or challenges.
Allow organizations to adopt best-practice security policies and procedures; this
also helps reduce the occurrence of organizational security incidents and contributes to
consumer confidence in using online transactions and ecommerce services.
