Table of Contents
1. Introduction 2
2. Define principles of information security 3
2.1 Information Security Definition 3
2.2 Information Security Principles and Aims 3
2.3 Policies 4
2.4 Standards and Procedures 4
2.5 Baselines and Guidelines 5
3. Develop information security policy 6
3.1 Security risks to Polytechnic Research Hub (PRH) 6
3.2 Risk Management Strategy 6
3.3 Security position 8
3.4 Developing best practice policy 9
3.5 Controls and Solution to risks 10
4. Conclusion and Recommendations 12
5. References 13
6. Appendix 14
6.1 Reference List 14
6.2 Diagrams 15
SayedQasim Alsharkhat 201400937
1. Introduction
The aim of this report is to give background and an explanation of information security and to analyse some of its sub-topics. The meanings and definitions are then used to discuss the Polytechnic Research Hub (PRH) case and the risks to the building. Recommendations and solutions are provided in the report.
The first section of this report covers the definition of information security, its principles and the CIA triad. It also focuses on the main components of information technology policies, methods and algorithms.
The next section covers the case study of Polytechnic Research Hub (PRH): security risk management and awareness are discussed, along with the level of each risk and the solutions, in terms of policies and controls, to be applied.
Finally, the report lists recommendations and a conclusion based on the security risk levels to solve the problems; an appendix and references are included at the end of the report.
Confidentiality:
As the word itself suggests, confidentiality is about whether information can be trusted to be shared with particular users. It governs the visibility of data to different users, which depends on the permissions that have been set and the classification of the data, and it ensures that only trusted and authorised people have access to the data; this is how the company can be confident about its data and ensure its confidentiality. The methods companies use include access controls, encrypting data and classifying information.
Integrity:
The main idea of this principle is to deal with the accuracy of data by tracking changes to the information and making sure it has not been modified as it moves from one location to another.
Taking backups to restore corrupted data is one implementation of this principle; access controls and checksums are other ways to implement integrity.
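As an added example (not part of the original report), the following Python script shows how checksums implement the integrity principle described above: it records a SHA-256 hash of every file under a directory in a manifest, signs the manifest with an HMAC key so that the manifest itself cannot be silently altered, and later reports which files were modified, deleted or added since the baseline. The directory contents, file names and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC over a canonical JSON encoding; detects edits to the manifest itself."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict[str, str], key: bytes, signature: str) -> bool:
    """Constant-time comparison so the check does not leak the expected value."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state with the recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, then verify."""
    key = b"constructed-demo-key-keep-real-keys-out-of-source"  # assumption, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "policy.txt").write_bytes(b"Monthly backups are required.\n")
        (root / "config" / "firewall.conf").write_bytes(b"outgoing: deny\n")

        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)

        # Simulated changes between the baseline and the later check.
        (root / "config" / "firewall.conf").write_bytes(b"outgoing: allow\n")  # modified
        (root / "policy.txt").unlink()                                          # missing
        (root / "notes.txt").write_bytes(b"added later\n")                      # unexpected

        # The manifest must be trusted before its hashes mean anything.
        assert manifest_is_authentic(manifest, key, signature)
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of signing the manifest (and, in practice, keeping it and the key away from the hosts being checked) is that an attacker who can rewrite a file can usually rewrite a plain hash list next to it; a checksum only proves integrity relative to a baseline the checker can trust.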
Availability:
This last principle mainly deals with maintaining the system software, operating system and hardware. It makes sure that authorised users, those who have the permission, are able to access the data, and it confirms that the data is available, accessible and ready to use whenever needed.
Keeping the system updated is one way to implement the availability principle; recovery plans that take regular backups are also important to avoid problems with losing data.
2.3 Policies
Policies are basically information and instructions issued by the management of the company to the employees and other people connected to the company. These instructions must be followed to make sure the company is safe, to solve issues and to deal with situations; they also help employees make present and future decisions. In another form, policies are also called business rules.
Information security policies differ from one company to another, but on the other hand there is a general policy document containing statements and policies that most companies apply.
These general policies might include:
Finally, policies can be divided into many areas, such as firewall, authentication, access, human resources, maintenance and accountability.
Guidelines lead the company in managing its security system. For example: guiding employees to shut down their computers and lock their office doors when leaving the company, and, to avoid cyber-attacks and threats, keeping the system updated and applying anti-virus software and a firewall.
Employees should be kept aware of all the security rules, methodology and guidelines they need to follow, and in case of any problem they should report it directly.
All of these security risks are discussed in detail below, where each risk is described and given a level according to the risk management strategy.

Risk: One security guard for each building
Level: High
Description: The company is taking a risk by having only one security guard for each building; physical protection should be improved to protect the company's data and assets.

Risk: The location near the car parking and the public road
Level: High
Description: The company is located next to an open area where visitors and guests can freely access the research department, which could represent a threat to the company's data.

Risk: Outgoing traffic is allowed by the firewall
Level: Critical
Description: Attackers may take the chance to attack the company because outgoing packets from the internal network are allowed through.

Risk: Users have access to most of the company's data
Level: Medium
Description: In this situation there is no confidentiality in the company: users can access information unrelated to their work, which makes the system vulnerable.

Risk: The web server is directly connected to the internet
Level: Critical
Description: This means the company is using a public IP address, which makes it much easier for an attacker to attack the system and the web server.

Risk: The use of the E1 connection for the corporate network
Level: Medium
Description: Any visitor or employee could connect to the company network by plugging into the internet wiring, which makes the company's network easily accessible.

Risk: Guests can move between the buildings freely
Level: Critical
Description: This is a huge risk taken by the company, where any visitor can enter a forbidden room and access the company's data and information.

Risk: The use of a single network internally
Level: High
Description: This means there is no backup route connected, so the connection flow is at risk if one connection fails,
Also, there are different assets in the company that can be targeted by attackers and hackers, which are divided into two categories: tangible and intangible assets.
Tangible: this includes the servers, such as the database, email, infrastructure, file and specialised servers. Desktop computers and specialised production equipment could also be attacked.
Intangible: the intangible assets of the company are the company's information and assets that can be accessed through the computers, which can lead to access to the storage servers located in the building.

Asset: Programs
Threat: The possibility of getting hacked.

Asset: Office Building
Threat: The research department is near a public road and car park, which could cause a potential threat.

Asset: Production Equipment
Threat: Exposure to theft and damage.
Furthermore, the company can improve some security features by improving the firewall to block outgoing traffic. Also, encrypting the messages sent around the company network would be a very good security function and make the company's security harder for hackers to break.
Maintenance Policy
- There should be a monthly backup of the company's system information.
Access Policy
- Visitors should not be allowed to access special rooms such as the server room of the company.
- The only people who should have access to the server room are the networking department employees.
Accountability Policy
- Each employee should make sure to shut down their computer before leaving.
- The company should take security procedures against employees if they damage equipment or breach information.
- Employees should take responsibility for maintaining the information security of the company.
Authentication Policy
- Each user and employee should have a user name and password to avoid any unauthorised access.
- Business partners should have access only to the rooms needed while there is work between both companies.
- For access to confidential rooms, the company should implement fingerprint readers to avoid unauthorised access.
- Technicians should be hired to carry out a monthly review of the system status.
- The company should hire 2 security guards.
- Each guard should take responsibility for the security of one floor.
Physical controls: the server room in the company should be locked to avoid any unauthorised access; also, hiring 2 security guards, each responsible for one floor in each building, will make the buildings safer than before.
Networking controls: the company should divide the network according to the departments in the company.
Preventive controls: providing a standby power supply in case of a power outage.
Corrective controls: restoring backups if there is a failure in the system, and restoring the system to its normal state.
Security controls: the company should make sure to keep the system updated.
Procedural controls: employees should take responsibility for the information technology and collaborate with each other to improve the company's security.
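The firewall control (blocking outgoing traffic, raised earlier in the report) and the networking control above (dividing the network by department) can be checked as a policy before anything is deployed. The Python model below is an added example, not code from the report or from PRH; the subnets, host addresses, ports and rule set are assumptions constructed to model the scenario. It contrasts the report's current state, in which every outgoing packet is allowed, with a default-deny policy that permits only named flows, and runs a handful of constructed flows through both.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for the PRH scenario (the report gives no network plan).
INTERNAL = ip_network("10.0.0.0/8")
RESEARCH = ip_network("10.10.0.0/16")     # research department segment
FINANCE = ip_network("10.20.0.0/16")      # finance department segment
SERVERS = ip_network("10.100.0.0/24")     # server room segment
RESOLVER = ip_network("10.100.0.53/32")   # internal DNS resolver
PROXY = ip_network("10.100.0.80/32")      # outbound web proxy
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(rules: list[Rule], flow: Flow, default: str) -> str:
    """First matching rule wins; flows matching nothing get the default action."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.dport in (None, flow.dport):
            return rule.action
    return default


# Current PRH state described in the report: all outgoing traffic is allowed.
PERMISSIVE_RULES: list[Rule] = []
PERMISSIVE_DEFAULT = "allow"

# Hardened state: default deny, explicit allows only, departments kept apart.
HARDENED_RULES = [
    Rule("allow", INTERNAL, RESOLVER, 53),   # DNS only via the internal resolver
    Rule("allow", INTERNAL, PROXY, 8080),    # web browsing only through the proxy
    Rule("allow", PROXY, ANY, 443),          # the proxy alone reaches the internet
    Rule("allow", RESEARCH, SERVERS, 445),   # research staff reach the file server
    Rule("allow", FINANCE, SERVERS, 445),    # so do finance staff
    # No research <-> finance rule: the deny default keeps the segments apart.
]
HARDENED_DEFAULT = "deny"

# Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = {
    "dns to internal resolver": Flow("10.10.1.20", "10.100.0.53", 53),
    "direct https to internet": Flow("10.10.1.20", "198.51.100.7", 443),
    "odd port to internet": Flow("10.10.1.20", "203.0.113.9", 6667),
    "research to finance db": Flow("10.10.1.20", "10.20.3.4", 3306),
    "proxy to internet": Flow("10.100.0.80", "198.51.100.7", 443),
}


def audit(flows: dict[str, Flow] = SAMPLE_FLOWS) -> dict[str, tuple[str, str]]:
    """Decision of the (permissive, hardened) policy for each named flow."""
    return {
        name: (
            evaluate(PERMISSIVE_RULES, flow, PERMISSIVE_DEFAULT),
            evaluate(HARDENED_RULES, flow, HARDENED_DEFAULT),
        )
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for name, (before, after) in audit().items():
        print(f"{name:28s} current={before:5s} hardened={after}")
```

With a deny default, research-to-finance traffic and direct workstation-to-internet traffic are blocked without any explicit deny rule; every new business need has to be added as a named allow rule, which is the least-privilege posture the controls above are asking for. Flows the hardened policy rejects are also the ones worth logging, since they show where the current open configuration is actually being used.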
Risk: The firewall allows outgoing traffic
Solution: Set a firewall policy, filtering and firewall blocking (Technical controls)

Risk: The accessibility of most of the data to the users
Solution: Make the access limited (Authentication policy)

Risk: The usage of VPN by the business partners and the employees
Solution: Set limits for both employees and business partners (Authentication policy)

Risk: The visitors can move around the buildings freely
Solution: Set fingerprint readers for the special rooms (Authentication policy); set access limits for the visitors (Access policy); set locks for all the rooms (Physical controls)

Risk: One security guard for both buildings
Solution: Increase the security by hiring more guards (Human resources); set two guards in one building (Physical controls)

Risk: The usage of a single network
Solution: Divide the network around the company departments (Networking controls)

Risk: The location of the research department
Solution: Set fingerprint readers for access (Authentication policy); set access limits for the visitors (Access policy); set locks for the room (Physical controls)

Risk: E1 connection
Solution: Employees should take the responsibility (Procedural controls); set limits for the visitors to access (Access policy)
My recommendation for the company is to follow the controls and policies in order to solve all the security problems, especially to use the firewall to block all outgoing traffic. The company should also solve the problem of allowing guests to move freely around the buildings, which can cause many security issues; access controls should be implemented to solve the authentication issues. On the other hand, private addressing should be implemented on the company network rather than using public addressing, which exposes it to hackers.
Physical security is very important for the company: it should hire more security guards to improve its physical security, with two guards responsible for each building, which will make a thief's job very difficult.
The company should follow the recommendations, policies and controls in order to have a safe place and safe information. Implementing the recommendations, policies and controls will lead the company to a bright, safe and successful future, as security is very important for all companies around the world.
5. References
Beaver, K. (2015). The Importance of a Security Culture Across the Organization. Security Intelligence. Retrieved 14 October 2017, from https://securityintelligence.com/the-importance-of-a-security-culture-across-the-organization/
Brink, D. (2017). A Strategy Map for Security Leaders: People, Processes and Technologies. Security Intelligence. Retrieved 12 October 2017, from https://securityintelligence.com/a-strategy-map-for-security-leaders-people-processes-and-technologies/
Perrin, C. (2008). The CIA Triad. TechRepublic. Retrieved 17 October 2017, from http://www.techrepublic.com/blog/it-security/the-cia-triad/
Rouse, M. (2014). What is confidentiality, integrity, and availability (CIA triad)? WhatIs.com. Retrieved 14 October 2017, from http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
Seacord, R. (2011). Top 10 Secure Coding Practices. CERT Secure Coding Standards. Retrieved 14 October 2017, from https://www.securecoding.cert.org/confluence/display/seccode/Top+10+secure+coding+Practices
Wood, C. (2005). Information security policies made easy, version 10. Houston, TX: InformationShield.
6. Appendix
6.2 Diagrams
Level: Low
Description: The damage to the business systems is not very harmful. It is not high priority, but it should be discussed.

Level: Medium
Description: These risks should be solved after the high-priority risks; in this situation, the attacker would obtain important information that helps them during the attack.

Level: High
Description: At this level the attackers gain access to the company's data and information; the company should take fast action to solve these risks unless there are other critical risks.

Level: Critical
Description: In this situation a real and effective hazard has been caused by the attacker, who holds very sensitive information that will cause harmful effects on the company; these risks should be dealt with immediately.