
SayedQasim Alsharkhat 201400937

Table of Contents
1. Introduction
2. Define principles of information security
2.1 Information Security Definition
2.2 Information Security Principles and Aims
2.3 Policies
2.4 Standards and Procedures
2.5 Baselines and Guidelines
3. Develop information security policy
3.1 Security risks to Polytechnic Research Hub (PRH)
3.2 Risk Management Strategy
3.3 Security position
3.4 Developing best practice policy
3.5 Controls and Solution to risks
4. Conclusion and Recommendations
6. Appendix
6.2 Diagrams

1. Introduction
The aim of this report is to give background on and an explanation of information security
and to analyze some of its sub-topics. The meanings and definitions are then used to discuss
the Polytechnic Research Hub (PRH) case and the risks to the building. Recommendations and
solutions are provided in the report.

First of all, the first section of this report covers the definition of information security,
its principles and the CIA triad. It also focuses on the main components of information
technology policies, methods and algorithms.

The next section of this report covers the case study of Polytechnic Research Hub (PRH):
security risk management and awareness are discussed, together with the level of each risk
and the solutions, in terms of policies and controls, to be applied.

At the end, the report lists recommendations and a conclusion based on the security risk
levels in order to solve the problems; an appendix and references are also included at the
end of the report.

2. Define principles of information security


2.1 Information Security Definition
Information security is one of the main aspects a company must implement, especially today,
when almost every company in the world depends on technology and its features to run the
business. Because all of their work depends on technology, the company itself faces threats,
and this is where information security comes in: its main and basic idea is to keep your
information safe and secure from threats and hackers. In other words, strategies are
implemented mainly to defend the company from any unauthorized access and to protect the
company's data, which comes from setting principles, controls and policies for the company
itself.

2.2 Information Security Principles and Aims


CIA refers to the Confidentiality, Integrity and Availability of information and data. These
are the three components on which the principles of information security depend and on which
security policies are based, and they are essential for any information security
implementation.

Confidentiality:
From the meaning of the word itself, confidentiality is about whether you are confident to share
the information with different users or not. It also manages the visibility of data to different
users; this depends on the permissions that have been set and on the level of visibility of the
data. It makes sure that only trusted and authorized people have access to the data, and this is
how the company can feel confident about the data and ensure its confidentiality. Some of the
ways companies achieve this are access controls, data encryption and information
classification.

Integrity:
In this principle, the main idea is to deal with the accuracy of data by keeping track of
changes to the information and its progress, and by making sure that the information has not
been modified on its way from one location to another.

Taking backups in order to restore corrupted data is one implementation of this principle;
access controls and checksums are other ways to implement integrity.
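The checksum idea in the paragraph above, as a worked example added here (it is not part of the original report): a SHA-256 manifest of a directory is taken as the baseline, and a later verification reports which files were modified, removed or added since then. The directory layout, file names and contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hex SHA-256 digest of a file, read in chunks so large files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Baseline: map every regular file under `root` (relative path) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def verify_manifest(root, baseline):
    """Re-hash the tree and report what changed since the baseline was taken.

    Returns (modified, missing, added): sorted lists of relative paths.
    A digest mismatch only says the bytes differ; whether a user, malware or
    disk corruption caused it is for the incident process to establish.
    """
    current = build_manifest(root)
    modified = sorted(p for p, h in baseline.items() if p in current and current[p] != h)
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added


def demo():
    """Constructed scenario: baseline a small tree, alter it, then verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "research"))
        with open(os.path.join(root, "research", "results.csv"), "w") as f:
            f.write("sample,value\nA,1.0\n")
        with open(os.path.join(root, "policy.txt"), "w") as f:
            f.write("visitors must be escorted\n")
        baseline = build_manifest(root)
        assert verify_manifest(root, baseline) == ([], [], [])  # untouched tree passes

        # Changes that happen between the baseline and the next check
        with open(os.path.join(root, "research", "results.csv"), "a") as f:
            f.write("B,9.9\n")                       # content altered
        os.remove(os.path.join(root, "policy.txt"))   # file removed
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("unexpected file\n")              # file added
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    modified, missing, added = demo()
    print("modified:", modified)   # ['research/results.csv']
    print("missing:", missing)     # ['policy.txt']
    print("added:", added)         # ['notes.txt']
```

The manifest is the trust anchor, so it must be stored where whoever can alter the files cannot also rewrite it (offline media or a signed copy); otherwise the check proves nothing. The check detects a change but cannot undo it, which is why the report pairs checksums with backups.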

Availability:
This last principle mainly deals with maintaining the system software, operating system and
hardware. It makes sure that only authorized users and users who have permission manage to
access the data, and it confirms that data are available, accessible and ready to use whenever
needed.

Keeping the system updated is one way to implement the availability principle; recovery plans
are also important, with regular backups taken to avoid any problems with losing data.

2.3 Policies
Policies are basically information and instructions issued by the management of the company to
the employees and other people connected to the company. These instructions must be followed
to make sure the company is safe, to solve any issues and to deal with situations; they also
help employees make present and future decisions. In another form, policies are also called
business rules.

Information security policies can differ from one company to another, but on the other hand
there is a general policy document with statements and policies that most companies apply.
These general policies might include:

1. A description of the people who are affected.
2. Policies from the management department to assist employees in making decisions when
required.
3. A statement that demonstrates the purpose of the policy.
4. Special conditions that lead the employees to clearly understand the policy terms.

Finally, policies can be divided into many areas such as firewall, authentication, access,
human resources, maintenance and accountability.

2.4 Standards and Procedures


Information security procedures exist to work with the CIA (Confidentiality, Integrity and
Availability) triad functions: to make information accessible only to authorized users, to
maintain modified information, and to make sure of the information's availability. Procedures
also consist of guidance and rules that help in implementing information security procedures.

2.5 Baselines and Guidelines


The main idea of baselines and guidelines is to avoid and prevent any unauthorized access to
the company's assets and information. This means defining all the operating procedures for the
different departments and also maintaining information security. Regulations are also provided
for the employees so that they follow the main guidelines.

Guidelines lead the company to provide security system management, for example by guiding
employees to shut down their computers and lock their office doors when leaving the company,
and, to avoid cyber-attacks and threats, to keep the system updated and to apply anti-virus
software and a firewall.

Employees should be kept aware of all the security rules, methodology and guidelines they need
to follow, and in case of any problem they should report it directly.

3. Develop information security policy

3.1 Security risks to Polytechnic Research Hub (PRH)


After analyzing the case, many risks were detected in Polytechnic Research Hub (PRH) that
affect its operations and security. Some of the risks are listed below:

1. There is only one security guard in each building to provide physical security.
2. All visitors with guest passes can move freely around the buildings.
3. Outgoing traffic originating in the internal network is not blocked by the firewall.
4. A single network is used internally.
5. The web server is directly connected to the internet.
6. All users have access to most of the data, whether it is required for their job or not.
7. The corporate network is accessed via VPN (Virtual Private Network).
8. An E1 connection is implemented in the company to connect to the corporate internet.
9. The building is located near a public road and a public park, and guests can freely enter
the building and access the research department.

All of these security risks are discussed in detail in the next section, where the level of
each risk is described as part of the management strategy.

3.2 Risk Management Strategy



Vulnerability: Using the VPN to have access to the corporate network.
Impact description: VPN implementation could be complex, and they will need a monitoring expert
for the status of the connection.
Threat level: Low

Vulnerability: One security guard for each building.
Impact description: The company is taking a risk by having only one security guard for each
building; the physical protection should be improved to protect the company's data and assets.
Threat level: High

Vulnerability: The location nearby the car parking and the public road.
Impact description: The company is located nearby an open area, where visitors and guests are
allowed free access to the research department, which could represent a threat to the company
data.
Threat level: High

Vulnerability: Outgoing traffic is allowed by the firewall.
Impact description: Attackers and hackers may take the chance to attack the company because
outgoing packets coming from the internal network are allowed.
Threat level: Critical

Vulnerability: Users have access to most data of the company.
Impact description: In this situation there is no confidentiality in the company, since users
can access information that is not connected to their work, which makes the system vulnerable.
Threat level: Medium

Vulnerability: The web server is directly connected to the internet.
Impact description: This basically means that the company is using a public IP address, where
it is much easier for an attacker to attack the system and the web server.
Threat level: Critical

Vulnerability: The use of the E1 connection for the corporate network.
Impact description: Any visitor or employee could connect to the company network by plugging
into the internet wire; by that, the company's network is easily accessible.
Threat level: Medium

Vulnerability: Guests can move between the buildings freely.
Impact description: This is a huge risk taken by the company, where any visitor can access a
forbidden room and access the company's data and information.
Threat level: Critical

Vulnerability: The use of a single network internally.
Impact description: It means that there is no backup route connected, which means the
connection and the flow are at risk if one connection falls down.
Threat level: High

There are also different assets in the company that can be targeted by attackers and hackers,
divided into two categories: tangible and intangible assets.

Tangible: this includes the servers, such as the database, email, infrastructure, file and
specialized servers. Desktop computers could also be attacked, as well as special production
equipment.

Intangible: the intangible assets of the company are the company information and assets that
could be accessed through the computers, which can lead to access to the storage servers
located in the building.

Asset: Threat
Programs: The possibility of getting hacked.
Desktop Computers: Possibility of getting hacked by attackers.
Information: Possibility of losing important information to hackers.
Servers: Possibility of getting damaged, and the risk of unauthorized access.
Office Building: The research department is near a public road and car park, which could pose
a potential threat.
Production Equipment: Exposure to theft and damage.
Manufacturing Buildings: Possibility of natural disasters such as floods damaging the
equipment.

3.3 Security position


There are some features the company can use to improve its security, which can be important
for the company's future. Some of these features are keeping the operating system used in the
company updated throughout the year and applying anti-virus software to the system to avoid
threats; the company can also improve security by implementing a Virtual Private Network.

Furthermore, the company can improve some security features by improving the firewall to block
outgoing traffic. Encrypting the messages on the company network would also be a very good
security function and would make the company's security harder for hackers to break.

3.4 Developing best practice policy


Firewall Policy
- Outgoing traffic should be blocked by the firewall.
- Filtering of segments and packets by the firewall should be applied to the company's
information.

Maintenance Policy
- There should be a monthly backup of the company's system information.

Access Policy
- Visitors should not be allowed to access special rooms such as the server room of the
company.
- The only people who should have access to the server room are the networking department
employees.

Accountability Policy
- Each employee should make sure to shut down his computer before leaving.
- The company should take security procedures against employees who damage equipment or
breach information.
- The employees should take responsibility for maintaining the information security of the
company.

Authentication Policy
- Each user and employee should have a user name and password to avoid any unauthorized
access.
- Business partners should have access only to the rooms needed while there is work between
both companies.
- For access to the confidential rooms, the company should implement fingerprint
authentication to avoid unauthorized access.

Acceptable Use Policy
- Any employee who causes damage to equipment should be punished.
- All employees have to make sure they use the company's equipment in the correct way.

Human Resource Policy
- Technicians should be hired by the company to carry out a monthly review of the system
status.
- The company should hire 2 security guards.
- Each guard should take responsibility for the security of one floor.
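The Access and Authentication policies above both come down to the same rule: a person gets only the permissions their job needs, and everything else is refused by default. The following example is added here to show that rule in code; it is not part of the original report, and the users, roles, resources and the over-privilege threshold are all constructed for the example. The account "dave" models the current state described in section 3.1, where one user can reach most of the company's data.

```python
# Constructed role model: permissions are (resource, action) pairs granted to a role.
ROLE_PERMISSIONS = {
    "researcher":    {("research_data", "read"), ("research_data", "write")},
    "hr":            {("hr_records", "read"), ("hr_records", "write")},
    "network_admin": {("server_room", "enter"), ("firewall_config", "write")},
    "visitor":       {("lobby", "enter")},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice":    {"researcher"},
    "bob":      {"hr"},
    "carol":    {"network_admin"},
    "guest-17": {"visitor"},
    # "dave" holds roles for several departments: the "everyone sees most data"
    # situation the report identifies as risk 6.
    "dave":     {"researcher", "hr", "network_admin"},
}

# Detective record of refused attempts (in-memory here; a deployment writes a log).
DENIED_LOG = []


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Default deny: unknown users, unknown roles and ungranted actions are all refused,
    and every refusal is recorded so repeated probing of a room or dataset is visible."""
    allowed = (resource, action) in permissions_for(user)
    if not allowed:
        DENIED_LOG.append((user, resource, action))
    return allowed


def audit_over_privileged(max_resources=2):
    """Periodic review: flag accounts that can reach more distinct resources than
    `max_resources`. The threshold is an example figure; a real review sets it per job."""
    flagged = []
    for user in sorted(USER_ROLES):
        reachable = {resource for resource, _ in permissions_for(user)}
        if len(reachable) > max_resources:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print(is_allowed("alice", "research_data", "read"))    # True
    print(is_allowed("alice", "hr_records", "read"))       # False
    print(is_allowed("guest-17", "server_room", "enter"))  # False
    print("over-privileged:", audit_over_privileged())     # ['dave']
    print("denied attempts:", DENIED_LOG)
```

Granting access through roles rather than to individuals is what makes the monthly review in the Human Resource Policy practical: the reviewer checks a handful of roles instead of every user, and an account like "dave" stands out immediately.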

3.5 Controls and Solution to risks


All the risks to Polytechnic Research Hub (PRH) have been identified and analyzed; the
solutions listed below will help the company avoid these security risks.

- Physical controls: the server room in the company should be locked to avoid any
unauthorized access, and 2 security guards should be hired, each responsible for one floor in
each building, which will make the buildings safer than before.

- Networking controls: the company should divide the network according to the departments in
the company.

- Detective controls: implementing detectors in the building, such as water detectors in the
basement that raise an alarm on water leaks such as flooding in the manufacturing building.

- Technical controls: implementing private network addressing and network address translation
(NAT), and making the firewall block outgoing traffic from the internal network.

- Preventive controls: providing a standby power supply in case of a power outage.

- Corrective controls: restoring backups if there is a failure in the system, returning the
system to its normal state.

- Security controls: the company should make sure to keep the system updated.

- Procedural controls: the employees should take responsibility for information technology and
collaborate with each other to improve the company's security.
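The Firewall Policy in section 3.4 and the Networking and Technical controls above describe three perimeter decisions: default-deny for traffic leaving the internal network, department-to-department separation on a segmented network, and publishing the web server through NAT instead of placing it on a public address. The example below is added here to show those three decisions as one small policy evaluator; it is not the company's configuration or any firewall product's code. The address ranges (10.20.0.0/16 internally, 203.0.113.10 at the edge), the department subnets and the egress allow-list are all constructed for the example, and the flows are checked offline against constructed packets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (documentation ranges, not PRH's real addresses).
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
DEPARTMENT_NETS = {                     # one subnet per department: a segmented network
    "research": ipaddress.ip_network("10.20.1.0/24"),
    "admin":    ipaddress.ip_network("10.20.2.0/24"),
    "servers":  ipaddress.ip_network("10.20.10.0/24"),
}
WEB_SERVER_PRIVATE = ipaddress.ip_address("10.20.10.5")   # web server behind NAT
PUBLIC_EDGE_IP = ipaddress.ip_address("203.0.113.10")     # the only public address

# Egress allow-list: (destination port, protocol) pairs the firewall lets out.
# Everything not listed is dropped (default deny), the opposite of the current PRH setup.
EGRESS_ALLOW = {(443, "tcp"), (80, "tcp"), (53, "udp")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def department_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in DEPARTMENT_NETS.items():
        if ip in net:
            return name
    return None


def egress_decision(flow):
    """Outbound policy: only allow-listed services may leave the internal network."""
    if not is_internal(flow.src) or is_internal(flow.dst):
        return "not-egress"           # handled by the segmentation rule instead
    return "allow" if (flow.dport, flow.proto) in EGRESS_ALLOW else "deny"


def segmentation_decision(flow):
    """Internal policy: a department reaches its own subnet or the server subnet, nothing else."""
    src_dep, dst_dep = department_of(flow.src), department_of(flow.dst)
    if src_dep is None or dst_dep is None:
        return "deny"                 # unknown or external endpoints never cross segments
    return "allow" if src_dep == dst_dep or dst_dep == "servers" else "deny"


def dnat_inbound(public_dst, dport):
    """Destination NAT: published web ports on the edge IP map to the private web server;
    any other port is not published, so no internal address is ever exposed for it."""
    if ipaddress.ip_address(public_dst) == PUBLIC_EDGE_IP and dport in (80, 443):
        return str(WEB_SERVER_PRIVATE)
    return None


if __name__ == "__main__":
    print(egress_decision(Flow("10.20.1.15", "198.51.100.7", 443, "tcp")))   # allow
    print(egress_decision(Flow("10.20.1.15", "198.51.100.7", 6667, "tcp")))  # deny
    print(segmentation_decision(Flow("10.20.1.15", "10.20.2.9", 445, "tcp")))   # deny
    print(segmentation_decision(Flow("10.20.1.15", "10.20.10.5", 443, "tcp")))  # allow
    print(dnat_inbound("203.0.113.10", 443))   # 10.20.10.5
    print(dnat_inbound("203.0.113.10", 22))    # None
```

The two halves reinforce each other: segmentation limits how far a compromised workstation can reach inside, and the egress allow-list limits what it can send out, so unexpected outbound connections become a detection signal rather than a silent path out.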

Risk: The firewall allows outgoing traffic.
Solution: Set a firewall policy with filtering and firewall blocking (Technical controls).

Risk: Web server connected directly to the internet.
Solution: Set a private address (NAT) (Technical controls).

Risk: Access to most of the data by the users.
Solution: Make the access limited (Authentication policy).

Risk: The usage of VPN by the business partners and the employees.
Solution: Set limits for both employees and business partners (Authentication policy).

Risk: The visitors can move around the buildings freely.
Solution: Set fingerprint access for the special rooms (Authentication policy); set access
limits for the visitors (Access policy); set locks for all the rooms (Physical controls).

Risk: One security guard for both buildings.
Solution: Increase the security by hiring more guards (Human resources); set two guards in one
building (Physical controls).

Risk: The usage of a single network.
Solution: Divide the network around the company departments (Networking controls).

Risk: The location of the research department.
Solution: Set fingerprint access (Authentication policy); set access limits for the visitors
(Access policy); set locks for the room (Physical controls).

Risk: E1 connection.
Solution: Employees should take the responsibility (Procedural controls); set limits on visitor
access (Access policy).

4. Conclusion and Recommendations

At the end, all the information security risks in Polytechnic Research Hub (PRH) have been
identified, and policies and controls have been set in order to solve all the problems and
improve security.

My recommendation for the company is to follow the controls and policies in order to solve all
the security problems, and especially to use the firewall to block all outgoing traffic.

The company should also solve the problem of allowing guests to move freely around the
building, which can cause a lot of security issues for the company; access controls should be
implemented in order to solve the authentication issues. On the other hand, private addressing
should be implemented on the company network rather than using public addressing, which causes
problems from hackers.

Physical security is very important for the company, which should hire more security guards to
improve it; two guards should take responsibility for one building, which will make thieves'
operations very difficult.

The company should follow the recommendations, policies and controls in order to have a safe
place and safe information. Implementing the recommendations, policies and controls will lead
the company to a bright, safe future full of success, since security is very important for all
companies around the world.


6. Appendix

6.2 Diagrams
Level: Description
Low: The damage is not very harmful to the business systems. It is not high priority, but it
should be discussed.
Medium: These risks should be solved after the high-priority risks; in this situation the
attacker would have important information which will help them during the attack.
High: At this point the attackers will gain access to the company's data and information; the
company should take fast action to solve these risks unless there are other critical risks.
Critical: In this situation, a real, effective hazard will have been caused by the attacker on
the company, where they will have very sensitive information that will cause a harmful effect
on the company; these are the kinds of risks the company should deal with immediately.
