Data Analysis
Introduction
The Scope section of these articles explain the outline of these articles with a primary focus of security in the corporate infrastructure. The majority of companies of any significant size practice what this research article has found. Internal Controls and Auditing inside the infrastructure of the company along with the Controls in place for the Information Technology Department are reviewed in this article based on the four companies outlined in previous articles.
Implementation Methodology Used at Neill, Taylor, Allen Companies and a higher education facility
Senior management at all of the companies under consideration constantly looks at the need
to protect sensitive data. During the initial stages of protection, each of these companies followed the same pattern of implementing Computer and Network Security.
Each of these companies developed policy and procedures to guide and deliver procedures for all technology professionals at all levels within the companies. With these members of the IT department looking at securing the data within the company, this became the starting point and first layer of securing information. The development of these policy and procedures created a foundation for the practices delivered by the companies. These companies developed the policy and procedures to guide their information technology professionals as a direct entry in the company wide policy and procedures. The Allen Taylor and Neill companies along with a higher education facility maintain an active and dynamic set of policy and procedures that can be changed on the “fly”. Each of these changes are passed through a former form of communication in order to get a level and uniform understanding of the policy and procedures that are put in place.
The following steps are from integral studies of these companies:-Policy and Procedures-Committees and Subcommittees used to monitor changes, constant updates and reviews by all members of the information technology team.-Risk Assessment-Value of product and client data, cost of breach. This assessment can give the company an idea of the risk of a breach.-Inventory-Inventory of software and hardware. Inventory allows for control of products and control of sensitive information.-Needs Assessment-Users and applications “Need to Know Basis Only”. This form of assessment allows for securing data at different levels based on rank or a hierarchal structure in the company.-Structure-Physical security and ideal topologies to meet performance needs and environmental controls. -Levels of Protection-Workstation-Antivirus software, operating systems updates and patches, application updates, VPN to servers, strong password protection-Private Servers-Antivirus software, operating systems updates and patches, application updates, VPN from workstations, Kerberos security, tokens and certificates, strong password protection-SNMP nodes-Password Protected SNMP manageable devices-Wireless Access Points-Wireless Encryption Protocols (8 bit minimum)-MAC filtering-Routers-Acceptable ports and sitesFirewalls-Acceptable ports and sitesIDS Systems-Backend for internal and external NIC cards used to monitor all traffic within the organization-Network Address Translation Needs-Public to Private ips for internal networks with few public ip addresses-Public Servers-Located in DMZ areas all patches updates and only necessary ports open-Training programs-New software-New hardware
The methodology used by the Allen, Neill and Taylor companies along with a higher education facility also includes consideration of company growth and changes in security needs.
Policy and procedures provide the guidance for the IT department to use as a guideline in their day to day operations. These policies also supply the personnel from the IT department with directives for what to do in a breech and disaster recover and planning for catastrophic events.
Risk assessment provides the protection vs. breech cost. Risk assessment looks at the hardware, software, physical security and other areas defined as a potential risk. It is this assessment that can act as a guide for the CIO when protecting the company’s network infrastructure.
CIOs also have to look at the ever changing inventory of wireless devices, tablet PCs, PDAs, servers, workstations, and other nodes on the company’s network. The importance of inventory is often overlooked by junior Information Technology professionals. These personnel often overlook this important topic because of the changing out of antiquated equipment with new equipment. Often newer nodes placed on a network are not hardened. This negligent act is usually because of the “rush” to replace the old node and to get the newer node operational to save money and time.
The needs assessment found above is based on personnel security and the relevance behind restricting personnel from specific applications or areas within the corporate infrastructure .
The physical structure of the network layout becomes important to the security analyst for several reasons. Wireless devices too close to outside walls can broadcast beyond the companies physical boundaries. Location of the server room may leave it in a location that physical security becomes an issue. Switches or hubs in areas located in any business can leave the network infrastructure vulnerable to internal security violations. Looking at these vulnerabilities, it is easy to understand how structure of a network can become an important issue with companies.
Companies today need to look at the level of protection needed for different nodes on the company’s network. Because servers may contact the outside world, these nodes may need to be harden more than a typical desktop. Although all nodes need to be protected, it becomes an issue of where in the network infrastructure the node is placed.
Simple Network Management Protocol is used to manage many devices on networks. Some of these devices include items such as routers, switches, wireless devices and printers. With this protocol in place, unwary companies could leave this management tool open and have their network reprogrammed by a malicious individual.
The gateway to most networks to the internet is via a router. Misconfigured routers can lead to intrusion to a company’s network.Firewalls are the bodyguard of most networks. Properly configured firewalls can protect corporate infrastructures. Firewalls must be dynamic enough to change with the ever changing world of security. Corporations need to look at the individual port numbers often used by viruses or hackers to gain access to internal networks.
Leading the FBI’s security survey, antivirus infiltration in a corporation leads the survey in monies lost by corporations. Security covers a broad spectrum of areas and antivirus protection is a form of protection security. Corporations who do not deploy updated antivirus definitions, could open up Trojans or viruses that open ports or send documents to malicious individuals. Deployment often relies on Enterprise level
software to protect the entire local area network.
In order for security analyst to monitor possible network violations, many companies have put in intrusion detection systems to monitor network traffic and use alarms and logs to alert appropriate personnel of possible intrusion.
Companies without these items in place will not survive.