Advo Case Study

Case Study Questions

Page 1: Advo Case Study

1. Traditionally, managing IT security and physical security have been treated as two separate domains. Why should they be integrated?

Advo, Inc. is the largest provider of direct mail advertising services in the United States and the largest commercial user of United States Postal Service standard mail.

In Advo’s environment, security has to cover both physical assets and information assets, because the company’s requirements demand that the two be integrated. Physical security emphasizes the protection of physical assets, personnel and facility structures; it involves managing the flow of individuals and assets. IT security focuses on the protection of information resources, primarily computer and telephone systems and their data networks; it involves managing the flow of information into, out of and within the facilities and IT systems, including human access to information systems and networks. So the two are clearly separate domains. It is true that many physical and IT security processes and procedures must be integrated at the technology level, yet no technology defines that integration: the business processes and procedures define it, and the technology implements it. The first step in integrating physical and IT security is therefore an examination of the security-related business requirements and of the physical and IT security processes that support them. Integrating the business processes determines how effectively physical security and IT technology can be integrated.

2. Why is top management's awareness and support essential for establishing and maintaining security?

Support from high-level people such as the CIO (Chief Information Officer), CFO (Chief Financial Officer) and CEO (Chief Executive Officer) is a basic need for an organization, because they are the only people with the authority to take the right decisions and to steer the business toward the expected level of growth. The CIO in particular can decide on IT strategy and security within the organization and can provide an effective solution to a security problem.

3. Why should those responsible for leading the organization's security efforts be placed high in the organizational chart?

If there are few or no security measures, there is no way to succeed. Security here includes physical, information, personnel, organizational and project-level threats; all of them are essential measures and should be treated as high priority. The people responsible for these concerns should therefore hold a high position within the organization, because no organization wants to face unexpected risks at the end.

4. The first decision made by Advo's top management in the aftermath of the 9/11 attacks was to improve physical security. Why was attention focused on this particular aspect of security?

In the aftermath of the 9/11 attack, with the public alarmed by a looming cyber-attack on US infrastructure, the US Homeland Security Secretary once again pushed Congress to pass legislation allowing the government greater control over these threats.

In general, this decision should have been taken before the attack, but the government was not aware that such a physical attack was possible, and the attack created a hazardous situation for the people of the country. Controlling such threats in the future therefore became a need, and Advo decided to take the initiative on this concern and set a few general rules for the physical security of people. Moreover, senior members of the White House are also working on an executive order that would encourage companies to meet government cyber-security standards.

5. What are the advantages and disadvantages of using consultants and third-party organizations to provide security-related services? What reasons would a company have for hiring consultants to provide guidance for its security efforts?

There are numerous advantages to using consultants and third-party organizations to provide security-related services.

One advantage for Advo is cost control: the expense is predictable, because the contract sets a fixed price for a fixed period of time. Consultants and third-party security providers normally bid for a contract to work for Advo, and the bidding process lets the company decide how much it is willing to spend on security-related services. The company would also not be responsible for providing health insurance, workers’ compensation and insurance, or any other expenditures for those employees, since the security company would handle all of that.

Another advantage is that Advo could be more productive. The company would not have to focus on security-related tasks such as hiring, firing and training, which would let it use its personnel more effectively to accomplish more. In short, Advo would not have to hire more employees and could use its current ones to oversee any aspect of the security services, freeing them to concentrate on other aspects of the business.

There are also disadvantages to using consultants and third-party organizations to provide security services. One disadvantage for Advo is that it would not have direct control of the personnel used by the security provider: Advo has no say in who should be hired or fired by the security company, nor in what kind of people are hired. Therefore, I would say that before agreeing to a contract with a security provider, Advo should examine all the odds and ends of that company, including its hiring.

6. Why is it a good security practice to have few visitors in a reception area?

Every visitor first arrives at reception and must complete a few required formalities there before moving inside the organization. A few policies for visitors to government departments as well as company premises are defined below:

a) All visitors are met by their employee sponsor at the time of check-in and sign two copies of the “Visitor Agreement”.

b) Visitors may not request information that does not relate to their visit, or that concerns confidential work being performed.

c) All visitors must arrive at a designated check-in entrance only.

d) Visitors requiring access to areas controlled by swipe-card locks should arrange temporary cards with a limited validity period.

e) Visitors are not permitted to take photographs inside the company’s premises unless this has been specifically agreed with their sponsoring employee.

7. Identify the security risks involved in allowing networked systems to be used by large numbers of temporary employees who do not need to log in. What password XXXXX should be implemented for stronger user authentication?

To control security threats to the network, there are network security guidelines for new or temporary users, as listed below:

a) Users are responsible for exercising good judgment regarding the reasonableness of personal use of the network.

b) All equipment should be secured with a password-protected screensaver with the automatic activation feature enabled.

c) The company’s network administration aims to provide a reasonable level of privacy, but users must be aware that the data they create on corporate systems remains the property of the company.

d) Passwords should be kept secure, and accounts must not be shared.

e) Unauthorized copying of copyrighted material is strictly prohibited; any copying must be covered by an active license.

Passwords should be strong for all employees, protected by encryption, and never shared. In general:

A password should contain at least one special character in addition to alphanumeric characters.

A password should be case-sensitive.

The password should be sent over the network in encrypted form when the user logs in to their account.

8. How far away should a backup site be located from company headquarters? What factors should be considered in determining the location of a backup site?

Planning the location of the backup and recovery site is an integral part of the overall disaster recovery and business continuity planning process. In today’s volatile business and political climate, many organizations are re-examining the importance of location in developing a recovery site. Although there is still no single overriding standard, both the federal government and private industry have developed new guidelines, based on various studies conducted over the past years, that can help in deciding the optimal distance between a data center and its recovery or backup site. It is also clear that placing the recovery site too far from the main data center can be just as devastating as placing it too close. The distance therefore depends on the business requirements, and the decision to locate the site far away or close by should be made after taking all of these factors into account.

9. Advo’s believes that frequent audits help to ingrain a security mindset among the company's employees. What other benefits are there to performing frequent security audits?

If frequent security audits take place at Advo, there is less chance of an attack that could cause a hazardous situation for the company. A few benefits of frequent audits are described below:

They help improve the security process for both physical security and information security.

Continuous monitoring also helps to prevent future attacks such as the earlier 9/11 attack.

Security workers work more effectively because of the timely inspection of their department.

Concerns are measured, and decisions can be taken by high-level authorities such as the CIO and CSO.

Employees feel safer, because the company is taking initiatives and monitoring each and every activity.

10. Research the role of Software House in the Open Security Exchange (OSE). What is the purpose of the OSE?

The purpose of the Open Security Exchange is to combine the disparate technologies that form today’s security infrastructures, in order to optimize security investments and increase operational efficiency. Effective security management results in accurate detection of threats and attacks, consistent definition and enforcement of security policies, and enhanced organizational collaboration.

The purposes of effective security management through the OSE:

To support all of the technologies that comprise an organization’s security infrastructure; for example, the OSE promotes the integration of physical and IT security.

To enable organizations in the private and public sectors to maximize organizational security while optimizing efficiency. The OSE also promotes realistic specifications that address all types of security issues and challenges.

To allow organizations to adopt best-practice security policies and procedures, which helps reduce the occurrence of organizational security incidents and contributes to consumer confidence in online transactions and e-commerce services.