IT540-Unit3-TeamA-v.6

Running Head: IT540: TEAM A NETWORK PROJECT

IT 540: Team A Network Project

Subha Arunachalam, Josh Barrett,

Sherman Britton, and Tamara Fudge

Prof. Kenneth Flick

Kaplan University

Abstract

This document outlines the network infrastructure and security policy designed by Team A for Pixel Inc., a small company that renders 3D images and video.

Table of Contents

Security Policy
    Introduction
    Purpose
    Organization Business Objectives
    Roles and responsibilities
    Security Enforcement
    Security Incident Response
    Agreements with other Organizations Occurrence
    Applications Used
    Technical Security
    Identification of Sensitive Information
    Auditing Requirements
    Business Continuity Plan
    Backup and Recovery Plan
    Physical Security
    Appendix: The Network
References
Appendix: Division of Work

IT540: Team A Network Project

Security Policy

Introduction

Pixel Inc. affirms a strong belief in information security. Though we are a small organization, our customers and business partners are international. A key element of our business success is the flow and storage of information. Pixel has a large amount of information that flows internally as well as externally. A major part of this information travels electronically via local area networking and the World Wide Web. Information is stored in various ways, including physical filings and electronic storage. There is a substantial financial investment in network/computer hardware and various software platforms. Our employees, business partners and clients all have varied degrees of electronic access to information on Pixel's network. Adverse management of this information can impact the life, reputation and legal accountability of the company, its clients, business partners and associates (Buchanan, 2010).

Purpose

This policy is intended to take a common-sense approach in outlining the methods, procedures and tasks deemed necessary for the protection of information that is handled and managed by this organization. This policy gives instructions on what measures to take proactively to mitigate the risk of information loss, corruption, unauthorized disclosure, misuse, malicious attacks and other security breaches that could disrupt or cripple the business (Buchanan, 2010). This includes, but is not limited to, addressing issues with:

Email Security

Network security

Proprietary equipment treatment

Anti-virus / anti-spyware solutions

Intrusion detection

File handling and classification

Password protection

Server configuration

Backups

Employee Communications

Physical security

Reporting Structure

This policy shall serve as a living, dynamic document that may change as the need arises. It should be taken not only as a set of rules but as a document that creates awareness of security as part of the job.

Organization Business Objectives

Pixel is a multimedia company whose profitability depends on the efficient delivery of products and services to a worldwide customer base. Moving the product requires an effective LAN, high-speed Internet and confidentiality. Data consisting of e-mails, multimedia and general files is in constant flow. Internal and external flows of information are the lifeblood of the company. Information technology will continue to play a major role in helping the company expand into the future. This company does not subscribe to the “set it and forget it” attitude (PCIS Boon Box, 2009), so constant attention is paid to how information technology can be better utilized and safeguarded to increase market share.

Roles and responsibilities

All employees, contractors, vendors and staff have the obligation to protect the information, equipment, assets, systems and infrastructure of the company. This also includes respecting and protecting the information of third-party organizations and individuals.

All employees are responsible for reporting any suspected breaches, incidents and security shortfalls or potential shortfalls immediately to the reporting manager, who will report them to the security officer (see the Security Incident Response section).

All managerial and supervisory staff are responsible for promoting best practices consistent with the standards set forth by the security officer.

The Security Officer (SO) will report directly to the CEO and will have the support of the CEO in implementing and enforcing the Security Policy.

The Security Officer and the managerial and supervisory staff will work in concert to ensure that all employees are kept informed, trained, and updated on the security policies, as these are considered dynamic.

The SO will be responsible for approvals, changes and review of the access rights of each employee, with the assistance of the managerial staff.

The SO has ultimate responsibility for ensuring that information is adequately protected. That includes risk analysis, execution of the security measures, updating/upgrading, and doing the necessary auditing. The SO is expected to achieve the security objectives through standards and best practice.

The SO will manage the people, time, equipment, software, education, access and access authorization, and access to external sources of information and knowledge. This may require delegation to the managerial staff and outsourcing (Murphy, 2010).

Additionally, company-owned equipment, including but not limited to hardware such as computers and peripherals, is for company business only, and not for personal use. The Security Officer reports to the company CEO and will file logs, weekly reports, update notices, and incident reports.

Security Enforcement

The SO will work with the managerial staff on enforcing the policy.

Compliance with the policy is a condition of employment.

All employees will be required to sign an acknowledgement of compliance with the policy each year or when major changes to the policy occur.

Failure to comply with the security policy may result in disciplinary action up to and including dismissal of the violator. The responsible manager in charge and the SO will ultimately determine the guidelines for a degree of disciplinary action that is consistent and appropriate to the situation (Verizon Corporation, 2001).

Additionally, all employees must complete an online course regarding company security policies and successfully complete an online test to demonstrate their understanding of said policies.

Security Incident Response

Pixel recognizes that though we strive for one hundred percent security, there are limitations. It is rare to have a system that is completely secure, without some unknown vulnerabilities or occurrences. For this reason all employees must make a conscious effort to report all issues pertaining to information security breaches, no matter how small. The SO and managers will work together to take all reasonable actions to investigate and to ensure that business continuity is maintained or restored.

Employees must report incidents of virus infection, hacker intrusion, data theft, system destruction or anything else that is detrimental to information security. Notify the manager in your reporting structure. Verbal reports must be followed up with a written incident report. The SO will verify the occurrence, take appropriate action for business continuity, assess and/or reduce the impact, determine the nature of the incident and improve security to prevent future breaches. The managers will consult with the SO and the legal consultant to determine how information will be communicated, to whom, and whether legal action is in order. The CEO should be notified, and the incident report completed with the remedy (Incident Response Plan, n.d.).

Additionally, the Security Officer will file full incident reports to the office of the CEO within 24 hours of both incidents and resolutions.

Agreements with other Organizations Occurrence

Pixel's success sometimes depends on the sharing of information with its affiliates and business partners. In accordance with federal and state laws and regulations, joint partnerships may be entered into with the approval of the CEO and controlling managers. Proprietary Network Information will be restricted to that which is vital to the areas under consideration, and will be shared with joint partners with respect to products and services as permitted by laws, regulations, disclosure/nondisclosure agreements with third parties and the security policy.

The SO will be responsible for making sure that the information required for any inter-organization occurrence is classified and that the proper measures are taken to partition access to the network for these transactions (Verizon Corporation, 2001).

Applications Used

Various applications will be used in the network and are listed below along with security measures.

Server applications. Microsoft Exchange Server 2010 (for the web) and Microsoft SQL Server Enterprise (for the database) provide key management, Unicode data compression, and transparent data encryption (SQL Server Enterprise, n.d.) and will allow for the handling of DNS and DHCP, or Domain Name System and Dynamic Host Configuration Protocol, respectively (Morimoto, Noel, Amaris, Abbate, & Weinhardt, 2010).

Additionally, servers and desktop computers must run HIDS (Host-based Intrusion Detection Software). This will enable integrity testing, alerts and log analysis; it may be centrally managed and is designed to prevent attacks on the system (Intrusion Detection FAQ: What is a Host Intrusion Detection System?, n.d.).

Operating Systems. The following operating systems for company computers have been secured and include built-in file and print sharing: Mac OS X Lion for Apple Mac Pro desktops, upgraded from Leopard; and Windows 7 for PCs, upgraded from Vista.

Productivity software. Microsoft Office Professional 2010 is employed, with Word, Excel, PowerPoint, OneNote, Outlook (for email), Publisher, and Access (Compare Editions, n.d.). Security features are already present in the Office suite, including alerts for ActiveX controls, macros, and other add-ins that may pose threats. Documents sent via the Internet are placed in Protected View until the user determines the suitability of the document for editing and use (Security in Microsoft Office 2010, n.d.). Security measures for Outlook email will include password protection and aging.

Additionally, all PCs running Windows 7 must be protected by anti-virus, anti-malware, and anti-spyware programs.

Render Farm Software. High-performing 64-bit Autodesk Maya 3D animation software (Autodesk Maya, n.d.) will be used to begin building the company's own render farm. Scenes will be stored and worked on remotely to avoid data loss and broken internal links (Carroll, 2010).

Additional software. Browsers for Internet use may include Safari, Chrome, Firefox, and/or Internet Explorer; all are free downloads. To protect against viruses and spyware, avast! Security for Business is to be included on all desktops and laptops prior to employee use. In addition, avast! contains file server, email server, end-point, and other protections, anti-spam, and a firewall (avast! Security for Business, n.d.).

Technical Security

In addition to the items listed above in Applications, the following security measures must be followed:

Password protection is required on all company equipment and network resources.

Passwords must be a minimum of 10 characters in length, and include at least three of the following: capital letter, lowercase letter, number, and special character.

Passwords for all servers and desktop computers must be changed every 90 days. Due to the rather small size of the company, this will be implemented with a Decentralized Policy and Centralized Enforcement for easiest handling (Password Aging, n.d.).

Email will be secured by S/MIME, with digital signatures for verification of senders and encryption so that attachments cannot be read by intruders (Weiss, 2010).

The email server will be set to reject messages that are not properly addressed by using a 550 code (Klensin, 2001).

FTP will be client-initiated, which facilitates connection handling at the firewall. Encryption of the data connection will prevent one client from viewing files of another client (Gromek, 2002).
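
The password rules above (10 characters, three of four character classes, change every 90 days) can be checked mechanically. The following is an added example, not part of the original paper: the host names, account names, dates and the reading of "special character" as any non-alphanumeric character are assumptions made for illustration.

```python
from datetime import date, timedelta

MIN_LENGTH = 10                 # policy: minimum of 10 characters
REQUIRED_CLASSES = 3            # policy: at least three of the four classes
MAX_AGE = timedelta(days=90)    # policy: changed every 90 days


def character_classes(password):
    """Return the set of policy character classes present in a password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("capital")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
        elif not ch.isalnum():
            # Assumption: anything that is not a letter or digit is "special".
            classes.add("special")
    return classes


def password_violations(password):
    """Check a candidate at change time; an empty list means it complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        problems.append("too_few_classes")
    return problems


def audit_password_age(accounts, today):
    """Return (host, account, days_overdue) for each non-compliant record.

    Assumption: a password that is exactly 90 days old is still compliant.
    A record with no change date is reported with days_overdue=None,
    because compliance cannot be demonstrated for it.
    """
    findings = []
    for rec in accounts:
        changed = rec["last_changed"]
        if changed is None:
            findings.append((rec["host"], rec["account"], None))
        elif today - changed > MAX_AGE:
            overdue = (today - changed - MAX_AGE).days
            findings.append((rec["host"], rec["account"], overdue))
    return findings


# Constructed sample records (hypothetical hosts and accounts).
TODAY = date(2011, 12, 15)
SAMPLE_ACCOUNTS = [
    {"host": "exch01", "account": "svc-mail", "last_changed": date(2011, 9, 1)},
    {"host": "sql01", "account": "dbadmin", "last_changed": date(2011, 11, 20)},
    {"host": "desk-07", "account": "jdoe", "last_changed": date(2011, 9, 16)},
    {"host": "mac-03", "account": "render", "last_changed": None},
]

if __name__ == "__main__":
    for candidate in ("Pixel2011!", "renderfarm", "Maya3D", "pixel-inc-2011"):
        print(candidate, password_violations(candidate) or "ok")
    for finding in audit_password_age(SAMPLE_ACCOUNTS, TODAY):
        print("stale password:", finding)
```

The composition check applies only when a password is set, since stored passwords should exist only as hashes; the age audit needs nothing more than the last-change date of each account.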

Identification of Sensitive Information

The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of the Organization without proper authorization.

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as the Organization’s confidential information in each column may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the confidential information in question.

Minimal Sensitivity: General corporate information and some personnel and technical information; access is for employees, contractors, and people with a business need to know.

More Sensitive: Business, financial, technical, and most personnel information; access is for employees and non-employees with signed non-disclosure agreements who have a business need to know.

Most Sensitive: Trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of our company; access is only for those of the organization’s employees and non-employees designated with approved access and signed non-disclosure agreements (Audit Security Policy Templates, n.d.).

Auditing Requirements

This policy covers all computer and communication devices owned or operated by the Organization. This policy also covers any computer and communications devices that are present on the premises, but which may not be owned or operated by the organization.

When requested, and for the purpose of performing an audit, consent to the access needed will be provided to members of the Audit team. The organization hereby provides its consent to allow the Audit team to access its networks and/or firewalls to the extent necessary to allow it to perform the scans authorized in this agreement. The organization shall provide protocols, addressing information, and network connections sufficient for the Audit team to utilize the software to perform network scanning.

This access may include:

User-level and/or system-level access to any computing or communications device

Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the organization’s equipment or premises

Access to work areas such as labs, offices, cubicles and storage areas

Access to interactively monitor and log traffic on the organization’s networks (Audit Security Policy Templates, n.d.).

Business Continuity Plan

A Business Continuity Plan refers to the activities required to keep your organization running during a period of displacement or interruption of normal operation. A business continuity plan is a collection of procedures and information that is developed, compiled and maintained in readiness for use in the event of an emergency or disaster.

A business continuity plan is required because a disaster might occur at any time, so the organization needs to be prepared. This plan should cover the occurrence of the following events:

Equipment failure

Disruption of power supply or telecommunication

Application failure or corruption of database

Human error, sabotage or strike (Introduction to Business Continuity Planning, 2002).

Backup and Recovery Plan

This policy is designed to protect data in the organization, to be sure it is not lost and can be recovered in the event of an equipment failure, intentional destruction of data, or disaster. This policy applies to all equipment and data owned and operated by the organization.

Organizations must establish procedures and policies for backup and recovery of data. Backups should be routinely monitored to ensure that recovery procedures are functional. Detailed documentation of the equipment and software necessary to restore the organization’s resources should be created. The equipment necessary to restore systems and data should be documented, improving the time and quality of purchasing decisions in the event of recovery needs. Backup media and documentation should be stored both on- and off-site at a location approved by the organization. The definitions are given below:

1. Backup - The saving of files onto magnetic tape or other offline mass storage media for the purpose of preventing loss of data in the event of equipment failure or destruction.

2. Archive - The saving of old or unused files onto magnetic tape or other offline mass storage media for the purpose of releasing online storage room.

3. Restore - The process of bringing offline storage data back from the offline media and putting it on an online storage system such as a file server (Backup Policy, n.d.).

Additionally: To prevent catastrophic loss, offsite backup is required at a location with access available to the Security Officer and two other designated full-time employees at any time of day, seven days of the week, all year.

Additionally: Complete documentation of all server configurations must be maintained by the Security Officer and made available in the event of a catastrophe to facilitate rebuilding the system.

Physical Security

Physical security controls limit physical access to computer resources and protect them from intentional or unintentional loss or impairment. Physical security controls are divided into a) preventive controls, which attempt to avoid the occurrence of unwanted events, and b) detective controls, which attempt to identify unwanted events after they have occurred. Preventive physical security controls generally include:

Manual door or cipher key locks

Magnetic door locks that require the use of electronic keycards

Biometric authentication

Security guards

Photo IDs

Entry logs

Logs and authorization for removal and return of tapes and other storage media to the library

Perimeter fences around sensitive buildings

Computer terminal locks (Nilsen, 2002).

Appendix: The Network

We have designed a state-of-the-art network for Pixel Designs. Cisco switches provide superior connectivity and manageability services. Cisco blade servers provide ultimate performance. Fiber supports the entire network, which will offer high-speed connectivity and performance. Soho offers the best firewalls; two are installed for redundancy purposes.

The core switches will be two Cisco Nexus 5548 switches. The Cisco Nexus 5548 switch offers Fibre Channel over Ethernet to reduce network complexity in the data center. Connectivity options available are Gigabit, 10 Gigabit and FCoE (Cisco Nexus 5548P Switch, n.d.). These switches will provide the flexibility needed by the company now and allow future growth. Cisco Catalyst 2960 switches will provide connectivity to the client computers; each switch has 48 ports for a total of 192 ports between the two closets. These switches support full Power over Ethernet and a wide range of management services (Cisco Catalyst 2960 Series Switches, n.d.).

Messaging is handled by the Atos messaging-as-a-service appliance. The DS-3210 offers top-of-the-line messaging. This appliance will improve productivity and availability while reducing IT costs (Atos Messaging as a Service, 2011).

The following figure shows the network.

Figure 1. The Network.

References

Atos Messaging as a Service. (2011). Retrieved December 15, 2011, from NetApp: http://media.netapp.com/documents/DS-3210_0811_Atos_Messaging_as_a_Service.pdf

Audit Security Policy Templates. (n.d.). Retrieved December 14, 2011, from SANS Institute: http://www.sans.org/security-resources/policies/audit.php

Autodesk Maya. (n.d.). Retrieved December 15, 2011, from Autodesk: http://usa.autodesk.com/maya/features/

avast! Security for Business. (n.d.). Retrieved December 15, 2011, from avast!: http://www.avast.com/en-us/business

Backup Policy. (n.d.). Retrieved December 14, 2011, from CompTechDoc: http://www.comptechdoc.org/independent/security/policies/backup-policy.html

Buchanan, W. (2010, April 27). Information Security Best Practices for Small Businesses Part 1. Retrieved December 15, 2011, from YouTube: http://www.youtube.com/watch?v=L8Fg8M1vRUc

Carroll, J. K. (2010, March 19). Render Node Considerations. Retrieved December 15, 2011, from Tom's Hardware: http://www.tomshardware.com/reviews/render-farm-node,2340-4.html

Cisco Catalyst 2960 Series Switches. (n.d.). Retrieved December 15, 2011, from Cisco: http://www.cisco.com/en/US/products/ps6406/index.html

Cisco Nexus 5548P Switch. (n.d.). Retrieved December 15, 2011, from Cisco: http://www.cisco.com/en/US/products/ps11215/index.html

Compare Editions. (n.d.). Retrieved December 15, 2011, from Microsoft Store: http://www.microsoftstore.com/store/msstore/html/pbPage.Office_Compare_Editions

Gromek, M. (2002, February 12). Securing FTP Authentication. Retrieved December 15, 2011, from SANS Institute InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/protocols/securing-ftp-authentication_374

Incident Response Plan. (n.d.). Retrieved December 15, 2011, from CompTechDoc: http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html

Introduction to Business Continuity Planning. (2002). Retrieved December 14, 2011, from SANS Institute InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/recovery/introduction-business-continuity-planning_559

Intrusion Detection FAQ: What is a Host Intrusion Detection System? (n.d.). Retrieved December 15, 2011, from SANS Institute Security: http://www.sans.org/security-resources/idfaq/what_is_hips.php

Klensin, J. e. (2001, April). Simple Mail Transfer Protocol. Retrieved December 15, 2011, from IETF Network Working Group RFC 2821: http://www.ietf.org/rfc/rfc2821.txt

Morimoto, R., Noel, M., Amaris, C., Abbate, A., & Weinhardt, M. (2010). Microsoft Exchange Server 2010 Unleashed. Pearson Education.

Murphy, M. (2010). Information Security Policy Statement. Retrieved December 10, 2011, from University of Oxford: Childhood Cancer Research Group: http://www.ccrg.ox.ac.uk/datasets/policystatement.htm

Nilsen, O. (2002, March 17). Protection of Information Assets. Retrieved December 17, 2011, from SANS InfoSec Reading Room: http://www.sans.org/reading_room/whitepapers/basics/protection-information-assets_594

Password Aging. (n.d.). Retrieved December 15, 2011, from Columbia University: UnixDev: http://www.columbia.edu/acis/sy/unixdev/policy/password-aging.html

PCIS Boon Box. (2009, July 25). PCI DSS and Data Security Compliance p1. Retrieved December 15, 2011, from YouTube: http://www.youtube.com/watch?v=qOwwJD17IH0

Security in Microsoft Office 2010. (n.d.). Retrieved December 15, 2011, from Microsoft Safety & Security Center: http://www.microsoft.com/security/pc-security/office2010.aspx

SQL Server Enterprise. (n.d.). Retrieved December 15, 2011, from Microsoft Store: http://www.microsoftstore.com/store/msstore/en_US/pd/productID.221628500/categoryID.57613600/list.true

Verizon Corporation. (2001). Connecting Through Integrity. East Rutherford, New Jersey.

Weiss, A. (2010, October 27). Simple Steps to Securing Email with S/MIME. Retrieved December 15, 2011, from eSecurity Planet: http://www.esecurityplanet.com/views/article.php/3910181/Simple-Steps-to-Securing-Email-with-SMIME.htm

Appendix: Division of Work

The following describes the fair division of work as we initially agreed upon, and as evidenced in this paper:

Subha Arunachalam

Identification of Sensitive Information; Auditing Requirements; Business Continuity Plan; Backup and Recovery Plan; Physical Security

Josh Barrett

Network Description; Network Diagram, created with Microsoft Visio

Sherman Britton

Introduction; Purpose; Organization Business Objectives; Roles and Responsibilities; Security Enforcement; Security Incident Response; Agreements with Other Organizations

Tamara Fudge

Applications Used; Technical Security; Incorporation of "Wee" items into sections written by others (noted by "Additionally"); Compilation of all team members' work, APA compliance with in-text citations, reference entries, and general document formatting