Network Security Final Assignment
ISMT COLLEGE THIRD SEMESTER | TINKUNE, GAIRIGAU
Introduction

The term network security covers a complex and vast field. It may seem to deal only with maintaining security in an organization or in the network it has built, but it is much more than that. Network security is the study of networks and of how they work, in order to balance the amount of resources that different clients are allowed to access. "Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become wired, an increasing number of people need to understand the basics of security in a networked world." In his introduction to network security, Curtin points out how much a basic understanding of network security is needed in today's world. While most files and information are being digitalized, it is of the utmost importance that we face the truth that this information is vulnerable and susceptible to threats, to hijacking or to being stolen. By hijacking I mean the process of re-routing or disrupting the path of certain network packets on the internet highway onto a different path. "Wired", as used by Curtin (1997), is the phrase he used to describe people getting connected to the internet. (InterHack, n.d.)

As per the system requirements of the Commercial Banking Enterprise, which has its own IT department to manage its technological infrastructure, we need to be able to manage, support and implement a secure network infrastructure for the bank's LAN/WAN environment. With the advances in technology and the internet, many users are becoming aware of the different resources available to them which can help them exploit various websites and servers. In a recent example, the online streaming website Twitch.tv was attacked by DDoS, which made the website unusable for two days. DDoS stands for Distributed Denial of Service.
Similarly, there are countless new exploits and methods being created, and many already present on the internet, ready to be used to disrupt online resources. This is what we must be prepared for in terms of securing the network. Since both branch offices need to be connected through a VPN server and must also be part of the domain, it is possible that the network is already secured by this method. A private login method, which uses its own password and login procedure to connect to the head office, is a legitimate way of securing the network already. But we must also prepare and enable the different types of security strategies provided by Windows Server itself to make the network trustworthy.
Most importantly, we need to audit the current network security of the bank in order to identify threats and risks. Here I audit the bank's network security against the ISO standard.

Evaluating Current System

The audit table records, for each control, its ID and name, its status (Yes / No / Partial), the evidence or justification found, and a recommendation where one is needed.

5.1.1 Information security policy document
Evidence: An information security policy exists; it is approved by management, published and communicated as appropriate to all employees, states management's commitment and sets out the organizational approach to managing information security.

5.1.2 Review of information security policy
Evidence: Several information security policy review procedures exist and they include a requirement for management review, but the results of the management review are not taken into account.
Recommendation: The information security policy should be reviewed at planned intervals, and if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness, and the Information ... requirements.

6.1.3 Allocation of information security responsibilities
Evidence: Responsibilities for the protection of individual assets, and for carrying out specific security processes, are clearly identified and defined.

6.1.4 Authorization process for information processing facilities
Evidence: A management authorization process is defined and implemented for any new information processing facility within the organization.

6.1.5
Evidence: The organization's need for confidentiality or non-disclosure agreements (NDAs) for the protection of information is clearly defined and regularly reviewed, but this does not address the requirement to protect confidential information using legally enforceable terms.

6.1.6 Contact with authorities
Evidence: A procedure exists that describes when, and by whom, relevant authorities such as law enforcement, the fire department, etc. should be contacted, and how the incident should be reported.

6.1.7 Contact with special interest groups
Evidence: Appropriate contacts with special interest groups, other specialist security forums and professional associations are maintained.

6.1.8 Independent review of information security
Evidence: The organization's management of information security, and its implementation, are not reviewed independently at planned intervals or when major changes to the security implementation occur.
Recommendation: The organization's management of information security, and its implementation, should be reviewed independently at planned intervals or when major changes to the security implementation occur.

7.1.1 Inventory of assets
Evidence: All assets are identified and an inventory or register of all important assets is maintained.

7.1.2 Ownership of assets
Evidence: Each identified asset has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.

7.1.3 Acceptable use of assets
Evidence: The rules for acceptable use of information and of assets associated with an information processing facility have been identified, documented and implemented.

7.2.1 Classification guidelines
Evidence: Information is classified in terms of its value, legal requirements, sensitivity and criticality to the organization.

7.2.2 Information labelling and handling
Evidence: An appropriate set of procedures is defined for information labelling and handling, in accordance with the classification scheme adopted by the organization.

8.1.1 Roles and responsibilities
Evidence: The security roles and responsibilities of employees, contractors and third-party users have been defined and documented in accordance with the organization's information security policy, but the roles and responsibilities are not clearly defined.
Recommendation: Roles and responsibilities should be defined and clearly communicated to job candidates during the pre-employment process.

8.2.1 Management responsibilities
Evidence: Management has made it compulsory for employees, contractors and third-party users to apply security in accordance with the established policies and procedures of the organization.

8.2.2 Information security awareness, education and training
Evidence: No training has been held in the last 5 years.
Recommendation: All employees in the organization and, where relevant, contractors and third-party users should receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function.

8.2.3 Disciplinary process
Evidence: There is a formal disciplinary process for employees who have committed a security breach.

8.3.1 Termination responsibilities
Evidence: Responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.

8.3.2 Return of assets
Evidence: A process ensures that all employees, contractors and third-party users surrender all of the organization's assets in their possession upon termination of their employment, contract or agreement.

8.3.3 Removal of access rights
Evidence: The access rights of all employees, contractors and third-party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change.

The building where the company is located is prone to earthquake damage as it is too old.

9.1.5 Working in secure areas
Evidence: Physical protection and guidelines for working in secure areas are designed and implemented.

9.1.6 Public access, delivery and loading areas
Evidence: Delivery, loading and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated from them to avoid unauthorized access.

9.2.1 Equipment siting and protection
Evidence: Equipment is protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.

9.2.2 Supporting utilities
Evidence: Equipment is protected from power failures and other disruptions caused by failures in supporting utilities. Continuity of power supply, such as multiple feeds, an Uninterruptible Power Supply (UPS), a backup generator, etc., is in place.

9.2.3 Cabling security
Evidence: Power and telecommunications cabling carrying data or supporting information services is protected from interception or damage. Additional security controls are in place for sensitive or critical information.