Consider the following scenario: You work for a network security firm as a professional security engineer. You are asked to provide a security and testing assessment document for one of the firm’s customers. The customer is a local fulfillment company that deals with confidential customer information. The fulfillment company has two locations: a headquarters office downtown and a branch office in another city.
The fulfillment company has the following equipment:
-12 Windows XP and 25 Windows 7 workstations connected to a Windows Server 2008 domain controller and file server (The Windows XP personal computers [PCs] are mostly used in the warehouse connected to high-speed printers for employees to spool and print jobs.),
– one Windows Server 2008 R2 RRAS server accessed by home workers after hours,
-one Windows Server 2003 print server,
-one Linux database server running an open source of MySQL,
-one Apache Web server for customers to check status of their jobs/orders online,
-a seven-year-old firewall connecting the headquarters’ network perimeter to a T3 internet line and virtual private network (VPN) connecting to the branch office,
-a 10-year-old firewall in the branch office connecting to the Internet and headquarters via a T1 link,
-15 Windows XP workstations in the branch office connecting to the headquarters office via VPN to the Windows Server 2008 R2 domain controller file and print server.
At the headquarters location, the servers are located in a locked server room that only authorized users can enter. The server room has a four-digit combination lock for security. Both locations have numerous security cameras, including cameras in the computer room.
The network manager has informed you that the fulfillment company has an IT security policy that all employees are required to read and sign when they are hired by the company. The network manager wants to ensure that the network is secure and asks you to provide a statement of work or rules of engagement (ROE) professional security engineer document for a network security assessment.
**Create a document following the Appendix B Template (attached) based on the scenario provided. Your document must be at least three pages in length.
Refer to the NIST Publication for additional information
TO BE RE-WRITTEN FROM THE SCRATCH
- Introduction
With the growing of the use of internet in almost all aspects of business operation, personal and company information continue to become less private and accessible to the public when it is not well protected. It thus becomes important for companies to set up a security system that can put company privacy safe and protect the company and customer from unforeseen fraud or employees from viruses that would eventually destroy the whole network. It thus becomes inevitable for companies to hire internet privacy consultants to ensure security of their networks are protected.
1.1. Purpose
The main purpose of this document is to come to develop the rules of engagement document that will ensure the security of the company’s network, in addition, the document will contain a security and testing assessment procedures that will ensure the customer private information is protected at all times.
1.2. Scope
To come up with the network security for the company, the activity will involve coming up with a documented system inventory including establishing and listing all the user system boundaries. There will also be documentation of the procedures and policies in regard to the company network operations. The consultant will also identify the list of threats and vulnerabilities in terms of the client privacy and user privacy, including the likelihood and the impact of occurrence. As part of the scope there consultant will also provide the client with a list that will control and safeguard the security threats and effects of such vulnerabilities. Later the consultant will then provide the client with a list of recommended security implementation that will lead to the reduction of the said risk. This will also provide information about the level of each security risk and the level of each residual risk including recommended changes(Wheeler, 2011).
Apart from this, this ROE is also going to reflect on the different security objectives and policies with regard to the firm’s management of information technology. This will be presented in the recurrent meetings with the technical worker and the users in the network among other members of the firm’s team.
1.3. Assumptions and Limitations
Identifies any assumptions made by the organization and the test team. These may relate to any aspect of the test to include the test team, installation of appropriate safeguards for test systems, etc.
1.4. Risks
Some of the inherent risks during the time of engagement will include:
The security administrators accidentally forgets to log off to the main system thus putting the whole network under threat.
Shared password might make the whole system weak.
The security system pairs with other system making it easy to hack in and steal private information.
Disloyal stuff may also distribute private information to the wrong publics.
Actions
Each member of staff will be required to sign a confidentiality clause about passwords and other private information in the network.
There will be a reminder in the system for all the computers to log off. In addition an automatic log off with be mandatory when the computer system has been idle for more than 2 minutes. This will reduce incidences of security threats.
Administrative password will not be shared with all supervisors and shall be changed after every one week.
Updates in regard to antivirus and anti malware will be done on a daily basis after the offices close down during shut down.
- Document Structure
This section provide the rules of engagement that will be followed………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………. Network security firm as a professional security engineer …………
Get Professionally Written Papers From The Writing Experts
