Quest
Assignment Instructions

Part 1: Devise a Security Policy

Think about a business you are familiar with that uses networks and computers to support business functions. Create a list of 10 important, specific items. The list might contain items such as the following:

  • Components — Servers, computers, mobile devices, IoT devices, other equipment, etc.
  • Information — Sales data, client data, financial data, etc.
  • Network configuration

Identify the threats these important items are subject to. Devise a security policy to mitigate those threats. Document your analysis process. Note that this information will be useful moving forward, so develop it fully at this time.

Part 2: Security Policy Assessment

Read the following mini-security policy. Assess this security policy in four major areas. What is missing, incomplete, inaccurate, or ill-advised?

R&D Financial Services, LLC Security Policy

Each document should have a footer or header identifying the level of sensitivity. Suggested sensitivity levels are unrestricted and client sensitive.

Email clients should enable SSL encryption for ActiveSync, POP3 and SMTP. SSL should also be used for web-based email. That way, regardless of where people work, their email traffic will not expose any data to network eavesdropping techniques. If client confidential data must be emailed amongst any third-party firms and/or consultants, the file should be encrypted, perhaps using a cross-platform product such as PGP or S/MIME, so that data cannot be read from email servers along the way.

File servers with shared folders should have access controls enabled to only members of the authorized group. Shared folders should also be encrypted so that physical theft of the server, its hard drives, or the backups will not compromise data confidentiality.

Periodic backups will be made of server hard drives and stored offsite in a secure location such as a safety deposit box. Access to the backups will be shared.

Only a select few consultants under contract with R&D Financial Services, LLC will be given the file server Administrator account password. Laptop computers will not automatically login the administrator and each account will be password protected. Local folders containing client sensitive data should be encrypted so that theft of the laptop or its hard drive will not compromise data confidentiality.

Portable storage devices, such as USB and thumb drives, may be used to store client sensitive documents if they are stored in encrypted folders or drive images.

Laptop computers will have screen savers enabled with password protection. Users will switch on their screen saver to lock the computer when they walk away from it.

Passwords should be chosen wisely, i.e., common dictionary words should not be used.

Assignment Requirements

  • Answers contain sufficient information to adequately answer the questions
  • No spelling errors
  • No grammar errors

Note: Two points will be deducted from the grade for each occurrence of not meeting these requirements.