Security Plan 002/06
About 4Phones
The company was founded in 1981 by Gary Hepworth. Gary put himself through University by fixing broken telephones. Doing a degree in telecommunications helped. He saw that there would be a tremendous growth in the use of telephones and so formed Jones Phones to sell handsets and other accessories. A store was opened in the Sydney suburb of Parramatta and sales were confined to the Sydney area.
The company grew slowly for the first five years but with technical advances in the industry and the advent of mobile phones things started to take off. Gary saw the opportunities and opened stores in Melbourne, Brisbane and Perth. He also started advertising for mail order sales and recruited agents to make sales in major towns.
Objectives
Listed below are the actionable items identified by the security team's security audit. The issues identified are not compliant with current security standards and fail to meet the requirements of security plan 001/05.
David Blair is responsible for updating the information system to meet new requirements and standards. It is the responsibility of every employee to make sure that information is kept secure at all times.
There are many risks identified by the plan that require actionable items to be carried out as soon as possible. The board of directors and senior management give full support to the project and regard it as a high priority.
Circulation
This document contains highly sensitive and confidential security information. The document is restricted to key personnel and may be viewed by:
· Gary Hepworth, Managing Director
· Lisa Chang, Financial Director
· Simon Pham, Purchasing Manager
· Priscilla Thatcher, Services Director
· Zoe Harding, HR Manager
· John Dawes, Marketing Director
· David Blair, IT Manager
· Andrea Williams, Systems Administrator
Under no circumstances may this document be made available to the public. Physical copies of the document must be kept locked away at all times. Electronic copies must be stored in an encrypted, secure area. You MUST NOT photocopy this document or leave it in view of any person.
Project Team
The project team includes:
· David Blair, IT Manager
· Andrea Williams, Systems Administrator
· Lisa Chang, Financial Director
Section 2: Assessment Results
Our assessment has produced the following results.
Network and Systems
Workstations
All managers and staff in head office have a PC on their desk. These have been acquired over the last three years and range from Pentium IV to Pentium D computers.
All desktop PCs are equipped with 17" LCD monitors and a pointing device.
Older machines may only have 128MB of RAM but all newer computers have 512MB to 1GB of RAM. Disk sizes range from 20GB to 120GB with the newer computers having the larger capacity. However, all staff are encouraged to store files on the network server.
Servers
There are 4 servers at the Head Office equipped with processors ranging from Pentium IV to 64-bit Xeon. All servers have 1024MB of RAM or more and 10/100/1000 Mbps network cards. All systems have SCSI hard disks ranging from 80GB to 240GB. The file server and accounts server also act as the domain controllers.
The network
We have a Windows network running in Head Office over TCP/IP. The networking equipment consists of Cisco and Alcatel routers and switches running at speeds of 10/100/1000 Mbps. Our Internet connection is provided by AusISP.
Operating systems
There are a variety of operating systems in use, including Windows NT, XP, 2000 and 2003. It is our intention to implement a Windows XP and 2003 standard operating environment by the end of the year.
Store-wide system
The stores all make use of computers: each store has at least two PCs, while some of the larger stores have four. We use a PC-based POS system that links back to a server in the store. Each evening at 6pm these servers dial the HO server and download information about the day's trading. Accounts are reconciled during the last week of every month. The POS system produces daily reports for management on the day's trading, and weekly management reports.
In addition, IT supports the PCs used at the franchisee stores. It is a condition of becoming a franchisee that you use our preferred accounting system. 4phones supplies the PCs and software, and the franchisee then operates the same system as our own stores. There are over 150 PCs in the franchisee area.
Figure 1: 4phones network
Security
We compared each device and policy against the checklist in the Security Review Plan. We also ran the MBSA. These actions produced the following results:
· Contingency planning: UPS was not functional when tested. UPS must be tested on the first of each month in accordance with backup procedures. Business continuity and contingency plan is not current. Contingency plan to be updated with each major project. Project documentation to be changed to reflect contingency requirements. Failure of WAN link brought down the e-commerce server. WAN Router was not configured to use backup WAN link. Configuration changes to router required. Backup verification has not been done for over 12 months. Backup procedure must be updated to include quarterly verification of backups.
· IT Documentation: Network documentation for computers and network devices is not current. IP addresses, computer locations and port number mappings are not correct. The inventory of hardware and software is not current. Security audit documentation is not current. The CEO and Systems Administrator are responsible for reviewing and updating IT security audit documentation.
· Virus protection: Not up-to-date on four computers; generally, most users were aware of viruses but were a bit unsure about what they could do to prevent them.
· Firewall: firewalls were not configured correctly on the database server. It is imperative that all servers have personal firewalls activated and configured.
· Updates: the IOS on the boundary router is not current; the firewall was exposed to known attacks. The network maintenance plan must be updated to include router and switch patching and updating.
· Passwords: two laptop computers have no password settings and are not part of the 4phones domain. Strong passwords on elevated user accounts are mandatory.
· Physical security: Physical access is quite secure. However, information on security procedures is lacking and policy needs updating.
· Laptop computers: All the laptop computers had shiny bags with big manufacturer logos and no security locks.
· Procedures: Procedures for disposing of confidential and sensitive material on hard disks, tapes, floppy disks, CDs, etc. are not being followed. There is no account removal policy or procedure. Unused accounts are still active.
· Intrusion detection and proxy server: No intrusion detection system is installed on the network. Some users are able to access the Internet directly, bypassing the proxy server.
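The findings above on unused accounts that are still active and the missing account removal procedure point to a recurring account review. As an added illustration (not part of this plan or of 4phones' own systems), and assuming a CSV export of domain accounts with the columns shown and a 90-day inactivity threshold, this Python script flags accounts that should be disabled or removed:

```python
"""Quarterly stale-account review (added example, not from the 4Phones plan).
The review found unused accounts still active and no removal procedure; this
flags accounts to disable or remove. Export format, threshold, rows: assumed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data); blank last_logon = never used.
SAMPLE_EXPORT = """\
username,enabled,last_logon,groups
dblair,true,2006-05-28,Domain Admins;IT
awilliams,true,2006-05-30,Domain Admins;IT
temp_contractor,true,2006-01-12,Domain Admins;Sales
old_intern,true,,Marketing
svc_backup,false,2005-11-02,IT
"""
INACTIVE_DAYS = 90  # assumed review threshold

def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "enabled": row["enabled"].lower() == "true",
            "last_logon": date.fromisoformat(row["last_logon"]) if row["last_logon"] else None,
            "groups": row["groups"].split(";"),
        })
    return rows

def review_accounts(rows, today, inactive_days=INACTIVE_DAYS):
    """Return {username: action}; stale privileged accounts are marked."""
    cutoff = today - timedelta(days=inactive_days)
    findings = {}
    for acct in rows:
        if not acct["enabled"]:
            findings[acct["username"]] = "disabled: schedule removal"
        elif acct["last_logon"] is None:
            findings[acct["username"]] = "never logged on: disable"
        elif acct["last_logon"] < cutoff:
            tag = "inactive >%d days" % inactive_days
            if "Domain Admins" in acct["groups"]:
                tag += " (privileged)"
            findings[acct["username"]] = tag + ": disable"
    return findings

def review_export(text, today_iso):
    """Parse and review an export as of the given ISO date string."""
    return review_accounts(parse_export(text), date.fromisoformat(today_iso))
```

Running the review as of 2006-06-01 on the sample export flags the contractor's stale privileged account, the never-used intern account and the disabled service account, while the active staff accounts are left alone.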
Assets
Besides the physical property, our main assets are:
· Our product designs and marketing material
· Sales orders and the customer database
· Records of our contracts with vendors
· Our e-mail database and archive of past e-mail messages
· Financial information
· Paper legal records stored in various filing cabinets
Risks
The four areas of risks identified are:
· Intruders (viruses, worms, hijacking of our computer resources or Internet connection, and random malicious use). These are the risks that anyone using computers connected to the Internet faces. High risk, high priority.
· External threats (rivals, disgruntled ex-employees and thieves). They are likely to use the same tools as hackers, but in deliberately targeting us they may also try to induce members of staff to supply confidential information or even use stolen material to blackmail or damage us. We need to protect our assets with physical and electronic security. High risk, high priority.
· Internal threats. Whether accidental or deliberate, a member of staff may misuse his or her privileges to disclose confidential information. Low risk, low priority.
· Accidents and disasters. Fires, floods, accidental deletions, hardware failures, and computer crashes. Low risk, medium priority.
Priorities
Intruder deterrence:
· Firewall
· Virus protection
· Ensuring that all computers and network equipment are configured to be updated automatically
· Ongoing user education and policies
Theft prevention:
· Laptop computer security
· Security locks for laptop computers
Disaster prevention:
· More frequent review of contingency plan
· Test and validate backup procedures
· Regularly testing the backups by performing a restore
· Update security policies and procedures
Internal security and confidentiality:
· Strong password policy and user education
· Review security for filing cabinets and confidential documents
Section 3: Security Plan
After performing our assessment, we have devised the following security plan.
Action Items
- Install an intrusion detection system
- Configure proxy server
- Configure and test personal firewalls on servers
- Make sure that antivirus software is installed on all computers and that it is set to automatically update virus definitions.
- Review all networking equipment to make sure that it is fully updated, and create a maintenance procedure for regular update validation
- Buy new, nondescript laptop computer bags and locks.
- Log all serial numbers of computers and networking equipment.
- Update security policy and procedures
- Update network documentation.
- Review IT project procedures to ensure major business process changes are reflected in contingency plans.
- Conduct workshop on correct disposal of confidential information.
- Conduct workshop on security awareness and social engineering.
- All staff to sign and endorse a non-disclosure agreement.
Policy Changes
Zoe Harding will update the staff handbook to include new policies on:
· Acceptable use of e-mail and the Internet
· Use of passwords
· Who can take company property away from the office
User Education
We expect to give up to two hours of user training in small groups as a result of these changes. Training will cover:
· The importance of security
· Passwords
· Laptop computer security
· Virus prevention
· Safe Internet browsing
· Updating software and operating systems from a server
· Introducing the new staff policies
· Making sure employees understand the consequences for not complying with policies
· Assessing employees’ understanding of the new policies
· Periodically reviewing the practice of the new policies