Controlling Access

CMGT 430/Enterprise Security

Controlling Access

The topic of managing networks and data security is a huge concern of organizations all around the world. As a risk management consultation it is necessary to help the organization as a whole and specifically the IT department understand the importance of the provisioning of data and controlling access on their company network.

The risks, vulnerabilities and threats related to securing the enterprise from external threats have been identified. With the finding below we hope to show senior management, and the others that updating the policies and procedures to align with the mission of the organizations commitment to maintain confidentiality, integrity, and availability will be in the best interest of all organizational members.

Modifications to the policies are often necessary whenever technology changes for the organization. As technology changes or advances organizations must realize that most often the policies, practices, and guidelines will change as well.

Areas of Concern

With all organizations a very real balancing act is constantly in progress. The battle between productivity and security is real. The more secure a system is the more difficult it is to complete daily tasks. Productivity and security need to go hand in hand.

As technology improves the way employees complete required tasks or duties has changed, the days of sitting at a terminal with a stack of floppy disks has been replaced with smart devices and cloud storage. Complete on site data rooms are being replaced with virtual solutions, productivity can be increased but so must the backend of the organizations security.

We are an ever growing company, acquiring three new companies in the past two years. With this many of our features revolve around our corporate website that not only services our customers but our employees just the same. Customers make requests for or changes to their orders from the website. This allows them to select which solution they would like and any additional options or features. They can also use the community feature where they can find product information, upcoming releases and share information with other customers.

With products and services being available to customers on the website, it poses a threat to the organization. Although there are policies, procedures, and practices in place for internal use of the network services, the organization must establish policies, procedures, and practices for external use as well.

There is a constant concern regarding such a broad community of users accessing the organizations network. This causes increasing risk of security attacks. Specific areas will require enhanced security that restricts external user’s ability to access internal “intranet” pages. In addition there must be adequate security systems to protect the organizations databases that store confidential information.

The customer facing web site and ordering interface will need to be designed as to only accept specific character inputs. This will limit the possibilities of script injection and assist in protecting the system, any changes will require the Chief Information Officers (CIO) approval moving forward.

Business databases security will need to be addressed as well. The administration of security for data and access has created a wide-ranging set of procedures that build, execute, instruct, and monitor the business security strategy and actions. Using these as an example an in depth defensive control would be our best option. This technique will provide a security approach that uses layers of protection offers the benefit of increasing the time and resources required to go through each layer of protection. To handle access controls, the group will need to create access control policies that govern how access permissions is given to entities and groups. The policies consist of provisions for occasional assessment of all access rights and only giving access privileges when needed.

Cyber-crime is on the rise, damages from an attack can be extensive: lost profits, reduced customer confidence, bad public relations and damage to the company name are only some of the possible consequences. The organization has firewalls and intrusion prevention systems and should deploy a highly developed malware detection platform that inspects files coming into the enterprise by e-mail and download.

Mobile communications and technology facilitate work and collaboration from any location. The organization can promote this benefit by creating a Citrix VPN. This technology allows authorized devices to access critical network resources even when out of the office. This option does present its own risks in that mobile devices will be used outside a secure and controlled environment. Policies should be in place to control how these device connect to the organization. Remote connection software should be allowed for management, and IT staff to provide the ability to connect to a computers remotely. The group can use this technology to access authorized computers from a remote location. Using a personal computer or device they can access their workstation, data, or other applications. Access should be grant through distinct roles.

Much like telework, cloud solution and network interfaces provide distinct productivity to cost increases but bring with them their own share of security needs. Both Cloud solutions and interfaces can be solved by HTTPS solutions or Software as a Service (SaaS). These ideas both offer the organization and optimum amount of network management for the network and web interfaces.

Software as a service functions can be further wide-ranging by allowing custom code extensions. SaaS platforms become heir to all of the same security structural designs, security concerns, and enhancements as other settings. The application security design for whichever custom code extensions is the similar to the application itself. Data replaced through software as a service program external APIs are meet the terms of existing security procedures and policies for any type of external data interchange.

With every system, invasions are always a possibility and require effectual defensive tools. Tools consist of vigorous physical security in combination with firewalls, anti-virus/anti-malware solutions and intrusion prevention technology. This with system redundancy, established procedures will ensure a successful network infrastructure.

References

Best Practices for Security. (2016). Retrieved from https://msdn.microsoft.com/en-

us/library/cc750076.aspx

, & Mattord, H.J. (2010). Management of Information Security (4th ed.).

Retrieved from Management of Information Security