Risk Analysis-Riordan Boise, ID

...ded by the project team to develop and/or maintain a quality application system. Staff hours should be broken down by major skill category, both technical and program related. This information will help management determine the resources required and when they are needed.

Risk Management Structure

Identify organizations responsible for managing identified risks and maintaining countermeasures.

Periodic Risk Assessment

Describe the frequency of periodic risk assessments of the operational system.

Contingency Planning

Determine the level of contingency planning needed and identify the responsible personnel involved.

Network Requirements for McBride Financial

Introduction

Hugh McBride of McBride Financial Services has requested an analysis of the risks involved with the IT configuration in the Boise office (SF-mf-006). In addition, this document will include completion of Change Request 1 of SR-mf-005 requesting the creation of the Physical Design for the LAN of the Boise Office. The Boise office is to be the headquarters office with seven additional locations in five neighboring states: Cheyenne and Jackson, Wyoming; Helena, Montana; Bismarck and Fargo, North Dakota; and Pierre and Sioux Falls, South Dakota.

Purpose

McBride Financial Services is expecting to provide high-quality mortgage services at minimal cost. They intend to use modern computer technology to provide this efficient and effective service to customers in a five-state area. This document will spell out the many requirements that Mr. McBride mentioned in his conversation with Abram LaBelle of Smith Systems Consulting. In addition, this document will contain additional requirements provided by Ms. Elizabeth Slovick. The purpose of documenting the future visions is to ensure that the proposed LAN will be able to support the future plans when they become reality, and to discuss any risks that may be involved with these additional requirements.
The Boise, Idaho office is located in the downtown Boise area, which is dominated by banks, trendy restaurants and local coffee shops. This facility is also close to the interstate highway. The Boise, Idaho facility is the primary focus of this document.

This facility is expanding to three buildings. Currently the Boise office is located in Building 1. Building 1 is occupied by three (3) administrators, one (1) finance employee in the bookstore and five (5) finance people in accounting. There are five (5) sales employees and five (5) support employees. The Boise office has one (1) computer IT employee. Additional space is included for 10 training rooms.

On the same property, space is being leased in Building 2, located 120’ across the parking lot. This space will be remodeled so that the following employees will move from Building 1: three (3) administrators, five (5) finance people in the accounting department, five (5) sales employees and three (3) support employees. After the move into Building 2, Building 1 will be remodeled. This space will contain one (1) finance employee in the bookstore, two (2) support employees, and one (1) computer IT employee. The required space for ten (10) training rooms will remain in Building 1.

Space is also being leased in Building 3, which is 2000’ away. This facility is not on the same property, but is located several blocks from Buildings 1 and 2. This facility will house twenty (20) training rooms and two (2) new support employees.

Branch office (A) is currently open. This facility is located 250 miles away (within the same state). Employed at this facility are one (1) administrator, two (2) sales employees, and one (1) support employee. This facility also has (10) training rooms. The plan for this branch office will be used for other locations which will be opening in the future in other states and other countries. Each location will have a customer area and a reception area.
The sales employees' (brokers') area will also contain access to the Internet, color printers, fax, telephones, and a copy machine which has the ability to print, scan and email.

Physical
• Interconnectivity between all the offices and buildings.
• Need a communication link so that users do not need to physically move or exchange information over the telephone.
• Network needs to be able to expand with larger offices, if needed in the future, and additional satellite locations.

IT Workstations
• All employees have a 486DX66 or Pentium stand-alone PC with Microsoft Office and Windows 3.11 or Windows 95.
• See spreadsheet for specific offices, including total numbers of workstations.
• Brokers (salespersons) will provide their own laptop computers, which will connect to the network.
• In addition to the employee workstations, the client area will provide areas with private meeting rooms or cubicles containing “self-serve kiosks with computers” to be used by clients to access the company’s website and their own personal applications. This area must be private and confidential.
• Videoconferencing for sales staff and administrators.

IT Service nodes
• The sales employees' (brokers') area will also contain color printers, fax, telephones, and a copy machine which has the ability to print, scan and email. May consider incorporating this into the file storage area.
• Employees need access to the LAN, even if offsite.
• Backup capability through the LAN.
• Outside contractor will provide remote IT services through the LAN.

Network WAN-LAN infrastructure
• Current network is a 5-station Lantastic network in the Accounting Department.
• Analyze need for immediate access to all seven locations.
• Modem dial-up for employees when at home.
• Each Training Room needs 4 wall connections to the WAN/intranet.
• Disaster recovery redundancy in each office.
• If one office is down, the client does not want the entire network system down.
Telecomm Infrastructure
• Each facility will use VoIP (Voice over Internet Protocol) technology with the ability to make calls to any telephone service type.
• Each office will be provided with VoIP soft phones.
• Each of the sales staff/brokers will be provided with mobile phones so they may be contacted at any time, which is deemed necessary.

Applications
• All employees have “secure enterprise” email.
• Email to “non-company” locations is necessary.
• All employees share a scheduling application.
• Client information database available to all employees.
• Per memo dated 10/12/05 -- “integrated enterprise information system”. Client database needs to be easy, powerful, and fast.
• Analyze whether the database should be “web-based”.
• Backup system.
• Disaster recovery system.
• All systems need to be easily replicated for expansion offices.

Internet - Website
• Administrators and sales employees need access to the Internet.
• Intranet is a possible future vision.
• Client security is a major concern, since clients will be entering very personal information that needs to be protected.
• Link to latest interest rates.
• Ability to do financial calculations.
• Client mortgage application process; mortgage approvals or denials will be provided electronically.
• Password protection for customers.

Intranet
• Internal security on the LAN is a concern, since the client personal data will be contained in a database application available to employees.
• Client database may be accessible to employees through the LAN, or the WAN if they are offsite.

Security
• Firewall to the Internet is necessary.
• Primary concern regarding security if the proposal suggests a wireless LAN:
  o due to location of facility
  o privacy of data

LAN Management
• LAN will be maintained remotely by a vendor.

Risks and Safeguards

It has been determined that there was no existing network IT documentation for McBride Financial Services within the company internet or intranet.
Current Security Concerns

Analysis has been performed on the current security policies, and the immediate issues that will require attention are discussed here. The first concern is that network documentation is incomplete throughout the organization for all locations. The topology does not show the location of hardware components, specifically the location of routers, switches, servers, and the end-users. There is no node port identification. Even more concerning is the fact that there are no security policies currently existing in any of the locations.

The secondary concern facing McBride Financial Services-Boise is physical security for the employees and facilities. There is no security force or office of personnel to conduct physical security of the locations. As a result, there are no “Key Control Custodians” at any location to maintain positive control of keys for the critical infrastructure locations. Access rosters for all locations are non-existent. Currently there are no security personnel or video surveillance systems in place in these critical infrastructure locations. Furthermore, there are no controls addressing employee access.

System access control is the third security concern. User names and passwords are visible on individual computers, making it easy for anyone to steal passwords, which would allow them to access data on any company computer. There are no set policies for password requirements that identify length, history, and special characters. All system access should have specific user definitions. Upper management has full control of IT resources, and most resources are not restricted. Most important, user and client information is stored locally on individual (client) computers and not on a network server. Protocols are not installed on the server to retrieve the information from the individual PCs, and the server's ability to perform a self backup is currently disabled.
There are no backup or recovery policies in place. Currently, if any single PC or server fails, there will be a loss of information and productivity, and it will cost the company for every hour the machine is non-operational.

Physical Security Concerns

Physical security policies will help to create effective building and personnel security. Physical security will be outsourced to a third-party vendor. Key assignment will be replaced by RFID (Radio Frequency Identification) readers and pass codes for all secure locations. RFID badges will become mandatory and will include the individual's department, name and picture. Human resources will be trained and given responsibility for maintaining the personnel access list and for the issue and recovery of ID badges. At each site a security system will be installed that includes burglary, fire and video surveillance. The security system will be monitored by an offsite agent and by the security personnel. Security plans will comply with all federal, state and local regulations. Learning Team B recommends all computer equipment be mounted to minimize theft of equipment. Only authorized personnel will have access to specific company spaces, according to the security level they need to perform their job. All visitors and guests must check in at security and be issued a visitor's badge.

System Access Control Policies

System access control policies will be created and implemented. McBride Financial Services-Boise IT staff will be responsible for assigning employee usernames/logins and temporary passwords. Passwords will include two or more of the following: one special character, one number and one capitalized letter. Users will receive an email notification 30 days before their password expires. Passwords will expire after 90 days. Users will not be able to use the last 20 expired passwords. The IT department will assign user-level access and regulate resource access according to job description or necessity.
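The password rules stated above (two of three character classes, 90-day expiry, notice 30 days before expiry, no reuse of the last 20 passwords), as an added example that is not part of the original essay. The `Account` class, the function names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
from collections import deque
from datetime import timedelta

# Values from the policy text above; ITERATIONS is an assumption, not from the page.
MAX_AGE = timedelta(days=90)   # passwords expire after 90 days
NOTICE = timedelta(days=30)    # notify 30 days before expiry
HISTORY = 20                   # last 20 passwords cannot be reused
ITERATIONS = 600_000           # assumed PBKDF2-HMAC-SHA256 work factor

def char_classes(pw):
    """Count how many of the three listed character classes appear."""
    return sum([any(c in string.punctuation for c in pw),
                any(c.isdigit() for c in pw),
                any(c.isupper() for c in pw)])

def _digest(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

class Account:
    def __init__(self):
        # Store (salt, hash) pairs only; the deque drops entries older than 20.
        self.history = deque(maxlen=HISTORY)
        self.changed_on = None

    def reused(self, pw):
        return any(hmac.compare_digest(_digest(pw, salt), h)
                   for salt, h in self.history)

    def set_password(self, pw, today):
        if char_classes(pw) < 2:      # "two or more of the following"
            return "rejected: complexity"
        if self.reused(pw):
            return "rejected: history"
        salt = os.urandom(16)
        self.history.append((salt, _digest(pw, salt)))
        self.changed_on = today
        return "accepted"

    def status(self, today):
        """Return 'ok', 'notify' (inside the 30-day window) or 'expired'."""
        expires = self.changed_on + MAX_AGE
        if today >= expires:
            return "expired"
        return "notify" if today >= expires - NOTICE else "ok"
```

Keeping salted hashes in the history, rather than the old passwords themselves, means the reuse check does not create a second store of recoverable credentials.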
A roving profile will be implemented so employees can move from computer to computer. User accounts will be automatically locked after 30 minutes of inactivity on any particular workstation.

LAN Administration Recommendations

McBride Financial Services-Boise IT department will be responsible for all LAN administration. They will monitor all network traffic on the LAN to minimize network congestion. The IT staff will disable all inactive ports to prevent anyone from connecting unauthorized computers to the LAN. They will also maintain all servers, routers, and all other network devices to ensure they are secure from unauthorized access. The IT staff will be responsible for implementing and maintaining redundancy plans for servers and network devices at each site. All data will be stored on servers, and backups will be performed daily. Backups will be tested monthly to ensure the backups are successful. An offsite location will keep a secondary copy of the backed-up data. The offsite backup will be stored by a third-party data storage facility. The IT department will be responsible for updating and implementing any changes to the security policies as needed. The IT staff will maximize audit log usage and confirm continuous backups are being performed. The IT department will create floor plans with all the network node equipment locations. A component diagram will provide detailed locations of all clients, routers, servers and switches. The IT department will be responsible for updating documentation as necessary.

LAN Network Recommendations

Learning Team B recommends that McBride Financial Services-Boise upgrade the Boise location with the following hardware and software:
• Core multi-layer switches: Multilayer switching is simply the combination of traditional Layer 2 switching with Layer 3 protocol routing in a single product, usually through a fast hardware implementation. In fact, it is this hardware that has enabled the recent development and success of the multilayer switch.
New higher-density ASICs (Application-Specific Integrated Circuits) allow real-time switching and forwarding with wire-speed performance, and at lower cost than traditional software-based routers built around general-purpose CPUs (ANRITSU COMPANY SALES & SUPPORT, 2006).
• The firewall will be configured with access lists, which will provide added security. This state information is used to create temporary openings in the firewall's access lists. This is done by configuring IP inspect lists in the direction of the flow of traffic initiation to allow return traffic and additional data connections for permissible sessions (sessions that originated from within the protected internal network). (Cisco Systems, 2006)
• The backbone entry point to the internet is a backbone entry point proxy that can serve all clients from all POPs and enterprise networks that connect to the backbone at the corresponding backbone node. Although this proxy is farther away from...
