Scope of Work

We will begin by devising a table that lists the top security threats found. These threats will then be summarized. Once the top threats have been identified and summarized, we will focus on how to solve these issues. These security considerations will include the mitigation of risks through several key points, including the following:

* Hardware - all current hardware will be reviewed, including servers, firewalls and routers, and suggestions for replacements or upgrades will be outlined if needed.
* Disaster Recovery - suggestions on what needs to be done in case of a failure.
* Software - this will include suggestions for anti-virus software.
* Policy - this section will include suggested policies that should be implemented.
* Training - included here will be suggested training methods so employees will not only be aware of security threats, but will also know how to avoid them.

Also included will be IT audit elements that outline how best to audit IT to be sure tasks are being completed correctly and in a timely manner. Recommendations will then be made based on our findings, including a price quote for said recommendations.
Top Threat Table

| Area of System | Threat | Potential Vulnerability |
| --- | --- | --- |
| Data Storage | Hacking, unauthorized access | Organization and customer information compromised |
| User terminal | Social engineering, shoulder surfing | Seeing a user's access information; getting a user to unknowingly give away their access information |
| Server | Hacking, malware, viruses, Trojan horses | Disrupted system operations, backdoor access, keystroke recording |
| Web site | Hacking, viruses, unauthorized access | Information being accessed; unknowingly installing viruses and Trojan horses |
Policies

Staff accountability: Have set security roles and responsibilities for all users, staff, and management. Creating accountability in these employee categories will help Kudler understand and manage expectations and will provide a firm foundation for enforcing all other policies and procedures. In addition, Kudler should define classes of data including but not limited to internal, external, general, and confidential. With the data classified, Kudler can then make further stipulations as to which types of employees are responsible for, and allowed to modify or distribute, each class of data.

Network service policies: Kudler should generate policies for secure remote access, IP address management and configuration, router and switch security procedures, and access list stipulations. Kudler also needs to decide which staff need to review which change procedures before they are implemented.

System policies: Kudler will need to define the host security configuration for all critical operating systems and servers. Which services should be running on which networks, account management policies, password management policies, messaging, database, anti-virus, host-based intrusion detection, and firewall policies should all be considered.

Physical security: All physical security, including access, needs to be considered. This includes how buildings are secured, including access to all buildings, whether by key card, password locks, or security sign-in. The placement of internal and external security cameras should also be considered, as should visitor access and accessibility. Finally, inventory rules and regulations for deliveries need to be set.

Incident handling and response: Kudler should have procedures in place in the event of a security breach or incident. Policies such as how to evaluate a security incident, how the incident should be reported, how the