ICTNWK546 Project Portfolio (Word Version) – Student Version
Student Version
ICTNWK546
Manage network security
CONTENTS
Section 1: Security design preparation
Section 2: Security design and policy
Student name: Nilesh Nischal Prasad
Assessor:
Date:
- servers
- CCTV
- firewall
- cabling
- Server racks
- Switch Racks
- ISP routers
- PCs
- UPS
- Software licenses
- Antivirus
- Printers
Building
Managing
Types of Malware
- Trojan horse
SQL Injection
- Install Antivirus software with firewall protection enabled
Attach:
Presentation ☒
Key procedures relevant to maintaining security e.g., identity management, threat management (including incident response procedures) and auditing procedures.
As a guide your policy should be 2 – 3 pages.
Write the name of your
Shop 2
- 2 x Laptops on LAN network
- 1 x Switch
- 1 x 2900 series router
- Cabling
LAN Network Design
SHOP 1
Network Details:
IP Range:
192.168.19.XX
Subnet:
255.255.255.192
Gateway:
192.168.19.1
LAN Network Design
SHOP 1 – Router G0/0 IP Config Details
LAN Network Design
• Shop 1 – Laptop IP Details
LAN Network Design
SHOP 2
Network Details:
IP Range:
192.168.24.XX
Subnet:
255.255.255.0
Gateway:
192.168.24.1
LAN Network Design
SHOP 2 – Router G0/0 IP Config Details
LAN Network Design
• Shop 1 – Laptop IP Details
Shop 1 & 2 Router Connectivity
Network Details:
Shop 1 Router IP
G0/1 – 10.1.0.1
Shop 2 Router IP
G0/1 – 10.1.0.2
Router 1 & 2 IP assignment
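The addressing plan above gives each shop a gateway and mask (Shop 1: 192.168.19.1 / 255.255.255.192, Shop 2: 192.168.24.1 / 255.255.255.0) and a router-to-router link on 10.1.0.1 and 10.1.0.2. The following script is an added example, not part of the portfolio, that derives each LAN's network block, broadcast address and usable host count from those values and runs the consistency checks a reviewer would apply (no overlap between the two LANs, gateways are usable host addresses, the router link sits in its own small subnet). The laptop host addresses are not given on the page ("192.168.19.XX"), and the page does not state a mask for the 10.1.0.x link, so the network addresses are inferred from gateway plus mask and the /30 link mask is an assumption.

```python
import ipaddress

# Gateway and mask per shop, as stated in the LAN design.
SHOPS = {
    "Shop 1": {"gateway": "192.168.19.1", "mask": "255.255.255.192"},
    "Shop 2": {"gateway": "192.168.24.1", "mask": "255.255.255.0"},
}
# Router-to-router link (G0/1 on each router), as stated on the page.
WAN_LINK = {"Shop 1 Router": "10.1.0.1", "Shop 2 Router": "10.1.0.2"}
# The page gives no mask for the link; a /30 point-to-point mask is assumed.
WAN_LINK_MASK = "255.255.255.252"


def describe_subnet(gateway: str, mask: str) -> dict:
    """Derive the network block that contains the gateway for the given mask."""
    net = ipaddress.ip_network(f"{gateway}/{mask}", strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
    }


def in_same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """True when both addresses fall inside the same block for this mask."""
    block = ipaddress.ip_network(f"{addr_a}/{mask}", strict=False)
    return ipaddress.ip_address(addr_b) in block


def check_design(shops: dict, wan: dict) -> list:
    """Sanity checks on the addressing plan. Returns a list of findings;
    an empty list means the plan is internally consistent."""
    findings = []
    nets = {name: ipaddress.ip_network(f"{s['gateway']}/{s['mask']}", strict=False)
            for name, s in shops.items()}
    # 1. Shop LANs must not overlap, or routing between them is ambiguous.
    names = list(nets)
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if nets[names[i]].overlaps(nets[names[j]]):
                findings.append(f"{names[i]} and {names[j]} overlap")
    # 2. Each gateway must be a usable host address, not network or broadcast.
    for name, s in shops.items():
        gw = ipaddress.ip_address(s["gateway"])
        if gw in (nets[name].network_address, nets[name].broadcast_address):
            findings.append(f"{name} gateway {gw} is not a usable host address")
    # 3. The two router link addresses must share one subnet (assumed /30).
    link_ips = list(wan.values())
    if not in_same_subnet(link_ips[0], link_ips[1], WAN_LINK_MASK):
        findings.append("router link addresses are not in one subnet")
    # 4. The link subnet must not collide with either LAN.
    link_net = ipaddress.ip_network(f"{link_ips[0]}/{WAN_LINK_MASK}", strict=False)
    for name, net in nets.items():
        if net.overlaps(link_net):
            findings.append(f"router link overlaps {name}")
    return findings


if __name__ == "__main__":
    for name, s in SHOPS.items():
        print(name, describe_subnet(s["gateway"], s["mask"]))
    print("findings:", check_design(SHOPS, WAN_LINK))
```

With the page's values, Shop 1 resolves to 192.168.19.0/26 (62 usable hosts, broadcast .63) and Shop 2 to 192.168.24.0/24 (254 usable hosts); a Shop 1 laptop numbered above .62 would be outside the gateway's block and unable to reach it, which is the kind of mistake the `in_same_subnet` check catches.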
LAN Network Final Design
Ping From Shop 1 Laptop to Shop 2 Laptop
RIP Routing Setup
• Shop 1 Router
RIP Router Setup – Shop 2
Simulation Result
Simulation Result 1
Simulation Result 3
Simulation Result 4
LAN Network – Setup Firewall Rules
LAPTOP 0 Able to Ping Laptop 1
Setting up Firewall – Deny Ping Services Between PC 0 and PC 1
Allow to view IP address
Firewall Successful – Ping from Laptop 0 to Laptop 1 Failed – Inbound rule is active
Simulation Result
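The firewall test above adds an inbound rule on one laptop that denies ping from the other while leaving everything else (such as viewing the IP address) untouched. The script below is an added example, not part of the portfolio or the simulator used, that models that rule set as a first-match packet filter and evaluates sample packets against it, so the effect of a narrow deny rule (and of the default action when nothing matches) can be seen without the simulator. The two laptop addresses are constructed, since the page only gives the ranges 192.168.19.XX and 192.168.24.XX.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addresses inside the page's two ranges.
LAPTOP0 = "192.168.19.10"   # Shop 1 laptop (constructed)
LAPTOP1 = "192.168.24.10"   # Shop 2 laptop (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    dport: int = 0      # destination port; 0 for ICMP
    icmp_type: int = 0  # 8 = echo request (ping), 0 = echo reply


@dataclass(frozen=True)
class Rule:
    action: str                   # "deny" or "allow"
    proto: str                    # protocol name or "any"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    icmp_type: Optional[int] = None  # restrict an ICMP rule to one type; None = all


def _match_addr(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return _match_addr(rule.src, pkt.src) and _match_addr(rule.dst, pkt.dst)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """First-match evaluation: the first rule that matches decides; if no rule
    matches, the default action applies. Host firewalls typically default to
    allow for outbound and deny for unsolicited inbound; it is a parameter here
    so both behaviours can be tried."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Inbound rule set on Laptop 1: drop echo requests coming from Laptop 0 only.
# This is the effect of the "deny ping" inbound rule in the test above.
INBOUND_RULES_LAPTOP1 = [
    Rule("deny", "icmp", f"{LAPTOP0}/32", f"{LAPTOP1}/32", icmp_type=8),
]


def ping_allowed(src: str, dst: str, rules: List[Rule]) -> bool:
    """Does an ICMP echo request from src pass the inbound rules on dst?"""
    return evaluate(rules, Packet(src, dst, "icmp", icmp_type=8)) == "allow"


def tcp_allowed(src: str, dst: str, dport: int, rules: List[Rule]) -> bool:
    """Does a TCP packet to the given port pass the inbound rules on dst?"""
    return evaluate(rules, Packet(src, dst, "tcp", dport=dport)) == "allow"


if __name__ == "__main__":
    print("Laptop 0 -> Laptop 1 ping:", ping_allowed(LAPTOP0, LAPTOP1, INBOUND_RULES_LAPTOP1))
    print("Laptop 1 -> Laptop 0 ping (no rule on Laptop 0):", ping_allowed(LAPTOP1, LAPTOP0, []))
    print("Laptop 0 -> Laptop 1 tcp/445:", tcp_allowed(LAPTOP0, LAPTOP1, 445, INBOUND_RULES_LAPTOP1))
```

Two things the evaluation makes visible: the /32 source in the rule blocks exactly one host, so any other Shop 1 address still pings Laptop 1 (a subnet-wide block needs the /26 as the source), and because the rule matches only echo requests, a reply-only or TCP flow from Laptop 0 is unaffected.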
IT RISK Register
Risk 1
Category: Security Risk
Name: SQL Injection
Probability: High
Impact: High
Mitigation: Check the SQL logs and fix the vulnerabilities; review database permission and access level.
Contingency: Ensure SQL software is fully updated with the latest patch; use a Web application firewall.
Risk Score after Mitigation: 10-20%
Action by: Database Administrator
Action When: 02/08/2023
Risk 2
Category: Strategic Risk
Name: No Incident Response Plan
Probability: High
Impact: High
Mitigation: Network is completely down; manual operations activated.
Contingency: Prepare Incident Response Plan; train users on downtime procedure; print downtime reports from ICT Manager software.
Risk Score after Mitigation: 50%
Action by: Systems Administrator
Action When: 02/08/2023
IT SECURITY POLICY
The Information Security Policy is designed to protect and preserve the appropriate confidentiality,
integrity, and availability of information and information systems owned by or in the care of the
Company and its subsidiaries, affiliates, and service providers. This Policy identifies and describes
the principles required to protect company information and company information assets globally,
using industry best practices with a risk-based and business-aware approach.
POLICY STATEMENT
Protecting Company information assets is critical to the reputation, operation, and financial well-being of
the organization. Security controls must be in place to protect company information assets, and the business
processes they support, against accidental or intentional unauthorized use, disclosure, transfer,
modification, or destruction. These security controls must meet legislative, regulatory, and compliance
requirements and support the Company's Vision, Mission, and Values.
Deviations discovered in risk assessments, internal or external audits, or security compliance reviews must be
remediated with timeliness directly proportionate to the risk involved.
The Company must create and maintain a formal Information Security Program that:
• Provides for the confidentiality, integrity, and availability of information assets;
• Protects against anticipated threats or hazards to information assets;
• Protects against unauthorized access to, or use of, information assets;
• Posts the Information Security Policy on the Company Intranet web site, consistent with other Company
policies;
• Disseminates the Information Security Policy, as appropriate, to relevant personnel (e.g., vendors,
business partners);
• Provides awareness training on the Information Security Policy for all new, existing, and temporary Team
Members with access to protected information. All Team Members will receive training upon hire and at
least once annually;
• Ensures the Information Security Policy is reviewed and updated as necessary at least once annually or
as changes to business practices, technologies, or risks occur; and
• Ensures the Information Security Program is reviewed and updated as necessary at least once annually;
• Monitors and enforces compliance with the policy.
B: Prohibited Activities
Company Team Members must not engage in any activity that is unlawful under local, state, federal, or
international law while utilizing Company-owned resources.
The following activities are considered by the Company, at a minimum, to be categorized as unacceptable use
and are strictly prohibited:
• Introducing or downloading malicious programs onto Company technology resources (e.g., viruses, worms,
Trojan Horses, email bombs, malware);
• Using Company technology resources to advertise or sell products, items, or services for personal gain;
• Breaching or disrupting network communications. Security breaches and disruptions include, but are not
limited to:
• Knowingly accessing information for which the user is not an intended recipient;
• Logging into a server or account that the user is not expressly authorized to access;
• Generating excessive network traffic or causing any type of denial-of-service condition;
• Performing network reconnaissance and analysis activities without authorization (e.g., network sniffing); and
• Introducing malformed or malicious network traffic (e.g., ping floods, packet smooth, forging routing
information);
• Network monitoring, port scanning, or security/vulnerability scanning, including the ‘testing’ of security
tools on any Company resources without authorization;
• Circumventing user authentication or Company information security controls;
• Installing or circumventing software with the direct or indirect result of avoiding information security
services and restrictions at Company;
• Providing confidential information about or lists of Company guests, clients, service providers, or
The following activities are strictly prohibited when using Company information technology resources:
• Using Company equipment and / or networks for non-business-related activities during working times,
with the exception of incidental and occasional personal messages or Internet usage.
• Transmitting or accessing by email or other form of electronic communication any material that is
profane, obscene, sexually explicit, or offensive
based on any protected characteristic (e.g., sexual comments or images, racial or ethnic slurs, comments
that may be offensive on the basis of an individual’s age, religious or political belief, sex, disability, or any
other status protected by law) or any other such conduct that may violate the law.
• Knowingly downloading or opening attachments from untrusted, non-Company resources that may contain
viruses and/or malicious programs;
• Unauthorized use or forging of email header information;
• Creating or forwarding chain letters or pyramid schemes of any type;
• Use of unsolicited email originating from within Company networks or other Internet, intranet, or extranet
service providers on behalf of, or to advertise, any service hosted by the Company or connected via the
Company network.
D: ACCESS MANAGEMENT
A. Approvals
• All access must be approved, in writing or an equivalent electronic form, by an authorized approver prior to
access being granted to a system or information. This approval must be in a form that specifies the user’s
required privileges.
• Access approval documentation must be retained by User Account Administrators.
B. Reviews
• Access to systems and data must be reviewed at least once annually, unless increased frequency is
required to meet legal, regulatory, or compliance standards applicable to the Company (e.g., PCI DSS,
Sarbanes-Oxley).
• Review documentation must be retained for a minimum of one year.
C. User Accounts
• User accounts must be unique and assigned to a specific individual.
• Generic or shared user accounts must not be created or used.
• User accounts granted system-level access must not bypass the required logging and audit trails (e.g.,
requiring Unix root-level access to occur through use of the “su” command);
• User accounts granted system administration privileges must only be used for administration purposes.
Accounts granted administrative-level access privileges must not be used for general use (e.g., reading email,
Internet browsing).
• User accounts temporarily assigned to vendors for maintenance purposes must only be activated as needed
and be disabled when not in use.
• System and service account passwords must be changed from vendor defaults and are subject to the
Access Management Standard.
• User accounts granted to contractors, consultants, and/or temporary employees must automatically expire
after a period of time as defined in the Access Management Standard. Reactivation of the account must be
approved.
D. Access Requests
• Access must be requested using the principle of least privilege, whereby users are assigned only those
permissions consistent with their job title, classification, or function. Permissions are not to be granted
functionality based on a “copy” of another user account with similar job responsibilities.
E. Access Assignments
Access assignment is performed by and the responsibility of Information Technology or an authorized service
provider.
• Permissions must be assigned using a Role-Based Access Control (RBAC) model that implements the
principle of least privilege, whereby users are assigned only those permissions consistent with
their job title, classification, or function. Permissions are not to be granted functionality based on a “copy” of
another user account with similar job responsibilities.
F. Access Removals
• Human Resources must immediately notify User Account Administrators responsible for physical access
and logical access of job terminations and job transfers.
• Physical access and logical access to each system, application, or database must be disabled immediately
following a job termination or job transfer notification.
G. Authentication and Passwords
Authentication and Password systems are implemented by and the responsibility of Information Technology or
an authorized service provider. Any other authentication or password systems used in the Company
environment must be pre-approved by Information Technology and compliant with the Information Security Policy.
• Access control systems must require both a user account as well as at least one other method to
authenticate the user (e.g., password, token).
• Passwords must be securely delivered to any user and kept secured at all times.
• Passwords must change upon initial logon, system permitting, by the user and subsequently changed every
90 days.
• After six unsuccessful password attempts, the device (not including mobile phones or tablets) must be made
unavailable to the user via account locking, keyboard locking, and/or screen blanking for at least 30 minutes or
until an administrator unlocks the user’s account.
• After ten unsuccessful password attempts, iPhone, iPad, and Android devices will be disabled.
• Sharing of passwords to individual user accounts is prohibited.
• Passwords must comply with the following rules and contain:
  • a minimum of seven characters;
  • alpha-numeric characters;
  • a minimum of one special character (e.g., !, #, $, %) (system permitting); and
  • upper and lower case letters (system permitting).
• Passwords for mobile phones and tablets must comply with the following rules and contain:
  • a minimum of five characters.
• Passwords must not:
  • repeat any of the four most recently used passwords;
  • use standalone words from a dictionary, the movies, or geographical locations;
  • use month, day, year combinations (e.g., Jan07, 07Jan13, Jan2013); and
  • contain proper names (e.g., oneself, family, friends, colleagues, vendors).
• A user’s identity must be positively verified before a request to reset the user’s password is performed.
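The password and lockout rules in the Authentication and Passwords section are concrete enough to be checked mechanically. The code below is an added example, not part of the portfolio's policy, that encodes those rules as a validator (length, character classes, the four-password history, dictionary words, month/day/year combinations and proper names) and the six-attempt / 30-minute lockout as a small tracker. The dictionary and name lists are constructed stand-ins for the full lists a real deployment would load, and the special-character set is an assumption based on the policy's examples.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed word lists standing in for the policy's dictionary / proper-name
# checks; a real deployment would load full lists.
DICTIONARY_WORDS = {"password", "welcome", "summer", "sydney", "paris"}
PROPER_NAMES = {"nilesh", "john", "mary", "acme"}
SPECIALS = set("!#$%&*@^()_-+=?")  # assumed set, based on the policy's examples
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Matches the Jan07, 07Jan13 and Jan2013 shapes the policy forbids.
DATE_COMBO = re.compile(rf"^(\d{{1,4}})?({MONTHS})(\d{{2,4}})?$", re.IGNORECASE)


def check_password(candidate: str, history: List[str], mobile: bool = False) -> List[str]:
    """Return the policy rules the candidate violates; an empty list means accepted.
    history is oldest-first; only the four most recent entries are compared."""
    problems = []
    minimum = 5 if mobile else 7
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not mobile:  # complexity rules apply to non-mobile passwords
        if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
            problems.append("must mix letters and digits")
        if not any(c in SPECIALS for c in candidate):
            problems.append("needs at least one special character")
        if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
            problems.append("needs upper and lower case letters")
    if candidate in history[-4:]:
        problems.append("repeats one of the four most recent passwords")
    lowered = candidate.lower()
    if lowered in DICTIONARY_WORDS:
        problems.append("standalone dictionary word")
    if DATE_COMBO.match(candidate):
        problems.append("month/day/year combination")
    if any(name in lowered for name in PROPER_NAMES):
        problems.append("contains a proper name")
    return problems


class LockoutTracker:
    """Policy: after six unsuccessful attempts the account is locked for at
    least 30 minutes or until an administrator unlocks it."""

    def __init__(self, max_attempts: int = 6, lock_minutes: int = 30):
        self.max_attempts = max_attempts
        self.lock_for = timedelta(minutes=lock_minutes)
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Register a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lock_for
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def admin_unlock(self, user: str) -> None:
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


if __name__ == "__main__":
    print(check_password("Jan2013", []))
    print(check_password("Sydney2024!", ["Old#Pass1"]))
    tracker = LockoutTracker()
    start = datetime(2023, 8, 2, 9, 0)
    for _ in range(6):
        locked = tracker.record_failure("alice", start)
    print("locked after six failures:", locked)
```

Note the order of checks: the history comparison looks only at the last four entries, so a password older than that is allowed again, exactly as the policy words it; if a longer memory is wanted the policy text, not just the code, needs changing.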
BACKUP AND RESTORATION
B. Restoration
Restoration of protected information must
be tested semi-annually to ensure the
information is recoverable and complete in
the event of an information loss.
CHANGE MANAGEMENT
A. Internal Audits
Internal audits must be performed on a periodic basis to assess compliance with security policies and standards. Internal audits must be performed on, but are not limited to, the following areas: Information Security, Access Management, Change Management, Configuration Management, Vulnerability Management, and Physical Security.
F. Human Resources
• A formal security awareness training program must be implemented. Information Security & Compliance is responsible for managing an annual security awareness program.
• Users of Company resources must validate upon hire and at least once annually that they have taken the security awareness training.
• Users of Company resources must acknowledge at least once annually that they have read and understand the Information Security Policy.
DEVICE MANAGEMENT
A. Inventory
Information Technology or an authorized service provider is responsible for managing a device inventory.
• The Company must maintain an inventory of Company devices authorized for work use on the Company’s network. The inventory shall include descriptive characteristics that enable the device to be uniquely identified.
• The Company must maintain lists of devices and related technologies, as well as associated authorization, location, and product lists as required by specific compliance requirements (e.g., PCI DSS, Sarbanes-Oxley).
• Inventory and security audits of company devices must be performed at least once annually and documented.
• Inventory of systems and applications that store protected information must be maintained.
B. Physical Security
• All devices must be secured at all times from unauthorized access.
• Information users must protect laptops, mobile devices, and removable media that store, process, or transmit Company information from unauthorized access. Physical security measures must, at a minimum, include the following:
  • Devices must not be left unattended without employing adequate safeguards (e.g., cable locks, restricted access environments, lockable cabinets);
  • When possible, devices must remain under visual control while traveling. If visual control cannot be maintained, then necessary safeguards must be employed to protect the device; and
  • Safeguards must be taken to avoid unauthorized viewing of protected information in public or common areas.
• Information technology administrators must protect Company servers and network devices that store, process, or transmit Company information from unauthorized access. Physical security measures must meet minimum standards based on location type.
• Devices must have physical (e.g., asset tag with bar code) or logical (e.g., hostname) identifiers that enable correlation of a device to its owner / primary contact and purpose.
C. Anti-Virus Protection
Information Technology or an authorized service provider is responsible for managing the anti-virus systems.
• Up-to-date anti-virus software must be installed on all Company or personal devices that store, process, or transmit Company information and that are commonly affected by malicious software, and configured according to the Anti-Virus Standard. Information Technology or an authorized service provider is responsible for implementing anti-virus software on devices.
• Anti-virus software log generation must be enabled and logs must be retained.
• Anti-virus software must not be disabled on any device without prior authorization from Information Security & Compliance.
D. Configuration Standards
• All Company or personal devices that store Company information must meet Company Configuration Standards as well as any laws, regulations, and compliance standards applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley). Information Technology is responsible for defining and maintaining Company configuration standards.
• Users must never disable or alter standard configurations, security services, devices, or software.
E. Disposal
• Company or personal devices that store Company information must be properly disposed of to ensure that no Company information remains on the device (e.g., degaussing, physical destruction). See the Equipment Disposal & Decommissioning Standard.
F. Inactivity
• Users must lock or log off all devices whenever a system is left unattended.
• Company and personal portable computing devices, desktops, and workstations must have a secure inactivity timeout function enabled and set to 15 minutes or less.
G. Lost or Stolen
• Users must immediately report any lost or stolen devices, suspected or confirmed, to:
  • Direct Supervisor or Manager
• A standard tracking and recovery tool must be installed on laptops. Information Technology or an authorized service provider is responsible for installation.
• Users must never disable the standard tracking and recovery tool.
• Mobile phone and tablet configurations must allow remote wipes and disabling.
H. Vendor Management
• Vendors and service providers who maintain devices that store, process, or transmit Company information must adhere to Sections A through G
INCIDENT RESPONSE
A. Incident Reporting
• All suspected, potential, and actual information security incidents must be reported immediately to Company Management. Information security incidents include, but are not limited to:
  • Unauthorized access to electronic systems owned or operated by or for the Company;
  • Malicious alteration or destruction of data, information, or communications;
  • Unauthorized interception or monitoring of communications; and
  • Any deliberate and unauthorized destruction or damage of IT resources.
• Information Security & Compliance must notify the appropriate entities according to the guidelines in the Incident Response Plan.
NETWORK
B. Wireless
• Wireless access points must be architected, installed, and maintained by the
Company as defined in the Wireless Standard.
• Wireless access points cannot be placed on the Company network or installed in a
Company facility without prior explicit written approval from management.
• Wireless environments must conform to compliance standards applicable to the
Company (e.g., PCI DSS, Sarbanes-Oxley) as outlined in the Wireless Standard.
• Wireless environments and technologies must be tested and deemed acceptable
before being installed and used.
• Wireless networks must require authentication for connectivity.
• Wireless network activity must be logged.
• Scanning must be conducted twice per calendar year to identify unauthorized wireless
access points, unless more frequent scanning is required to meet legal, regulatory, or
compliance requirements applicable to the Company (e.g., PCI DSS, Sarbanes-Oxley).
• An inventory identifying and describing all wireless technologies in use and the
security measures in place must be maintained.
• Current network diagrams and cardholder data flows must include wireless networks
and must be maintained.
• Perimeter firewalls must be installed between any wireless networks and the
cardholder data environment. These firewalls must be configured to deny or control
(if such traffic is necessary for business purposes) any traffic from the wireless
environment into the cardholder data environment.
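The wireless rules above require both an inventory of authorised wireless technologies and a twice-yearly scan for unauthorised access points; the practical step that links them is comparing what a survey sees against the inventory. The script below is an added example, not part of the portfolio's policy, that does that comparison on constructed data: authorised BSSIDs are matched, an unknown BSSID broadcasting a Company SSID is flagged separately (it could impersonate the Company network), other unrecognised APs are listed for follow-up, and inventory entries that were not observed are reported as missing. The inventory, SSID name and scan records are all constructed.

```python
from typing import Dict, List, Set

# Constructed inventory of authorised access points (BSSID -> details),
# standing in for the wireless inventory the policy requires.
AUTHORISED_APS = {
    "aa:bb:cc:00:00:01": {"ssid": "CompanyWiFi", "location": "Shop 1"},
    "aa:bb:cc:00:00:02": {"ssid": "CompanyWiFi", "location": "Shop 2"},
}
COMPANY_SSIDS = {"CompanyWiFi"}  # constructed SSID name

# Constructed scan results, in the shape a site-survey export might have.
SCAN_RESULTS = [
    {"bssid": "AA:BB:CC:00:00:01", "ssid": "CompanyWiFi", "signal_dbm": -45},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "CompanyWiFi", "signal_dbm": -70},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "CompanyWiFi", "signal_dbm": -40},  # not in inventory
    {"bssid": "11:22:33:44:55:66", "ssid": "NeighbourCafe", "signal_dbm": -80},
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "Shop2-Printer", "signal_dbm": -50},
]


def classify_scan(scan: List[dict], authorised: Dict[str, dict],
                  company_ssids: Set[str]) -> Dict[str, List[dict]]:
    """Sort scanned APs into four buckets:
    authorised  - BSSID is in the inventory
    ssid_spoof  - BSSID unknown but it broadcasts a Company SSID
    unknown     - anything else not in the inventory
    missing     - inventory entries that were not observed at all"""
    seen = set()
    result = {"authorised": [], "ssid_spoof": [], "unknown": [], "missing": []}
    for ap in scan:
        bssid = ap["bssid"].lower()  # normalise case before comparing
        seen.add(bssid)
        if bssid in authorised:
            result["authorised"].append(ap)
        elif ap["ssid"] in company_ssids:
            result["ssid_spoof"].append(ap)
        else:
            result["unknown"].append(ap)
    for bssid, info in authorised.items():
        if bssid not in seen:
            result["missing"].append({"bssid": bssid, **info})
    return result


def followup_list(report: Dict[str, List[dict]]) -> List[str]:
    """BSSIDs that need investigation, strongest signal first so the APs most
    likely to be on the premises are looked at before distant neighbours."""
    candidates = report["ssid_spoof"] + report["unknown"]
    candidates.sort(key=lambda ap: ap["signal_dbm"], reverse=True)
    return [ap["bssid"].lower() for ap in candidates]


if __name__ == "__main__":
    report = classify_scan(SCAN_RESULTS, AUTHORISED_APS, COMPANY_SSIDS)
    for bucket, aps in report.items():
        print(bucket, [ap["bssid"] for ap in aps])
    print("follow up:", followup_list(report))
```

An unrecognised AP with a weak signal may simply belong to a neighbour, so the "unknown" bucket is a list to confirm, not a finding by itself; the "ssid_spoof" bucket is the one that warrants immediate attention, and the "missing" bucket usually means an inventory record is stale or an AP is offline.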
Student Name:
Student ID: