Keeping Information Technology Safe Essay


… Installation The author of this report has been presented with a hypothetical situation at ZXY Corporation where a new building has been procured. This building will be the site of the new information technology (IT) and other infrastructures. However, the current setup is very raw and unfinished and this obviously needs to change. The facets of the information technology setup that will be addressed in this report will include a plan to provide secure access for all users, a viable password policy in terms of complexity and other important factors, a cryptography method to ensure that vital data is encrypted, a remote access plan to ensure that remote access to the network is done in a viable, functional and secure way, and a thorough plan to protect the network from malware and various other types of malicious attacks such as phishing, social engineering and so forth. While the overall facets of an information technology security plan are not hard to rattle off, implementing them and doing that well can indeed be a bit of a struggle.

Background

In looking at the facts presented thus far, there are a few questions and concerns that immediately pop up. There is the presence of a local area network (LAN) but the ability and rating of that LAN is not mentioned. Everything is being shared with everyone, so that obviously needs to change from the word go. Indeed, everything is basically set to the defaults provided by the relevant operating systems and other infrastructures in place. The author will presume that Windows is the primary environment for workstations. Given the basic parameters above, the author of this report will offer a step-by-step plan that addresses the different points, both explicitly mentioned and not explicitly mentioned, in the parameters of the assignment. There are some glaring things that need to be addressed, and there are also some best practices that will be applied along the way. There is indeed a good way to go about this but it needs to be done in the right way. The explicitly mentioned items will be covered first and the subtler and less obvious matters will be covered after that.

The Plan

As for secure access control, the users of this new network will be required to use their Windows password to enter their workstations when starting the day. This password will also serve as the network/intranet password for the company. Absolutely no one will be allowed access to the secure LAN without keying such a password.

The password policy of ZXY Corporation will be fairly straightforward but will have important points. Minimum password length will be eight characters. People must use an upper case letter, a lower case letter, a number and a symbol. For example, Fishbowl22! would work but dropping the capital F, the two 2's or the exclamation point would not work. Using any part of one's legal name will not be allowed. Using any prior-used password will not be allowed. Passwords will have to be changed at least once every thirty days. If someone loses their password, they will have to get with information technology and a specific procedure to do that will be put in place.
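The policy above can be expressed as a single check run whenever a password is set. The following is an added example, not part of the original essay; the function names are hypothetical, and it assumes that "part of one's legal name" means any name token of three or more letters and that earlier passwords are kept only as salted PBKDF2 hashes.

```python
import hashlib
import hmac
import os
import re
from datetime import timedelta

MIN_LENGTH = 8                  # from the policy above
MAX_AGE = timedelta(days=30)    # from the policy above
PBKDF2_ROUNDS = 200_000         # assumption: iteration count chosen for this example
REQUIRED = {
    "upper case letter": r"[A-Z]",
    "lower case letter": r"[a-z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

def hash_password(password, salt=None):
    """Return (salt, digest) so the history holds salted hashes, never plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def policy_violations(password, legal_name, history):
    """List each rule that `password` breaks; `history` holds (salt, digest) pairs."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for label, pattern in REQUIRED.items():
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    # Assumption: a "part" of the name is any name token of 3+ letters,
    # matched case-insensitively; the essay does not define it further.
    for token in re.findall(r"[a-z]{3,}", legal_name.lower()):
        if token in password.lower():
            problems.append("contains part of legal name")
            break
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("previously used")
            break
    return problems

def is_expired(last_changed, now):
    """True once the password is older than the 30-day maximum age."""
    return now - last_changed > MAX_AGE
```
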

Encryption and cryptography will come in two major forms, those being wireless and the hard drives themselves. So that wireless transfers (i.e. at the office) are secure, there will be use of the WPA2 encryption. It is the current "gold standard" for wireless encryption and it has not been cracked. On the other hand, the very obsolete WEP encryption will not be enabled or allowed on any workstations. As proven by (and before) the TJX information hack, that cypher has been compromised. Unsecured wireless traffic will never be allowed unless the user is on the VPN. In that case, the traffic will still be encrypted but any reputable employee of the company should have a WPA or WPA2 router in their home if that is where they are at. However, other locations like Wi-Fi hotspots and the like are usually unsecure. Of course, the use of such spots would (and should) be fleeting (Ou, 2007).

The other part of the encryption and cryptography is the use of hard drive-level encryption to secure the data on the machines. While most if not all important and vital data should NOT be stored on the local hard drive, there will be at least some in the form of the Microsoft Outlook PST files and other minor exceptions....

...

Regardless, the contents of the hard drive will be encrypted using Sophos or something else along those lines. This is necessary in case someone's laptop is stolen. Basically, it leaves any thief with the option to reformat (and wipe) the hard drive and that is about it. Without a valid Windows password, the data on the drive will not be accessible.

As was already touched on briefly, the secure access for the company's network will be facilitated through what is called a virtual private network. Whether it be due to field work or work from home, a virtual private network allows a group of people to mutually access a network even if all of the people involved are not in the same physical space or group of spaces. The technology, often referred to as a VPN, will be created in a form that is proprietary to the company and shared with nobody. Only people logged into the VPN will be able to access the company network unless they are on company property and plugged into the LAN or attached via the aforementioned WPA2 wireless setup.

As far as protecting the network from malware and such, a number of things will be employed. A strong and established antivirus and malware detector such as McAfee or Norton will be put in place. Beyond that, the employees of the firm will be thoroughly trained on how to recognize obvious or at least potential phishing attacks. Indeed, teaching the people to mouse over links before clicking them, to check the sender of the email and verify that the sender is known, and so forth will all be completed. No matter what firewalls and software options are present, no network will be as secure as it could or should be if the people operating within that network are oblivious to how they can be manipulated and otherwise fooled by a phishing attack. Similarly, there will be a system put in place so that contacts of the company (e.g. vendors, clients, etc.) cannot be easily impersonated. This will be done through passwords, verifying the identity of a caller and so forth.

The workstations will not be allowed to be left unsecured when someone stops using their workstation or steps away from the same. If a computer is idle for five to ten minutes (perhaps fifteen), the computer will automatically lock and the credentials of the user (or admin, as needed) will have to be presented for the workstation to be unlocked. This will make it much harder for another person in the office to just jump on and access or do things on that other workstation. It will be made clear to all employees that only authorized people (e.g. managers, IT support, etc.) are ever allowed to touch a computer that is logged in with someone else's credentials.

In keeping with the laptop security importance alluded to in the cryptography section, it will be made clear to everyone that leaving laptops and other equipment in vehicles (especially in clear view) is absolutely forbidden. Each person's laptop should be on their person at all times or secured in their homes or hotel. They should be left absolutely nowhere else. If a person goes out to dinner and they have their laptop with them, they should take it into the restaurant with them and secure it with them. Optimally, that will not occur in most instances and this can easily be avoided with a little planning and forethought.

The file and folder structure mentioned in the parameters has to go. The major thing that will be established is a two-sided domain: on one side there is the public-facing and unrestricted information for the general public (e.g. the company website), and on the other there is the company intranet and information that can only be accessed with the prior credentials from a company employee, authorized vendor or someone else like that.

The internal access mentioned where everyone has access to everything will not be kept either, obviously. Of course, the files and folders will be constructed in terms of hierarchy and the proper shares so that people have access to what they need so as to do their job and that is about it. This should generally be something that can be done through a folder for each department and keeping access for people in that department only to their relevant folder unless there is a need for other folders or shares to be accessed. Of course, the managers will work with IT to get that laid out and planned and managers/IT will obviously have full…

References

Harrison, K. (2016). 5 steps to a (nearly) paperless office. Forbes.com. Retrieved 24 June 2016, from http://www.forbes.com/sites/kateharrison/2013/04/19/5-steps-to-a-nearly-paperless-office/#7e1a915b1cda

Nolo. (2016). Vicarious Liability -- Nolo's Free Dictionary of Law Terms and Legal Definitions. Nolo.com. Retrieved 24 June 2016, from https://www.nolo.com/dictionary/vicarious-liability-term.html

Ou, G. (2007). TJX's failure to secure Wi-Fi could cost $1B -- ZDNet. ZDNet. Retrieved 24 June 2016, from http://www.zdnet.com/article/tjxs-failure-to-secure-wi-fi-could-cost-1b/

Rosoff, M. (2016). Netflix and YouTube are America's biggest bandwidth hogs. Business Insider. Retrieved 24 June 2016, from http://www.businessinsider.com/which-services-use-the-most-bandwidth-2015-12

Wood, L. (2016). 4 Simple Reasons Why Choosing CAT 7 Cable Really Pays Off. Loxone. Retrieved 24 June 2016, from http://www.loxone.com/blog/enuk/cat7-cable/


Cite this Document:

"Keeping Information Technology Safe" (2016, June 24) Retrieved April 16, 2024, from
https://www.paperdue.com/essay/keeping-information-technology-safe-2158479