Data Security Solution for the Design Studio One Company - Case Study Example

The aim of this paper is to provide a Data Security solution for a company. Data Security of The aim of this paper is to research a Data Security Solution requested by the executive management team of a company. The data security technology solution will give strategic implications of the information technology solution on the business for the next three years. The company is a relatively big web design studio called “Design Studio One” located in Atlanta. The management team at the company are concerned regarding the personnel and customer private data exchanged through the network. The company usually has 500 attacks a day by hackers and rival companies trying to access the confidential info of customers such as email or credit card or bank account details. The purpose of this report is to research the necessary solutions and to provide recommendations for management team. Background of Company “Design Studio One is known as a leader in creative services, web design and web development in Atlanta since 2001. Located on Lenox Road in Buck-head near downtown Atlanta, they are committed to helping business development in the metro region, but their service and client base extends across the country. With their continual focus on quality and customer satisfaction, they consistently deliver successful solutions for their clients.”1 The company provides solutions in web designing, web hosting, search engine optimization, website maintenance and updates, logo design and print design. Customers are able to login through the website and gain the access to their control panel. In the client login section, customers are able to view the status of their project. They are also able to enter or modify their personal information such as email address and credit card number. This panel also gives the customer the ability to test their website temporarily on the server and give their feedback and request the company to modify the project easily. Current Business Issue Although the current service is robust and customers have full control on their project, the management team noticed that some of customers complained about the security problem of both servers and control panel of the company’s website. Some of them had received so many bulk emails in their inbox from the support email of the company and some of them had lost their access to the control panel because their password and information was stolen by a third party. The management team at the company requested the server experts to check the security situation of the company on a weekly basis and the results of the primary research implied that the company’s server has approximately between 400 to 800 IP attacks per day. Further investigation also showed that the reason for malfunction of some of test servers has been mainly the results of these server attacks by hackers and not software or hardware problems. Research Finding on Data security In this section, some of research findings on Data Security for the management team at the company will be provided. Here we will discuss the importance data security for business managers and the ways to establish a data security policy and how to deal with security issues that may happen for a business. Data protection for a business is very similar to the protection process of own personal possessions. In other words, a business must be able to provide maximum facilities to protect customer’s private data and the vital information of the company itself like a personal property. “In business, having the correct information at the right time can make the difference between profit and loss, success and failure. Data security can help control and secure information from inadvertent or malicious changes and deletions or from unauthorized disclosure.”2 Data security has three aspects, CONFIDENTIALITY which means data protection from unauthorized access by for example the competitors or press. INTEGRITY which means the process of protecting data from unauthorized modification, for example the email address or password of the customer at this report. The third aspect is AVAILABILITY which means that accurate data must be available when needed. Usually business managers must be able to protect confidential data such as the customer’s personal information, their financial information and the company’s strategies or plans which are stored on computers, or other storage devices. Data security is important for today’s businesses, in other word the data of a business is its key to their current success and development and it must be kept safe in order to compete with rivals. Once this data/information is accessed by a third party, it can be used against the company. A major security flaw for businesses today is Internet. Many companies do not consider the security issues as much as they need for their online businesses and/or they do not try to monitor their security on a regular basis. Unfortunately they realize the problems once it is too late. “Sharing data is an increasing business activity. Company’s data is a key business asset that is very valuable. Its availability, integrity, and confidentiality may be critical for the continued success of any business. Business security can be breached in a number of ways, for example by system failure, theft, inappropriate usage, unauthorized access or computer viruses. The impact of a data security breach may be far greater than a business would expect. Not only will the loss of sensitive or critical business data directly affect a business’s competitiveness and cash flow, it could also damage reputation and have a long-term detrimental effect. It might take an organization ten years to establish its reputation and image as a trustworthy and reliable business but a security breach could destroy this in a matter of hours. Data also needs to be protected if the company wants to share it with other organizations. For many businesses, the Internet has replaced traditional paper based ways of exchanging data. It has enabled data to be sent and received faster, more frequently and in greater volume – not just simple text but also multimedia. Today it is quite common for companies to use the Internet for exchanging information and for e-commerce.”3 Recommendations for the Executive Management Team The company as we stated earlier in previous section, needs a security policy. Company is need for establishing security procedures including data monitoring periodically. Fixing the current issue in the shortest possible time and ensuring customers that their data would be safe and if any problem happens to their personal information, the company is ready to compensate. The text of the new policy, including new security considerations: “1.0 Purpose The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Design Studio One. Effective implementation of this policy will minimize unauthorized access to Design Studio One proprietary information and technology. 2.0 Scope This policy applies to server equipment owned and/or operated by Design Studio One, and to servers registered under any Design Studio One -owned internal network domain. This policy is specifically for equipment on the internal Design Studio One network. For secure configuration of equipment external to Design Studio One on the DMZ, refer to the Internet DMZ Equipment Policy. 3.0 Policy 3.1 Ownership and Responsibilities All internal servers deployed at Design Studio One must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group, based on business needs and approved by Info-Sec. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing the configuration guides, which includes review and approval by Info-Sec. • Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact: o Server contact(s) and location, and a backup contact o Hardware and Operating System/Version o Main functions and applications, if applicable • Information in the corporate enterprise management system must be kept up-to-date. • Configuration changes for production servers must follow the appropriate change management procedures. 3.2 General Configuration Guidelines • Operating System configuration should be in accordance with approved Info-Sec guidelines. • Services and applications that will not be used must be disabled where practical. • Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible. • The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements. • Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do. • Always use standard security principles of least required access to perform a function. • Do not use root when a non-privileged account will do. • If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec). • Servers should be physically located in an access-controlled environment. • Servers are specifically prohibited from operating from uncontrolled cubicle areas. 3.3 Monitoring • All security-related events on critical or sensitive systems must be logged and audit trails saved as follows: o All security related logs will be kept online for a minimum of 1 week. o Daily incremental tape backups will be retained for at least 1 month. o Weekly full tape backups of logs will be retained for at least 1 month. o Monthly full backups will be retained for a minimum of 2 years. • Security-related events will be reported to Info-Sec, who will review logs and report incidents to IT management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to: o Port-scan attacks o Evidence of unauthorized access to privileged accounts o Anomalous occurrences that are not related to specific applications on the host. 3.4 Compliance • Audits will be performed on a regular basis by authorized organizations within . • Audits will be managed by the internal audit group or Info-Sec, in accordance with the Audit Policy. Info=Sec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remediation or justification. • Every effort will be made to prevent audits from causing operational failures or disruptions. 4.0 Enforcement Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 5.0 Definitions Term Definition DMZ De-militariezed Zone. A network segment external to the corporate production network. Server For purposes of this policy, a Server is defined as an internal Design Studio One Server. Desktop machines and Lab equipment are not relevant to the scope of this policy.”4 References Information/Data security, http://www.berr.gov.uk, viewed on April 14, 2008. server data security at http://www.sans.org/resources/policies/Server_Security_Policy.pdf Data security, a business manager’s Guide, available from http://www.berr.gov.uk/files/file9981.pdf, viewed on April 14, 2008 Read More