Scenario:

HELMA Finance Company is one of the leading finance companies in Australia and provides its services to a number of corporate clients. The information relating to the financial activities of all the clients is of immense importance for the company, and the business relies on the trust developed with customers in regard to the integrity of the information. HELMA has always tried to provide the best possible solutions to protect its information. The company's head office is situated in the CBD, while it has regional offices in Geelong and Ballarat. All the employees know the importance of the information on which they are working, along with the integrity and the security implemented on the information system and the network. All the employees and users accessing the information work on the following principles:

• Consider the sensitivity of the information they handle.
• Protect information in proportion to its sensitivity by ensuring that information, whatever its format, is secured by physical or approved electronic means.
• Ensure that they take appropriate action within the appropriate procedures when there is a breach of policy.

For the security and integrity of the information, substantial information security measures have been implemented. The company also has well-defined Information Security policies and procedures, and all the employees are obliged to follow these policies and procedures. Information security is of great importance to the company to ensure compliance with legislation and to demonstrate that the Company understands and applies proportionate guidance and process to recording, storing, processing, exchanging and deleting information. Should this not be achieved, the Company can risk, at worst, the safety of individuals, loss of financial information, breach of commercial confidentiality and subsequent financial penalties from the clients.

There are three main principles to the information security policy:

• All staff must consider the sensitivity of the information they handle.

• All staff must protect information in proportion to its sensitivity by ensuring that information, whatever its format, is secured by physical means (such as locking paperwork away or appropriately archiving it when no longer current) or by using approved electronic means (such as only using Company IT equipment).

• Managers must ensure this policy is applied within their areas of work and should also lead by example. This policy is mandatory.

Any breach of the policy may result in disciplinary action being taken under the Company's Disciplinary Procedure. Any breaches of security (non-compliance with this Policy) must be reported to the Information Technology Department.

The mandatory requirements of this core policy are based on the three elements of information security as per the Australian Information Security legislation:

• Confidentiality: ensuring that information is only accessible to those authorised to access it.

• Integrity: safeguarding the accuracy and integrity of information and processing methods.

• Availability: ensuring that authorised users have access to information and associated assets when required.

It is the policy of the company to ensure:

• Information is protected against unauthorised access.

• Confidentiality of information is maintained.

• Information is not disclosed to unauthorised persons through deliberate or negligent action.

• The integrity of information is maintained by protection from unauthorised modification.

• Information is available to authorised users when needed.

• Regulatory and legislative requirements are met.

• Contingency plans are produced and tested as far as is practicable to ensure business continuity is maintained.

• Information Security training is provided for all staff.

• All breaches of information security and suspected weaknesses are reported, investigated and appropriate action taken.

• Sharing of information with other organisations/agencies is permitted providing it is done within the remit of a formally agreed information sharing protocol.

• There is a fair and consistent approach to the enforcement of standards of conduct expected from employees when using social media sites.

• Security incidents must be reported within two business days.

• An incident report must be completed if you lose or damage any ICT equipment.


The IT infrastructure is updated according to the requirements of information security, but the main threat is to the network of the information system. The information system comprises data servers, a server for the financial ERP suite, desktops, laptops, and Cisco routers and switches, all connected in a LAN at the head office; a WAN is also established for connectivity between the head office and the regional offices. The IT department is responsible for managing the whole network, and Allen, the Network Engineer, specialises in the implementation of the IT resources across the network.

The Information Security Officer, along with the Network Engineer, ensures that all the users follow the policies and procedures related to network security. Users/employees are supposed to abide by the personal device policy; in particular, those who use their personal hand-held devices or laptops must not bypass the network security policies.

Personal device policy includes:

• Home workers must strictly use their home network or the pocket Wi-Fi provided by the organisation.

• Do not download unauthorised software and files.

• Run an antivirus check on all external data storage devices.

• Do not type your password into the computer.

• Do not share your password with anyone.

• Change computer and other device passwords within 60 days.

Also, personal email IDs are not to be used; social network sites have already been blocked, and downloads to any personal drives or torrents are strictly prohibited. System policies to prevent these personal downloads and uploads have already been implemented on the networked resources using the authentication server. Failure to comply with the information security policy will result in strict action. Also, if any user/employee comes to know about any information leakage or breach, he/she needs to inform the IT department, either directly or by filling in the online security incident reporting form.


For better security across the network and information system, along with the mitigation of attacks at Layer 2 and 3, the services of Mcgrath have been acquired. He is the new Information Security Officer (ISO). Mcgrath will be responsible for implementing information security and maintaining the secure network environment.

The job description of Mcgrath includes the following:

• Actively ensure appropriate administrative, physical and technical safeguards are in place to protect the network from internal and external threats.

• Meticulously identify, introduce and implement appropriate procedures, including checks and balances, to test these safeguards on a regular basis.

• Make it a priority to see that disaster recovery and emergency operating procedures are in place on the network and tested on a regular basis.

• Act as the committed owner of the network security incident and vulnerability management processes from design to implementation and beyond.

• Define and implement secure network configuration baseline standards.

• Support and administer firewall environments in line with the Network security policy.


The job description of Allen, the Network Engineer, includes:

• Establish the networking environment by designing system configuration, directing system installation and defining, documenting and enforcing system standards.

• Design and implement new solutions and improve the resilience of the current environment.

• Maximise network performance by monitoring performance, troubleshooting network problems and outages, scheduling upgrades and collaborating with network architects on network optimisation.

• Undertake data network fault investigations in local and wide area environments using information from multiple sources.



Activity 1: Analysing Network Security System Requirements

After taking a detailed look at the scenario given above, you need to analyse the network security system requirements for the company, including the following:

• Purpose

• Network security requirements

• Physical security requirements

• Computer security requirements

• Mobile workers and home workers

• Use of the internet

• Security incident reporting

You may need to research network security requirements on the internet. You must complete the network security requirements template given below for the company as part of the activity.

HELMA Network Security Requirements

Purpose

Network Security Requirements

Physical Security Requirements

Computer Security Requirements

Mobile Workers and Home Workers

Use of the Internet

Security Incident Reporting
