Security for a company

I have been asked to evaluate a network for security threats and provide solutions. Egos, a catalogue sales company, is medium-sized with 50 users on the network. A broadband connection is available to all users. We are not interested in the network hardware here, so we must assume that all the hardware is set up and configured correctly.

Login

In this company there are many threats to the data, as the company is medium-sized with 50 users on the network. Broadband is available to every user, so there is no restriction on internet use within the company. They have to assume that all the hardware is set up and configured correctly. However, there is no security in place. With 50 users in the company and no private login to the network, each person can go onto everyone else's computer and look at their documents and files. This means that there is no confidentiality. It also means that nothing is safe, as other users can delete other people's files or documents if they need to make space for their own work. In addition, the lack of a private login means there is a high risk of viruses. Without individual usernames and passwords the boss will not be able to keep track of each individual's usage. It is therefore better for all 50 users within the company to have their own usernames and passwords.

The company should set up a login system in which each member of staff has a unique username and password, so only they can access their files. Having individual accounts for each staff member means they will have their own settings, their own email and access to their own documents. It is important that the password contains a mixture of uppercase and lowercase letters and at least one symbol and one number, so that no one can guess it. Having their own username also means documents will be safe, and management can give each person a level of access to different documents or files. For example, the boss will be allowed to view all documents, while the first level would only have access to the documents they need. A login to the computer is good because it stops people from giving out information they should not have in the first place. A login also allows management to keep track of each computer and know who is on it and at what time. Here is an example of what it looks like.

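The login scheme described above, as an added illustration that is not part of the original essay: a password check following the stated rule (mixed case plus at least one number and one symbol), access levels where the owner of a document or anyone at a high enough level may read it, and an audit log recording who opened what, on which computer and when. The 8-character minimum, the level numbering and the sample users and documents are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Password rule from the essay: upper and lower case letters, at least one
# number and at least one symbol. The 8-character minimum is an assumption.
PASSWORD_RULES = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]

def password_meets_policy(password: str, min_len: int = 8) -> bool:
    return len(password) >= min_len and all(re.search(p, password) for p in PASSWORD_RULES)

# Access levels (assumed numbering): 0 = ordinary staff, 1 = supervisor, 2 = boss.
@dataclass
class User:
    name: str
    level: int

@dataclass
class Document:
    path: str
    owner: str
    min_level: int  # level needed to read it when you are not the owner

@dataclass
class AuditLog:
    """Records who opened what, on which computer and when, for management to review."""
    entries: list = field(default_factory=list)

    def record(self, user: User, machine: str, doc: Document, allowed: bool) -> None:
        stamp = datetime.now().isoformat(timespec="seconds")
        self.entries.append((stamp, user.name, machine, doc.path, allowed))

def can_read(user: User, doc: Document) -> bool:
    # Owners always see their own documents; everyone else needs a high enough level.
    return user.name == doc.owner or user.level >= doc.min_level

def open_document(user: User, machine: str, doc: Document, log: AuditLog) -> bool:
    # Every attempt is logged, whether it succeeds or is refused.
    allowed = can_read(user, doc)
    log.record(user, machine, doc, allowed)
    return allowed

# Constructed sample: three staff accounts and two documents.
BOSS = User("boss", 2)
ALICE = User("alice", 0)
BOB = User("bob", 0)
PAYROLL = Document("/shared/payroll.xls", owner="boss", min_level=2)
ALICE_ORDERS = Document("/home/alice/orders.doc", owner="alice", min_level=1)
```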
Internet

With the business having unrestricted internet there will be an increased risk. The internet can bring in trojans, viruses, malware, worms and so on, which means systems will be destroyed and more money will need to be spent on getting the computers fixed. It also creates distractions for employees, so less work gets done. The company will need to install firewalls and anti-virus software on the computers. A firewall checks the information that comes in from the internet and the network and either allows or blocks it depending on the rules set. The company can also put blocks on the internet.

Staff are allowed to install and remove software.

When staff install and remove software this can cause major problems. When staff members download software they could be downloading viruses and software that they don't need. A virus could destroy a document already saved on the company's hardware, and that could be a very important document. The computer can crash and systems can be destroyed, and illegal downloads may lead to the company being fined. When software is removed the company will have to reinstall it, which will cost a lot of money as the software is expensive. This means the company will have to pay again for each licence for all the software they have to install back.
To prevent this from happening the boss can set up an internal IT team to install the software staff need for their work. The company can also adopt a policy that stops staff from downloading and removing software.
The company must back up its data more than once a month, as otherwise many documents will be lost, and very important data that is accidentally deleted cannot be restored because there is no copy of it. This wastes staff time, as they will have to type all the data up again.
In addition, to stop information getting lost the company can back up its work daily, so that accidentally deleted work is not gone for good and there is always a backed-up version.


Data tapes are kept secure in a locked plastic box on top of the server.

The danger of this is that the heat of the server can make the plastic box melt. This would mean that the data within the box could be destroyed, and the company would lose all its data, including customers' details.
Also, when the plastic box melts it may destroy the server as well, as the plastic might stick to the server and a fire may start. In addition, having the box on top of the server means that anyone can get to it and it can be opened easily.
To prevent this from happening the company should lock the data in a fireproof box, as this would not melt and the data would be more secure.

As the company keeps records in a database of all the customers, it holds very important information such as:

· purchases
· account numbers
· bank details
· customer names and addresses
· purchase history

All staff have access to the above database information. Occasionally the manager has overheard staff discussing account details with other suppliers. On more than one occasion he has heard staff providing address information to others over the telephone.

Mean while all entire staff members can get a hold of the information on the computer which they are able to pass on to other company. This means that there will be a lot of breaching of confidentiality laws and the data protection act. When a person breaks the data act they can be fined or jailed. As the data protect act was up dated in 1998 to help creates a register for individual that hold personal information holding of other such as doctor. Within this act there are eight principles which are
· Personal data must be obtained and processed fairly and lawfully.
· Personal data must be held only for the purposes which the data user has declared.
· Personal data must not be used for purposes other than those which have been declared.
· The personal data kept for the declared purpose must be relevant, adequate, and not excessive in relation to that purpose.
· Personal data should be accurate and kept up to date (where appropriate).
· Personal data must not be kept longer than is necessary for the purpose for which it is held.
· Individuals are entitled to know what data is held on them and, where appropriate, to have such data corrected or erased.
· Appropriate measures must be taken to prevent unauthorised access to, or modification of, personal data.

The Act therefore recognises three kinds of individual involved where personal data is held:
Data Subject = the person that has the information, e.g. a doctor, employer etc.
Data Users = the people who are allowed to see the data or who are holding the data.
Computer Bureau = a third party which holds the data on behalf of others.

To stop this from happening the company will have to provide staff training, put proper procedures in place and set up different access levels to folders on the system.
As the company has a shared email account, everyone can see the information in the email. For example, if the email contained the new pay rate for each staff member and each staff member had a different rate, and all staff could see it, this could start trouble. If everyone can see the email there is no confidentiality in the workplace, even though the email may contain personal information.
To stop this from happening the company can give each employee their own email address, so that no one can look at another person's email.

As no IP address logs are kept of the sites visited from the company, the company is unable to keep track of which websites its workers are using. It will therefore not be able to find out which website is letting the viruses into the computers, or who is visiting it.
To stop this from happen the company should keep track of all the different types
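One way to get the tracking the previous paragraphs call for, as an added example that is not part of the original essay: parse a per-request log from a proxy or gateway, index which sites each member of staff visited, and answer the question of who visited a site suspected of letting viruses in, from which computer and when. The log format, usernames, IP addresses and hostnames are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample of what a proxy or gateway log could record for each
# request: "<timestamp> <username> <client IP> <URL>". Hosts are made up.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice 192.168.1.21 http://supplier.example/catalogue
2024-03-04T09:15:44 bob 192.168.1.22 http://free-screensavers.example/setup.exe
2024-03-04T10:02:10 carol 192.168.1.23 https://bank.example/login
2024-03-04T11:47:03 bob 192.168.1.22 http://free-screensavers.example/toolbar
2024-03-04T13:05:27 dave 192.168.1.24 http://free-screensavers.example/
"""

def parse_log(text: str) -> list[dict]:
    """Turn log lines into records with the time, user, client IP and visited host."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, ip, url = line.split(maxsplit=3)
        records.append({
            "time": datetime.fromisoformat(stamp),
            "user": user,
            "ip": ip,
            "host": urlsplit(url).hostname,
        })
    return records

def sites_by_user(records: list[dict]) -> dict[str, set[str]]:
    """Which sites each member of staff has visited."""
    index = defaultdict(set)
    for r in records:
        index[r["user"]].add(r["host"])
    return dict(index)

def who_visited(records: list[dict], host: str) -> list[tuple[str, str, str]]:
    """For a site suspected of letting viruses in: who visited it, from where, and when."""
    return [(r["user"], r["ip"], r["time"].isoformat()) for r in records if r["host"] == host]
```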
The company's entrance doors are not protected by a keypad. This is a threat not only to the data but to the hardware, as a person could walk in when no one is around and take equipment such as computers, printers, scanners, mice, speakers etc. The effect of this is that the company would lose all the equipment it spent a lot of money on.

To avoid this the company could fit a swipe-card lock so that the doors only open when a staff member swipes their ID card. The company may also restrict entry to only those staff members who need the equipment. It can put cameras outside and inside the room so it can see who is going in and out.
