This report concerns the XYZ Company, a software development company with a total of 2000 staff working at the company headquarters and its various branches. The main purpose of the report is to identify the main security threats to the company's network systems and the possible methods of mitigating those threats.
After analysing the company's information system, the various information security risks will be identified, and research will be carried out to determine the safeguarding measures that can be applied to control the possible threats.
The XYZ Company is a software company currently employing a total of 2000 staff, who are posted at the headquarters and at the other branches in the country. The company serves various customers who require its services, and it deals with suppliers who provide it with goods and services. It makes use of current technology: an information system is used to complete transactions electronically between the company, its customers and its suppliers.
To complete these electronic transactions the company has implemented a Google App Engine server information system, which manages the internal and external application transactions and communication used by a large number of applications and trading partners. The number of documents processed is about one million per week.
The XYZ Company carries out various transactions and activities in which staff deal with customers' requests and also order products and services from suppliers online, using the selected information system.
There are therefore various business activities in this company that are associated with its core functions. The main business activities are listed below.
The customers use the online system to request services such as software development and maintenance, sending their requests online.
The employees in the information department receive the requests and respond to the clients by providing the services or developing the software according to the specifications.
After the customers receive the developed software or service, they make payment through the online platform using PayPal or Visa cards.
The employees develop the software for the clients and test it to ensure it meets all the customer requirements, or they provide the requested customer services.
The company orders services from suppliers, including server vendors for hosting and developing applications.
The suppliers receive the company's requests instantly, provide the required services and calculate the applicable charges.
The suppliers provide the services to the company and indicate the details and the amount to be charged.
On receiving the product or service, the employee updates the details on the system for future reference and for easy payment processing.
After delivering the services, the suppliers submit payment invoices to the company so that it can pay for the services provided.
The company, with the finance officer's authorization, makes payment for the products or services provided by the suppliers.
The XYZ software development company is run by managers in its various branches; the organization as a whole is managed by various chief officers and is headed by the following officers:
The XYZ Company has three departments, each headed by a chief officer. These departments are the following:
The organizational charts for the whole organization and for its departments are given below.
[Figures: XYZ Company organization chart; Organization Department organization chart; Information Department organization chart]
The XYZ Company has various assets that are used to operate the entire information system; they are listed below.
Each identified asset is associated with a person or organization that owns it. The table below shows the assets and their owners.
Asset name | Asset owner
Laptops | Customers and employees, who use them to access the system.
Client computers | Customers and employees, who use them to access the system.
Print servers | XYZ Company information department, for printing services.
Application server | Google company information department, for hosting the applications.
Database server | XYZ Company information department, for holding the database system.
Domain control server | XYZ Company information department, for accessing the applications through the computers.
File server | XYZ Company information department, for storing and sharing files with the system users.
Web server | Google company information department, for internet and website hosting services.
Proxy server | XYZ Company information department, for internet and website hosting services.
Custom application server | XYZ Company information department, for internet and application hosting services.
Exchange relay server | Google company information department, for efficient communication.
Firewall | XYZ Company information department, to prevent any penetration of the system by hackers.
Switches | XYZ Company information department, to connect the various system devices.
Printers | XYZ Company information department, for printing services.
Google App Engine server | Google company, to host the Google applications accessed by the users.
USB hard drives | Employees and customers, to store information and data so that it can be recovered if their laptops develop problems.
Email address | Employees and customers, who use them to communicate by sending and receiving messages.
Each company asset has an associated value, which indicates the cost incurred when purchasing the equipment. The table below shows the assets, their values and why they are sensitive.
Asset name | Asset value in dollars
Laptops | It costs $240 and is highly sensitive, as its loss could lead to data loss.
Client computers | It costs $140 and is highly sensitive, as its loss could lead to data loss.
Print servers | It costs $300 and is highly sensitive, as its loss could leave the company without document printing services.
Application server | It costs $300 and is highly sensitive, as its loss leads to loss of applications.
Database server | It costs $300 and is highly sensitive, as its loss leads to loss of important organization information.
Domain control server | It costs $300 and is highly sensitive, as its loss leads to loss of important organization information.
File server | It costs $300 and is highly sensitive, as its loss leads to loss of important organization files.
Web server | It costs $300 and is highly sensitive, as its loss leads to destruction of website files.
Proxy server | It costs $300 and is highly sensitive, as its loss leads to poor communication in the organization.
Custom application server | It costs $300 and is highly sensitive, as its loss leads to loss of important organization application data.
Exchange relay server | It costs $300 and is highly sensitive, as its loss leads to loss of important organization data.
Firewall | It costs $250 and is highly sensitive, as its failure allows hackers to bypass the system.
Switches | It costs $120 and is highly sensitive, as its failure disconnects the entire information system.
Printers | It costs $160 and is highly sensitive, as its loss leaves the company without printing services.
Google App Engine server | It costs $300 and is highly sensitive, as its failure leads to corruption of the organization's applications.
USB hard drives | It costs $10 and is highly sensitive, as its loss leads to loss of important employee data and information.
Email address | It costs $20 and is highly sensitive, as its compromise leads to loss of important employee data.
(Laplante, 2013).
Various threats target the company's assets, and their likelihood varies depending on the asset. The possible threats to the assets and their likelihood are given below.
The XYZ Company information system has various weak points that serve as vulnerabilities which can be exploited by threats to the system. The table below shows the vulnerabilities, the assets they affect and their likelihood of being exploited.
Vulnerability | Asset name | Likelihood
Unsecure server's certificate | Servers | High, since the unsecure servers can be accessed remotely by hackers.
Easy to bypass the security protocol | Email address, laptops, computers and servers | High, since hackers can guess the password and access the user's information.
Social engineering | Email address | Low, since intruders will rarely obtain the personal email login details.
Prone to malware attacks | Laptops, computers and servers | High, since the anti-malware installed is not updated and must be up to date to prevent attacks.
Prone to key loggers | Laptops, computers and servers | Low, since the anti-malware installed is not updated and must be up to date to prevent attacks.
Prone to Trojan horse attacks | Laptops, computers and servers | High, since the anti-malware installed is not updated and must be up to date to prevent attacks.
Poor physical gates and doors | Laptops, computers and servers | High, since poor gates and doors give thieves access to the organization's assets.
Exposure of personal email | Email address | High, since malicious attackers will obtain the email address and send threatening messages to the employees.
Lack of updated anti-malware software | Laptops and computers | High, since the anti-malware installed is not updated and must be up to date to prevent attacks.
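The vulnerability table above rates each weakness per asset. As an added example that is not part of the original report, the Python below walks a constructed asset inventory and applies the same three checks (an invalid server certificate, an easy-to-bypass password policy, and out-of-date anti-malware signatures), rating each finding High or Low on the report's own scale. The hostnames, dates and the two policy thresholds are assumptions made for the example.

```python
"""Added example, not part of the original report: a vulnerability check
over a constructed asset inventory, rating the conditions from the
report's vulnerability table (unsecure server certificate, easy-to-bypass
security protocol, lack of updated anti-malware) High or Low per asset.
Hostnames, dates and policy thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy thresholds (not stated in the report).
MAX_SIGNATURE_AGE_DAYS = 7   # anti-malware signatures older than this count as "not updated"
MIN_PASSWORD_LENGTH = 12     # a shorter enforced minimum makes passwords guessable


@dataclass
class Asset:
    name: str
    kind: str                                # "server", "laptop", "computer" or "email"
    signature_date: Optional[date] = None    # last anti-malware signature update; None = none installed
    cert_valid: Optional[bool] = None        # None = the asset does not serve a TLS certificate
    min_password_length: int = 0             # minimum length enforced by the asset's password policy
    lockout_enabled: bool = False            # account lockout after repeated failed logins


@dataclass
class Finding:
    asset: str
    vulnerability: str   # wording taken from the report's vulnerability table
    likelihood: str      # "High" or "Low", the report's own scale
    reason: str


def assess_asset(asset: Asset, today: date) -> List[Finding]:
    """Return the vulnerabilities that apply to one asset."""
    findings: List[Finding] = []

    # Unsecure server's certificate: clients reaching the server remotely
    # cannot verify the host if its certificate is invalid.
    if asset.kind == "server" and asset.cert_valid is False:
        findings.append(Finding(asset.name, "Unsecure server's certificate", "High",
                                "server certificate is invalid, so remote clients cannot verify the host"))

    # Lack of updated anti-malware software (covers the malware, key logger and
    # Trojan horse rows, which all hinge on signature freshness).
    if asset.kind in ("server", "laptop", "computer"):
        if asset.signature_date is None:
            findings.append(Finding(asset.name, "Lack of updated antimalware software", "High",
                                    "no anti-malware installed"))
        else:
            age = (today - asset.signature_date).days
            if age > MAX_SIGNATURE_AGE_DAYS:
                findings.append(Finding(asset.name, "Lack of updated antimalware software", "High",
                                        f"signatures are {age} days old"))

    # Easy to bypass the security protocol: a short minimum password length makes
    # guessing likely (High); a good length but no lockout leaves guessing
    # unthrottled (Low).
    weak_length = asset.min_password_length < MIN_PASSWORD_LENGTH
    if weak_length or not asset.lockout_enabled:
        reason = (f"minimum password length {asset.min_password_length} is below {MIN_PASSWORD_LENGTH}"
                  if weak_length else "no account lockout, so password guessing is not throttled")
        findings.append(Finding(asset.name, "Easy to bypass the security protocol",
                                "High" if weak_length else "Low", reason))
    return findings


def assess_inventory(assets: List[Asset], today: date) -> List[Finding]:
    return [f for a in assets for f in assess_asset(a, today)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per likelihood level, e.g. {"High": 3, "Low": 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.likelihood] = counts.get(f.likelihood, 0) + 1
    return counts


# Constructed inventory: names, dates and policy values are made up for the example.
TODAY = date(2024, 3, 1)
INVENTORY = [
    Asset("db-server-01", "server", signature_date=date(2024, 2, 28), cert_valid=False,
          min_password_length=14, lockout_enabled=True),
    Asset("laptop-042", "laptop", signature_date=date(2024, 1, 15),
          min_password_length=8, lockout_enabled=False),
    Asset("mail-jdoe", "email", min_password_length=12, lockout_enabled=False),
    Asset("web-server-02", "server", signature_date=date(2024, 2, 29), cert_valid=True,
          min_password_length=16, lockout_enabled=True),
]

if __name__ == "__main__":
    for f in assess_inventory(INVENTORY, TODAY):
        print(f"{f.likelihood:4} {f.asset:14} {f.vulnerability}: {f.reason}")
    print(summarize(assess_inventory(INVENTORY, TODAY)))
```

Run as a script, it lists one finding per weakness per asset; the `web-server-02` record shows what a clean asset looks like, and the email account shows a Low finding where only the lockout control is missing.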
The threats discussed above have various risks associated with them, and these risks tend to have a negative impact on the company and the people associated with it. The major risks that can occur to the company information system are listed below (Karumanchi, 2012).
The XYZ Company has various risks associated with it, each with a different impact on the company, as described in the table below.
Risk | Level of impact
Loss of physical items | High
Access to CEO sensitive information | High
Harassment of employees | Low
Corrupting the information | High
Illegal access to email information | High
(Goyal, 2011).
To mitigate and prevent the risks from occurring in the system, various controls and safeguard measures can be implemented; in this case ISO 27002 is used.
ISO 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It sets out the security techniques to be used to secure information technology systems; in our case ISO 27002 is enforced through the following measures (Standardization, 2013).
The likelihood of the risks occurring after the control and safeguard measures have been implemented is referred to as the residual likelihood. In this case there is a limited chance of the risks occurring, as indicated in the table below.
Risk | Residual likelihood of occurrence
Loss of physical items | Very low, as the organization's items will be better secured and no intruders will be allowed in.
Access to CEO sensitive information | Very low, as the CEO will be provided with strong and unique passwords that are not accessible to other people.
Harassment of employees | Very low, as the employees' emails will only be shared with relevant employees and the management team.
Corrupting the information | Very low, as the system will be guarded from malware infections, thus securing the information.
Illegal access to email information | Very low, as the employees will have private, unique passwords to use when accessing their emails.
(Gupta, 2015).
After the control and safeguard measures are implemented, each measure will have an impact on the information system, as indicated in the table below.
Control and safeguard measure | Impact on the information system
Installing the anti-malware software | Very high, as the application will protect the information system from attack by malware.
Fitting physical gates and strong doors | Very high, as it will bar any illegal entrants from the organization's offices.
Using strong passwords to access the information system | Very high, as it will prevent any unauthorized access to the system.
Updating the system firewall to prevent network bypass | Very high, as it will prevent penetration of and bypass of the network protocols by hackers.
Using an information backup system | Very high, as it will enable restoration of the data in case it is lost or corrupted.
Using strong email address passwords | Very high, as it prevents unauthorized users from opening the employees' email addresses.
After the control and safeguard measures are implemented, the risk level is greatly reduced and no risk will have a high level of occurrence, as shown in the table below.
Risk | Residual risk level
Loss of physical items | Very low, as physical barriers such as doors and gates are fitted properly and prevent intrusion.
Access to CEO sensitive information | Very low, as strong passwords will be used to access sensitive CEO information.
Harassment of employees | Very low, as the employees' emails will be reserved for the management and trusted employees.
Corrupting the information | Very low, as the system will have anti-malware installed that prevents malware from corrupting the information.
Illegal access to email information | Very low, as the employees and the CEO will have unique and strong passwords to access their emails.
(Award, 2013).
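The three tables above state an inherent impact per risk, a set of controls, and a residual level per risk, but they do not show how the residual level is derived. As an added example that is not part of the original report, the Python below builds a qualitative risk register from the report's risks and controls: each risk is scored as likelihood times impact on a five-point scale, each control takes steps off the likelihood (or, for backups, off the impact) of the risks it treats, and the product is mapped back to a named level. The five-point scale, the inherent likelihoods, which risks each control treats and by how much are all assumptions made here; the email-sharing restriction is taken from the residual-likelihood table rather than the controls table.

```python
"""Added example, not part of the original report: a qualitative risk
register that scores each risk from the report as likelihood x impact,
applies the control and safeguard measures the report proposes, and
recomputes the residual level. The five-point scale, the inherent
likelihoods and the effect of each control are assumptions made here."""
from dataclasses import dataclass
from typing import Dict, List

SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def level_for(score: int) -> str:
    """Map a likelihood x impact product (1..25) back to a named level (assumed bands)."""
    if score >= 15:
        return "high"
    if score >= 10:
        return "medium"
    if score >= 5:
        return "low"
    return "very low"


@dataclass
class Risk:
    name: str
    likelihood: int   # inherent likelihood on SCALE, before controls
    impact: int       # impact on SCALE, from the report's level-of-impact table


@dataclass
class Control:
    name: str
    risks: List[str]               # risks the control applies to
    likelihood_reduction: int = 0  # steps taken off the likelihood
    impact_reduction: int = 0      # steps taken off the impact (e.g. backups)


# Risks from the report; impacts follow its table, inherent likelihoods are
# assumed High because the matching vulnerabilities are rated High.
RISKS = [
    Risk("Loss of physical items", SCALE["high"], SCALE["high"]),
    Risk("Access to CEO sensitive information", SCALE["high"], SCALE["high"]),
    Risk("Harassment of employees", SCALE["high"], SCALE["low"]),
    Risk("Corrupting the information", SCALE["high"], SCALE["high"]),
    Risk("Illegal access to email information", SCALE["high"], SCALE["high"]),
]

# Controls from the report; which risks each treats and by how much are assumptions.
CONTROLS = [
    Control("Installing the antimalware software", ["Corrupting the information"], likelihood_reduction=2),
    Control("Fitting physical gates and strong doors", ["Loss of physical items"], likelihood_reduction=3),
    Control("Using strong passwords to access information system",
            ["Access to CEO sensitive information"], likelihood_reduction=3),
    Control("Updating the system firewall to prevent network bypass",
            ["Corrupting the information", "Access to CEO sensitive information"], likelihood_reduction=1),
    # Backups do not stop corruption happening; they limit what is lost, so they cut impact.
    Control("Using information backup system", ["Corrupting the information"], impact_reduction=2),
    Control("Using strong email address passwords", ["Illegal access to email information"], likelihood_reduction=3),
    Control("Restricting who may share employee email addresses", ["Harassment of employees"], likelihood_reduction=3),
]


def residual_register(risks: List[Risk], controls: List[Control]) -> Dict[str, Dict[str, object]]:
    """Inherent and residual level per risk; likelihood and impact never drop below 1."""
    register: Dict[str, Dict[str, object]] = {}
    for r in risks:
        likelihood, impact = r.likelihood, r.impact
        for c in controls:
            if r.name in c.risks:
                likelihood -= c.likelihood_reduction
                impact -= c.impact_reduction
        likelihood, impact = max(1, likelihood), max(1, impact)
        register[r.name] = {
            "inherent": level_for(r.likelihood * r.impact),
            "residual": level_for(likelihood * impact),
            "residual_score": likelihood * impact,
        }
    return register


def untreated_risks(risks: List[Risk], controls: List[Control]) -> List[str]:
    """Risks that no control applies to; these keep their inherent level."""
    treated = {name for c in controls for name in c.risks}
    return [r.name for r in risks if r.name not in treated]


if __name__ == "__main__":
    for name, row in residual_register(RISKS, CONTROLS).items():
        print(f"{name:40} inherent={row['inherent']:9} residual={row['residual']}")
    print("untreated:", untreated_risks(RISKS, CONTROLS))
```

With the full control set every risk lands on "very low", matching the report's residual table; dropping a single control (for instance the anti-malware) leaves "Corrupting the information" at "low" rather than "very low", and `untreated_risks` flags any risk the control set never reaches, which is the check a reviewer would run before accepting a residual-risk table.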
References
Award, E. (2013). Systems Analysis and Design. Delhi: Galgotia Publications Pvt Ltd.
Goyal, A. (2011). Systems Analysis and Design. India: Prentice Hall India Learning Private Limited.
Gupta, B. (2015). Power System Analysis and Design. New Delhi: S Chand & Company.
Karumanchi, N. (2012). Peeling Design Patterns: For Beginners and Interviews. New York: CareerMonk Publications.
Laplante, P. (2013). Real-Time Systems Design and Analysis: Tools for the Practitioner. New Jersey: Wiley.
Singh, B. (2016). Systems Analysis and Design. Delhi: New Age International Private Limited.
Standardization, I. O. (2013, January 1). Information technology. Security techniques. Code of practice for information security controls. Retrieved from https://www.iso27001security.com/html/27002.html
Stewart, J. M. (2015, September 15). CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Retrieved from https://www.amazon.com/dp/1119042712/ref=cm_sw_r_cp_ep_dp_ibAbAb0DTVC2H
Wixom, D. (2016). Systems Analysis and Design. New Jersey: Wiley.