Security Plan for Small Networks/Offices

Security Plan for a Small Office or Home Network (P4/P5/P6/M3/D2) Ajay Jassi

A security plan in IT is a document that is produced by management, to show how an organisations implement security measures. This is done to protect and secure systems in the industry.

Purpose

The purpose of a security plan is to show procedures the business are doing reflecting to security towards the systems and data. This contains vary of security measures, daily procedures and plans. This mostly relates to a business that uses mostly online communication via email, and video calls. However other methods are used as well via phone, and face-to-face. This can be an example of any organisations which require IT a lot.

Security

These are the following security procedures and devices that are currently in place:

Physical protection: Three working CCTV cameras are setup around the outside of the site, mainly focusing on the entrances/exits. However there is no security officer on-site, and the footage from the cameras are checked every week by the manager and when necessary.

Virus protection: All computer systems have got Norton’s free anti-virus software trail, which has a month left on it. After the trails are over, the manager is attending to install AVG’s free-antivirus software trail.

Spam-filter software: K9 spam-filter software is installed on the computer systems by one of our employees who is currently still training to become qualified. However the software crashes frequently and is becoming unreliable as it works sometimes.

Password security: All desktops computers have a strong password, which follows the password policy. The desktops have the same password, which is very complicating therefore is written on a piece of paper which is stored in the employee staff room. However none of the laptops have a password, as they a secured in a safe when not in use.

Updates: Most of our computer systems have a full version of Windows 7 Ultimate, and some have got Windows XP. The Window 7 systems are updated which has been scheduled automatically to install the important updates. The Windows XP systems don’t update automatically and cannot connect to Microsoft, the problem is still unsolved.

Wireless networking: We have a router which allows anybody to connect to the internet, there is no password security on this and is open to anyone in the business.

Backups: All our computer systems have a separate partition with only a backup image file on it. This contains all personal and private information to the business. We currently have no other backup techniques for the business, but are thinking about storing it on portable hard-drives.

Firewalls: A built-in firewall is turned on which was pre-installed with the Windows 7 Ultimate’s. The ISP routers seem pretty secure, however it disconnects sometimes at least once a week. A technician is sometimes required to be called in to fix it.

Assets:


The business has many assets which aren’t only IT systems and data, however these are one of the main one’s. The assets need to be secured, as they are private for the business and shouldn’t be known with other businesses and anyone outside of the business. This requires the employee to trust and employee reliable staff. These are the following assets:

Computer systems, servers, and data Other electrical essential throughout daily business. (printers, telephone and

broadband) Business secrets and personal details/information Customers Databases(business documents) from suppliers and customers Software used for business (security, office suites, advance software, etc.)

Risks

1. Physical threats Theft Damage Arson

2. Computer security threats Malware Hardware failure and system crashes Spam Viruses

3. Information threats Private data Secrets of the business Fraud

4. Natural threats Tsunami Floods Earthquake Hurricane

Security measures

1. Protection Backups Encryptions Employees

2. Prevention Firewall and Antivirus Operating systems (up-to-date) Removal of data

3. Administration controls Access control


Permission control Webpage restrictions

4. Storage on Cloud

Protection

Backups: Backups are used to ensure that data is secure, and can be recovered quite accessibly if damaged or lost. Backups can be stored on a cloud base server, a hard drive, and removable portable devices, such as portable hdd, memory sticks, discs (dvd/cd). For extra protection, the hard-drive and (or) the portable device can be taken to a storage warehouse, which is securely locked up with high end security such as 24/7 CCTV and extremely strong steel all around the safe and the site. It is ideal to have many backups in different forms, as this will ensure extra protection from losing data, as a backup device may also get damaged, lost or stolen physically.

Backups should be scheduled either automatically or manually daily, so that the backups are updated, as data important data could be gone in seconds from the threats.

Encryptions: Encryptions are used to secure phases and words that are used across the business to each other to keep thing private and personal, so it cannot be read by others outside business. These encryptions can be very hard to crack and is time consuming, therefore isn’t really worth doing, as business may just use it to be secure all the time. However if the encryption is cracked this shouldn’t be much of a problem as continental information shouldn’t be shared on there.

Encryption are also used on portable devices and files, which only certain organisations can use.

An encryption contains its original message and large amount of other characters consisting of numbers, letters and symbols.

Employees: Employees in business should have good training, from professional trainees who know what they are doing and are reliable. This ensures that the employee knows how to act, behave and work in the IT industry keeping safe, and making sure that security is considered. Many employees in IT don’t know what they are doing from bad training, and poor behaviour towards the work. This is often in businesses which don’t have a strong IT team/crew. An example of this can be a business like Costa Coffee, as their main priory is customer service and selling customer goods (beverages). A business like this doesn’t use much IT as they don’t sell products/services online and use simple computer systems in their shops and stalls.

It’s important to ensure that employees have correct policies, that maybe more fair or more strict depending on their work and (or) progress. These policies can be a case of firing an employee or rewarding the employee with bonuses. The purpose of these is to make sure progress in the business is made and there to protect them and personal data such as names, addresses, contact numbers, etc.


Limiting access for employees in a business is essential, so they don’t have full control over the systems and cannot change any setting that may possible affect the system for business or general usage. Limiting access could also mean limiting software and hardware. This is similar to permission control.

Prevention

Firewall: Firewalls are used to manage organisations internet and permission control whilst using web browser and surfing the internet. These are used to filter out what can be authorised or what cannot be.

These can be done separately on each computer system, or can be done as a server in the network for all the computer systems in site and connected to the server. It is more ideally to use a server based filter as it more reliable and is easier to manage as a technician doesn’t have to go around sorting each system individually.

Microsoft operating systems such as Windows 7 have a built-in firewall, which can be enabled as well as on severs and on hubs, to ensure extra protection.

Antivirus: Antivirus software are used to prevent threats such as viruses and spyware. Behind a spyware is someone classified as a ‘hacker’. The hacker can have access into the computer systems, allowing them to view and read data. These affect a business as personal information and private data such as customer databases are known, which is against the data protection act. These hackers could be in the situation of being in a court sentence, if caught.

Viruses could affect the computer system and business in many ways as there are many threats. An example maybe that the virus doesn’t allow users to use the internet, which will affect the business as they relay of the internet for everyday activities such as emails.

Having a reliable paid subscription antivirus is the best way to keep safe, as this includes features which free and trial products don’t include. These subscriptions can be brought in bulk for all the computer systems in the business, which will be cheaper than buying each one separate. It is also important to run the software everyday so if threats are found they can be removed easily. This would also keep the systems running smoothly and fast.

Operating systems: Operating systems have security feature built-in which protects the computer systems. These include features such as firewall, patches and constant updates.

It’s important to keep operating systems kept up-to-date, as new features are added which keeps security secure and running. Updates can be updated automatically which is recommended, however can be done manually or scheduled by choice. To change these settings administration rights are required.

Removal of data: When removing data, it is very important to ensure that the data is fully gone, and cannot be recoverable. Data can be wiped from a hard drive from deleting the data from wipe unities. Another method is by psychically destroying the hard drive, by doing this the hard drive will not be reusable.


The best way to get rid of data on a hard drive, is by doing a full wipe, and then physically destroying it with a mallet/hammer. This is so the hard drives are not at risk of being reused, as data may not having been removed from different compatibilities and errors, and therefore at risk if sold to someone else or reused.

Administration controls

Access control: Access control allows the administrator to restrict other user’s controls and usage over the computer systems. This can by not allowing users to go in the control panel, changing settings, personalising systems or any modifications that may possibly affect the computer system for daily business usage by employees. An example of this can be by changing the mouse setting, the keyboard setting and the font settings which isn’t normal and (or) ideal for employees to use.

It is ideal for the employer to limit control over the systems to employees, to keep everything running smoothly and to ensure that they can’t change any settings that could affect the entire business, such as turning off the firewall.

Permission control: Permission control is used for administrators to only allow users to use or access something with permission only. The permission in computer system cases is an administrator password. The permission controls can be used for software, updates and for downloads. This is to prevent employees getting viruses and threats on the computer systems, as they may not concentrate or have the correct training to make them no aware of viruses they are downloading.

Permission controls should be used, as this wouldn’t allow employees to do whatever they want on the computer systems.

Webpage restrictions: In workplaces/schools networks are restricted on the internet, so employees/student cannot access whatever they want and do whatever they want, that isn’t related to work. An example can be a business blocks gaming websites, so that employees can’t play games, and do the set work instead. However this shouldn’t have to be required in a business, as if an employee is caught playing games during working hours the employer could immediately fire them.

Webpage restrictions such as social media should be blocked as employees will often want to keep updated and will look on their mobile phones, which are connected to the organisations servers and network for communication such as emails and free calls and messaging. Example of these apps are Viber and WhatsApp.

Cloud storage

Backup data online is very useful as the risks are low from the data being lost or stolen, as it is very hard to hack big organisation such as Dropbox, Google and Microsoft. The benefits from having backups online is that it will save the business money, instead of having their own storage service which can be very highly expensive to maintain and repair. Also if data is lost or stolen the fault relies on the online organisation. However a major disadvantage is that an internet access is required at any time when files want to be read or copied.


Accounts for the organisation should also have a strong password, which is unique to any other in the business following the password policy.

A trustworthy organisation which offers the best services is Google, as they offer large amounts of storage for reasonable prices. However if the business is a Microsoft corporative, having backup storage with them will offer benefits such as reduced costs and extra services.

Security improvements/Action list

1. Install more CCTV cameras inside and outside the building site of the business.2. Installing an alarm system for the business building site.3. Lock down the systems to desks/ground, using security cables.4. Purchase an updated antivirus subscription and configure it on all the computer

systems.5. Install a better and more reliable spam filter software, which Microsoft recommends.6. Create separate user account for each employee and create different passwords for

each using the password policy. 7. Purchase and configure the same version of Windows 7 onto the systems which

don’t currently have it, or upgrade all the computer systems to Windows 8. 8. Schedule the system to automatically update patches and software.9. Create a secure password for the wireless network using the password policy

securing it with WPA2.10. Setup an additional backup onto a portable hard drive, and secure it into a safe.11. Protect data with a storage unit organisation, as this option is very secure as security

is taken care with 24/7.12. Backup data online using a reliable organisation, such as Google and (or) Microsoft. 13. Update the ISP router to the latest version which is compatible with the networks,

servers and computer systems.

Implementing and testing

Firewall

As seen in the screenshot, the firewall is activated to the network ‘JASSI’, this means that no viruses or threats have affected the computer system over a time period. The firewall therefore runs smoothly and is protecting the system from any upcoming threats.


Antivirus software


As seen in this screenshots the computer system is secured with a paid subscription McAfee Total Protection. The antivirus software also has extra features as seen, such as a built-in firewall, parental controls and backup protection. The screenshot was taken after an updated scan, which shows the computer is clean and secure.

Backups

As seen from the screenshots the system is scheduled to backup selected data every week at a certain time, and day of choice. This can be changed to ever hour or day or month if wanted. Personally I think once a week is ideal, as this shouldn’t be the only method of backup. This screenshot was taken before the backup was performed. Backups can also be restored using the recovery utility underneath.

Cloud Backup

As seen from the screenshot Dropbox is being used to store data on the cloud. A desktop version has been downloaded from the organisation’s official website, which makes it easier to view, copy and store data. This is done by a simple drag and drop structure, which is very fast and user friendly. An account for this is required and an annually payment of how much storage is needed which varies in price. As shown the files upload to the server very quick, as the green tick’s means the files are up to date. This is also shown on top of the recently changed tab.


Operating systems

Firstly Windows searched for updates automatically. This was changed in the settings to make important updates install automatically as users may forget to manually check for updates. Two important updates were found and automatically started to install in the background with awareness from the user.

After the updates were installed, a notification came up after telling the user that the updates were successfully installed without any errors. This shows that the Microsoft servers are working, which shows it is reliable therefore would want users to use their other services such as their storage cloud, and office suite which helps business. To ensure that the automatic and scheduled updates worked, after updates were checked manually and as seen there is no important updates that are available.


Permission access

Permission access for limiting times, software and games can be changed in the family safety settings in the user accounts control panel. This is a simple way to manage what a user can do and what they cannot do. As seen in the screenshot the program limits are on and the games rating is at no games. This means that the user would only be able to use certain software and application without permission of an administrator.

Webpage restrictions


Webpage restriction can be done by using Windows Live Family Safety which is built-in Windows 7. This feature can be enabled underneath the parental control settings. This requires an administrator logging into a Windows email account to manage the user on the computer system.

Once the account is logged on, the administrator may manage other features as well, which is already in the parental control that doesn’t require logging into an email account.

These settings can be personalised by aspirations, but the best method would be by having an allow list only, as users will still have some sort of freedom on the internet if on any given option. It is also recommend to block the user downloading anything, as it may be a threat to the computer system.

Evaluation


The firewall and anti-virus software worked brilliantly compared to before where there was only simple features in a free trial. This will ensure that threats are removed if any quickly. These extra features will benefit users as it will give them less hassle finding out a method to be secure. An example of this is the built-in webpage safety feature.

Cloud storage is one of the best method of backup, as the data is safe from being physically damaged, as they are saved on many servers internationally, therefore if UK’s servers for the organisation gets corrupt/ruined there’s many backups to be recovered from.

Permission and restriction controls for the organisation worked well, as employees got on with the work progressing for the business and all the computer systems are still running smoothly without them being able to do much.

Overall the security plan, was a huge improvement towards the organisation as they didn’t start off with much security that was very effective. Now that these security measures are taken, the business will have a lower chance of threats. However the plan isn’t perfect and there could have been some improvements on the way it has been approached. An example of this could have been doing the security features in a network/server form, instead of doing it individually on each computer system.

Technology

Security Plan for Small Networks/Offices