Sunteți pe pagina 1din 11

Running head: UNIT 6 ASSIGNMENT

IT541 Computer & Network Security


Unit 6 Assignment

By: Irik Ravenblade
IT541-01
Kaplan University
Professor: Dr. Lynne Williams
9/10/2013
UNIT 6 ASSIGNMENT 2

Part 1: Unit 6 Lab
Premier Collegiate School Risk Elements
There are numerous risk elements involving the Premier Collegiate School's IT assets,
including:
The school principal's notebook computer is used for personal tasks as well as school
business, providing an additional avenue for compromise (via malware, accidental
disclosure of student information, etc.); its use with social media sites further compounds
this risk. Additionally, there is a risk that the notebook computer (along with sensitive
data stored in it) may become lost or stolen. A well defined Acceptable Use Policy (AUP)
should be observed, security awareness training provided, user authentication required,
mandatory antivirus and patch updates applied, and encryption used to mitigate the risks
involved.
Students are required to possess laptops for wireless use on the school network, and are
vulnerable to the same risks as the principal's notebook computer; the security measures
listed above should be used.
The computers in the teacher's lounge are shared. In addition to restricted access to the
lounge, the computers should required separate user accounts and passwords, as well as
security and antivirus software.
The two file servers host sensitive data and mission-critical services. Servers should have
restricted physical and logical access, require regular maintenance and auditing, and
should be a part of disaster recovery planning.
UNIT 6 ASSIGNMENT 3

The computers in the computer science lab are shared desktops and should required
separate user accounts and passwords, as well as security and antivirus software.
The school network has wireless access. Although the network's wired access shares
similar vulnerabilities, wireless is particularly vulnerable to packet sniffing, interception,
and "piggybacking". It is recommended to disable SSID broadcasting and utilize network
encryption (at least WPA2) for wireless access. Both wireless and wired access should
use authentication and authorization, Firewalls, and ACLs, and have a monitoring and
auditing policy in place.
IT Asset Inventory Matrix
IT Asset Rank Domain FERPA Privacy Data
Impact
Assessment
10 Dedicated Admin.
Computers
6 Workstation
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs), and
Permissions
Critical
Principal's Notebook
Computer
7
Workstation/Remote
Access
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs),
Permissions, and Encryption
Critical
10 Shared Computers
(Teacher's Lounge)
12 Workstation
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs), and
Permissions; Physical access
would be restricted by locked
entry
Major
Administrative File
Server
2 System/Applications
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs), and
Permissions; Physical access
would be restricted by locked
entry
Critical
Dedicated Storage
(Admin. Server)
5 System/Applications
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs),
Permissions, and Encryption;
Physical access would be
restricted by locked entry
Critical
Wired/Wireless LAN
access (Admin. Server)
8 LAN
No. Although Security
Controls would include
Authentication, Access
Control Lists (ACLs), and
Major
UNIT 6 ASSIGNMENT 4

MAC filtering
Network Devices
(Firewalls, Routers, and
Switches)
4 LAN-to-WAN
No. Although Security
Controls would include
Authentication, Access
Control Lists (ACLs), and web
filtering.
Critical
Student File Server 3 System/Applications
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs),
Permissions, and Encryption;
Physical access would be
restricted by locked entry
Critical
Student Applications
(Student Server)
9 System/Applications
No access would be granted to
private data through student
applications, workstations, or
laptops; authentication would
be required to access student
coursework
Major
Wireless LAN Access
(Student)
13 LAN
No. Although Security
Controls would include
Authentication, Access
Control Lists (ACLs), and
MAC filtering
Major
Student Laptops 17
Workstation
* Remote Access (if
supported off-campus)
No access would be granted to
private data through student
applications, workstations, or
laptops; AUP would address
security controls and practices
for LAN or remote access
Major
25 Desktop Computers
(Computer Lab)
18 Workstation
No access would be granted to
private data through student
applications, workstations, or
laptops; authentication would
be required to access student
coursework
Minor
Student Records 1 System/Applications
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs),
Permissions, and Encryption;
Physical access would be
restricted by locked entry
Critical
Lesson Plans 11 System/Applications
No, lesson plans would not be
student specific and would not
be covered by FERPA.
However, Security Controls
would include Authentication,
Access Control Lists (ACLs),
and Permissions
Major
Test Banks 10 System/Applications
Yes. Security Controls include
Authentication, Access
Control Lists (ACLs),
Permissions, and Encryption;
Physical access would be
restricted by locked entry
Major
Administrators 14 User Access would be granted Major
UNIT 6 ASSIGNMENT 5

according to role, and
disclosure to a third party
requires a consent form signed
by the student; Security
Controls would include
Authentication, Access
Control Lists (ACLs), and
Permissions
Instructors 15 User
Instructor access would be
limited to minimum
permissions required to
perform their duties; Security
Controls would include
Authentication, Access
Control Lists (ACLs), and
Permissions
Major
Students 16 User
Student would be granted
access with valid identification
and sign consent form
Major

Recommendations
1) Use the principle of least privilege for access control, and encryption for all sensitive
data.
2) Provide security awareness training to all users, and implement a comprehensive AUP
that includes password and Internet usage policies
3) Perform regular monitoring and auditing of network and system assets, and require up-to-
date software patches and anti-malware definitions.
UNIT 6 ASSIGNMENT 6

Part 2: Unit 6 Lab Assessment
1. Which IT assets did you prioritize as critical to administrative or student computing?
The IT assets I prioritized as critical to administrative or student computing included:
Student Records
Dedicated Administrative Computers
Administrative File Server
Dedicated Storage (on the Administrative File Server)
Student File Server
Network Devices (Firewalls, Routers, And Switches)
Principal's Notebook Computer
2. List your top five (5) risk exposures for which you believe this school should have
specific risk mitigation strategies.
My top five (5) risk exposures include:
1) Wireless LAN - Unauthorized access to LAN and network resources
2) Principal's notebook computer - may get lost or stolen; may be exposed to
malware; potential unauthorized physical access
3) Shared computers in the teacher's lounge - may be exposed to malware or
unauthorized physical access
4) Students' laptops - may get lost or stolen; may be exposed to malware; potential
unauthorized physical access
UNIT 6 ASSIGNMENT 7

5) Shared computers in the computer lounge - may be exposed to malware or
unauthorized use (Kim & Solomon, 2012).
3. Given the potential risks that you identified, what IT security policies would you
recommend be created by the school to help mitigate each of the identified risk
exposures you listed in #2 above?
Security policies to help mitigate identified risks include:
A comprehensive Acceptable Use Policy (AUP) should be implemented, including
security best practices for: effective authentication and authorization practices; proper
email and Internet use; prohibition of inappropriate content; observance of legal
statute or law; and prohibition on unauthorized disclosure of sensitive information.
and required system and security maintenance
Security awareness training should be provided to all users
Information contained on school systems should be classified, with sensitive
information stored and transmitted using encryption; Disclosure of sensitive or
confidential information is strictly prohibited
All desktop computers and laptops should be password protected, and should be
locked or logged off when unattended; sensitive information on laptops must be
encrypted.
Passwords should be alpha-numeric, contain special characters, and at least 8
characters in length; passwords should be changed at least quarterly. Accounts and
passwords must never be shared.
UNIT 6 ASSIGNMENT 8

All computers and laptops should use approved, up-to-date antivirus software, and all
software be up-to-date
Access control and permissions should use the least privilege principle
Regular monitoring and auditing of network and system assets should be performed
Network access controls should include mechanisms for authentication and
authorization, Access Control Lists (ACLs), and firewalls
Physical security should be implemented to secure mission-critical systems, including
a secured server room, locks on entryways to the teacher's lounge, monitored use on
the computer lab workstations, and video surveillance in key areas of the campus
(Dulaney, 2009; Kim & Solomon 2012).
4. True or False. FERPA Compliance law is about protecting the privacy data of students
including personal information, grades, and transcripts. The law itself defines a privacy
requirement but it does not specifically address security controls and security
countermeasures.
True. While the law defines the scope of privacy requirements, including provisions for
disclosure, it does not specify which security controls and countermeasures must be implemented
(Kim & Solomon, 2012).

UNIT 6 ASSIGNMENT 9

5. Given that student privacy data is typically housed within administrative computers,
systems, and databases, what can you do to mitigate the risk exposure that a student or
someone on the student or schools network can access these systems?
There are a number of security control mechanisms and practices that can be used to
mitigate the risk of exposure to unauthorized access. Access control with strong authentication
mechanisms can help secure student privacy data, such as Role-Based Access Control (RBAC)
combined with multi-factor authentication; access and computer/network activity should be
logged and audited regularly (Dulaney, 2009). Security zoning through access control lists
(ACLs) and virtual local area networking (VLAN) can be used to isolate sensitive data and
mission-critical systems; likewise, firewalls can be implemented as a perimeter defense for
school network systems, and can be used to create a demilitarized zone (DMZ) for providing a
buffer between the school systems and un-trusted networks (Dulaney, 2009). Additional
countermeasures could include physical security such as secured rooms, locked entryways, video
surveillance, and security personnel (Dulaney, 2009).
6. For a school under FERPA compliance law, do you think the administrative computing
or students computing network infrastructure is more important from a business and
delivery of education perspective?
In regards to FERPA compliance, the administrative systems hold higher priority because
they house or directly integrate student information, and support the network infrastructure and
services. Federal funding can be crucial for maintaining educational services and day-to-day
operations; in order to receive federal funding, Premier Collegiate School must meet all FERPA
requirements and protect its student records, particularly personally identifiable information or
UNIT 6 ASSIGNMENT 10

indirect information that can be used to identify a student (Kim & Solomon, 2012). By contrast,
student systems would be essential for maintaining the educational curriculum, but would not
have access to private student information with proper security zoning and access control
implemented, and therefore would have lesser importance in context with FERPA compliance.
7. The school monitors the use of student social networking on Facebook, MySpace, and
Twitter. What should the school define and implement if it wants to define acceptable
and unacceptable use of school IT assets, Internet, e-mail and use of personal laptop
computers on the schools network?
Premier Collegiate School should implement a comprehensive AUP in regard to the use
of school resources (including devices that connect to the school network). This AUP should
include best practices for email and Internet use; prohibition of inappropriate content or illegal
activity; and requirements for strong password policy, antivirus and software updates, and secure
account handling, as well as monitoring policies (Dulaney, 2009). In regard to social networking
activity, the AUP should also stipulate confidentiality requirements, and prohibit offensive or
illegal content and activity; additionally, the UAP should include times allowed (if any) for
personal use on the school network. Additionally, the AUP should require that all computers and
laptops connecting to the school network have authorized antivirus software installed and
regularly updated. Another mitigation technique includes security awareness education against
social engineering attacks (Stallings & Brown, 2008).


UNIT 6 ASSIGNMENT 11

References
Dulaney, E. (2009). CompTIA Security+ Study Guide. Indianapolis, IN: Wiley Publishing, Inc.
Kim, D., & Solomon, M. G. (2012). Fundamentals of Information Systems Security. Sudbury,
MA: Jones & Bartlett Learning.
Stallings, W., & Brown, L. (2008). Computer security: Principles and practice (2nd ed.). Upper
Saddle River, NJ: Pearson Education, Inc.