Term Paper
Student’s Name
Institutional Affiliation
THE ROOKIE CHIEF SECURITY OFFICER 2
Introduction
Information security is an important element of any firm, protecting its IT infrastructure and
operations from external and internal threats. As companies become increasingly reliant on
technology for efficiency and innovation, it is necessary to ensure that their investments do
not result in reputation and financial losses. Furthermore, the constantly evolving threat
Organization Chart
CIO
The Chief Information Officer is the highest IT-related role in the digital forensics
uninterrupted investigations.
The CISO works to develop and verify the specifications of security policies
policies conform to regulatory and industry standards thereby minimizing data and litigation
risk.
Personnel in this role provide forensic investigators with details regarding the
technical aspects of the existing IT system, and the underlying components. They can also
IT Security Engineer
This role involves developing the data security policy which provides details about
Security Manager
The security manager provides details about the existing physical security systems for
IT Privacy Professional
IT Procurement Specialist
The IT Procurement Specialist works to procure hardware and software assets for the
organization. They use their industry expertise to select the most optimal vendors based on
from the security manager, procurement professional, and a privacy professional at the lower
levels. These positions identify them as responsible for the successful implementation and
maintenance of policies from higher organizational levels. Through their participation in their
ensures delivery of optimal security measures as it increases their engagement in the process.
Since the company has no prior expertise in managing the security for complex IT
infrastructure, it would like to solicit qualified vendors to provide the required IT services.
The vendor’s primary role will be developing security processes and programs that secure the
firm’s information systems. Given the current expansionary strategy of the business and a
desire to future-proof the infrastructure, the solution should cover both logical and physical
security of the IT systems. The solution provider should also provide a means for secure
Vendors interested in fulfilling the roles defined above will have to fulfill several
Since the organization’s IT structure is distributed across various regions and offices,
The vendor should also provide employee training on how to use the solution in
The vendor should also provide after sales technical support to deal with challenges
Once submitted, the proposals will be analyzed and a short list of qualified suppliers will
furnishing details on how the proposed solution would cover them adequately
The vendors will also have to demonstrate technical competency in the use of
The pricing variations between vendors for different parts of the project
defenses established. Gaps in the physical barriers of an IT system may facilitate direct
network access for intruders which would bypass most logical measures thereby
compromising company data. Furthermore, physical access increases the risk of damage or
loss of information as intruders have increased leeway for their malicious activities.
In this case, the physical protections will form the first line of defense against external
threats. The adequacy of provided solutions will depend primarily on the construction of the
building housing the physical IT hardware. The architectural design should also consider the
expected use and security requirements. Ideally, the building walls and fence should be made
of reinforced concrete. The windows should be located high and barred to prevent
unauthorized entry from outside. Additional preventative measures include electrified fencing
above the perimeter wall. Furthermore, data centers and other industrial server spaces require
continued ventilation which necessitates a stable power supply. There should also be clear
processes and procedures concerning emergency events such as fire, earthquakes, and floods
Physical access restrictions will also help in securing IT assets in the form of building
access controls such as RFID tags, biometric chips and smart cards. All employees will have
implemented for the areas requiring additional security such as server and telecoms rooms
with access limited to few personnel. This can be implemented through a combination of
smart cards and either fingerprint or facial scans of the authorized personnel which limits the
security risk.
The final aspect of physical security involves the facility surveillance which will be
maintained throughout. The video surveillance should cover all possible entry points and can
aid in identifying suspicious activities in addition to providing a reference point for forensic
investigations. The facility will have CCTV cameras placed at multiple angles throughout the
facility. These will include perimeter walls, rooftops, entrances, and walkways. There will also
be a centralized control room operated by qualified technicians. In some areas, cameras will
include additional features such as infrared, pan tilt, and motion sensing to minimize the
physical security risk while covering blind spots effectively. The identification and resolution
of blind spots will require extensive testing of camera coverage after installation. Moreover,
motion detectors linked to silent alarms should be installed stealthily along critical areas or
In addition to the above physical facility features, the compound will also require
adequately qualified security personnel for patrolling. These personnel will be responsible for
monitoring traffic into and out of the building and should provide fast responses when motion
In the last five years, there have been numerous reports of data breaches on
enterprise databases which has heightened awareness about the evolving nature of cyber
threats. Therefore, the Board of Directors has requested a robust security plan and policies. At
the network’s perimeter, the new system should have a demilitarized zone (DMZ). This will
be a logical subnetwork that will expose the organization’s services to the Internet to facilitate
secure remote access. The DMZ provides an additional security layer for the local network as
external users can only access authorized content in the DMZ. In case of intrusion, the DMZ
will also provide additional time to identify and respond to breaches before they compromise
internal networks. For the organization, the services most vulnerable to external attacks
include email, Domain Name System (DNS) servers, and the local area network.
Infrastructure in the DMZ can only have limited connectivity to particular hosts in the
internal network with communication occurring over secure encrypted channels. Therefore,
the DMZ will host the application firewall. A Classified Militarized Zone (CMZ) will be used
to host the Web servers among other services that interface to the Internet that do not form
part of the DMZ but may have sensitive information. Internet-facing components will
communicate via HTTPS on port 443, which provides improved security through encryption.
Wi-Fi networks within the organization’s offices and facilities will restrict internal access to
authorized employees only through WPA security which employs a temporal key integrity
Rapid technological innovations present new attack vectors for malicious users.
anticipated threats. Most organizations achieve this through contracting third party
penetration testers that attempt to infiltrate network defenses through identifying and
exploiting weaknesses. The testers then provide recommendations on how the vulnerabilities
regarding security and strategy that has managerial support. In this case, the organizational
policy aims to achieve three main goals: restricting access to data and information assets to
data and IT systems, and ensuring availability where users can access information when
necessary. In developing these policies, the NIST SP 800 provides industry standards for the
safeguarding of enterprise systems while the PCI DSS provides guidance in securing payment
solutions.
The authority and access control policy will help in maintaining the confidentiality
of data. Usually, security policies follow a hierarchical pattern where lower level employees
cannot share their limited information unless directly authorized. On the other hand, senior
managers may authorize sharing decisions. Essentially, employees will have authority over
their own work while project managers can access files related to groups in which they
participate. In some instances, users may need to access confidential data for effective
performance of their roles which requires granularity in the data attributes to facilitate
authorized access.
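The hierarchical rule described above (employees own their work, project managers can reach their groups' files, senior managers authorize sharing, and confidential attributes need explicit authorization) can be expressed as a small access-control check. The following is an added example, not code from the paper; the user names, roles, file paths and the "confidential" attribute are constructed assumptions for illustration.

```python
"""Added example (not from the paper): a hierarchical authority and access
control check. Employees may access their own files, project managers may
access non-confidential files of groups they participate in, and only senior
managers may authorize an explicit sharing grant. Confidential files require
such a grant regardless of role (the 'granularity in data attributes' the
policy calls for). All identifiers below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str                 # "employee", "project_manager" or "senior_manager" (assumed role names)
    groups: FrozenSet[str]    # project groups the user participates in


@dataclass(frozen=True)
class File:
    path: str
    owner: str
    group: str
    confidential: bool = False   # data attribute that forces explicit authorization


@dataclass
class AccessPolicy:
    # explicit sharing grants: (grantee name, file path), each approved by a senior manager
    grants: Set[Tuple[str, str]] = field(default_factory=set)

    def authorize(self, grantor: User, grantee: User, f: File) -> bool:
        """Record a sharing decision; only senior managers may make one."""
        if grantor.role != "senior_manager":
            return False
        self.grants.add((grantee.name, f.path))
        return True

    def can_access(self, user: User, f: File) -> Tuple[bool, str]:
        """Decide access and return the reason, so the decision can be logged for audit."""
        if f.owner == user.name:
            return True, "owner of the file"
        if (user.name, f.path) in self.grants:
            return True, "explicit grant by senior manager"
        if f.confidential:
            return False, "confidential: explicit grant required"
        if user.role == "project_manager" and f.group in user.groups:
            return True, "project manager of the file's group"
        return False, "no authority over this file"


def demo() -> dict:
    """Walk through the rules with constructed users and files."""
    alice = User("alice", "employee", frozenset({"proj-a"}))
    bob = User("bob", "employee", frozenset({"proj-a"}))
    pm = User("carol", "project_manager", frozenset({"proj-a"}))
    senior = User("dave", "senior_manager", frozenset())
    notes = File("/proj-a/alice/notes.txt", owner="alice", group="proj-a")
    payroll = File("/proj-a/alice/payroll.xlsx", owner="alice", group="proj-a", confidential=True)

    policy = AccessPolicy()
    results = {
        "alice_own_notes": policy.can_access(alice, notes)[0],
        "bob_peer_notes": policy.can_access(bob, notes)[0],
        "pm_group_notes": policy.can_access(pm, notes)[0],
        "pm_confidential": policy.can_access(pm, payroll)[0],
        "pm_may_authorize": policy.authorize(pm, bob, payroll),
        "senior_may_authorize": policy.authorize(senior, pm, payroll),
    }
    results["pm_confidential_after_grant"] = policy.can_access(pm, payroll)[0]
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(f"{rule}: {outcome}")
```

Returning the reason alongside the decision is deliberate: the audit-trail requirement later in the paper is easier to satisfy when every access decision can be logged with the rule that produced it.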
The organization will also maintain resource access logs for each server that they
manage. These logs include system access logs (for both successful and unsuccessful login
events), operating system access logs (which cover invalid attempts to access operating
A comprehensive audit trail should be maintained of all activities that are carried out within
the system. A system event logging tool should keep a detail of these activities to be produced
to a security auditor. Apart from reviewing the implementation of guidelines like those
mentioned above, a security auditor should also review all security measures in place
including access control permissions for users. An audit trail can provide an organization with
an overview of its system operations and can help in tracking past events should forensic
The most unpredictable security factor for any information system is its users and
therefore also its biggest liability. It is very difficult to contain employee activity at all times.
However, conducting regular security training sessions with the employees should
considerably reduce the risks to the system posed by them. Employees can jeopardize security
either through deliberate or inadvertent actions. Training can help in preventing the
occurrence of the latter while the former will require an effective monitoring system that
cultivated among the employees so as to co-opt them into looking out for the security of the
Defining the security needs of the organization will be done in accordance with duties,
staffing, training, and processes. The steps followed in doing so will be as follows.
Employee security credentials will be set to only have access to information that is
The staffing of the various departments will play a part in determining the type of
security needs in them. Manufacturing will for example need to be provided with only
the latest threats. This training will be aimed to all employees in every department as
There being various processes that are carried out within the organization, they will
all be ranked in accordance with their importance. The most important and critical
processes will be provided with the highest level of security available. These include
Effective risk management requires that those responsible understand all the potential
avenues of risk. Whichever way the risk might be presented, it is necessary that all measures
be taken to be prepared for every one of them identified. The preparation could take the
direction that is fraught with incomprehensible risks. This requires that a risk has to
have been identified first and the organization determine that it lacks ways to
surmount it. This is a preemptive measure that should shield the organization from
Risk can be transferred to a third party if the organization cannot avoid a risk and lacks
the capacity to handle it. Best practice has been to transfer the risk to an underwriter
like an insurance company. Once they have taken on the risk, they get to absorb its
The organization can take on the risks itself by putting in place mitigation measures.
This way, it can face the risks but control them such that they do not cause the organization
as much as they would have otherwise. Since the risks will obviously vary, the
risk mitigation, the organization is willing to take the brunt of a risk to a certain
extent. Usually, this will be to gain a fair understanding of it as they work to handle it.
(Layton, 2016).
When risks materialize, they can be indiscriminate in the extent of damage they cause.
However, an organization can really control the damage if they have their priorities defined.
These priorities take the form of the most critical processes of the organization. These
processes should they be severely affected would cause the most damage to the organization.
As such, they take precedence when it comes to setting priorities and they are accorded for
risk management resources over the rest. A sound risk management strategy then becomes the
one that has been anchored in effectively taking care of the organization’s most important
channels and valuable data like financial, client records and other processes that are central to
the organization’s continued operations. The risk management strategy will outline the
biggest risks facing them and the best possible way to handle them should they materialize.
With these priorities in place, an organization might still experience the effects of a risk but
limit them to the less important or urgent parts of its operations.
Effective risk monitoring will take shape with both technical and management
controls in place. The management will take an administrative position by ensuring the risk
monitoring apparatus has at its disposal the necessary resources. These resources can come in
the form of financial, personnel, authority and other requisite support. Risk monitoring is
departmental heads support it. This can be ensured by efforts from the management.
Technical controls to accurately monitor risks will be anchored by frequent risk audits, and
effective early warning mechanisms. Risk audits provide the state of the system and will
identify the strengths and weaknesses of the organization. The audit results will then lead to
efforts to plug those weaknesses identified. System event logging can be used to provide a
baseline of normal activity. Any change in this baseline then becomes the early warning
mechanism that alerts to potential risks. The technical efforts at risk monitoring only become
successful when the management has provided an environment for it to be so. (Peltier,
2016).
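The access-log requirement earlier (successful and unsuccessful login events kept per server) and the early-warning idea just described (a baseline of normal activity from system event logging, with deviations raising an alert) fit together naturally. The following added example, which is not code from the paper, builds a baseline of daily failed logins from constructed log lines and flags a later day that deviates from it; the line format, the user names and the alert threshold (mean plus three standard deviations, with a floor) are assumptions for illustration.

```python
"""Added example (not from the paper): establish a baseline of normal activity
from system access logs and raise an early-warning alert when a new day's
failed-login count deviates from it. Log lines are constructed here in an
assumed format: "<date> <time> login user=<name> result=<success|failure>"."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) \d\d:\d\d:\d\d login "
    r"user=(?P<user>\w+) result=(?P<result>success|failure)$"
)

Record = Tuple[str, str, str]   # (date, user, result)


def parse_lines(lines: List[str]) -> Tuple[List[Record], int]:
    """Parse log lines; malformed lines are counted rather than silently dropped,
    since gaps in the audit trail are themselves worth reporting to the auditor."""
    records, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["date"], m["user"], m["result"]))
        else:
            malformed += 1
    return records, malformed


def failures_per_day(records: List[Record]) -> Dict[str, int]:
    """Count unsuccessful logins per day, keeping days with zero failures in the baseline."""
    per_day = {date: 0 for date, _, _ in records}
    for date, _user, result in records:
        if result == "failure":
            per_day[date] += 1
    return per_day


def build_baseline(records: List[Record]) -> Tuple[float, float]:
    """Baseline = (mean, sample standard deviation) of daily failed logins."""
    counts = list(failures_per_day(records).values())
    if len(counts) < 2:
        raise ValueError("need at least two days of logs to establish a baseline")
    return statistics.mean(counts), statistics.stdev(counts)


def detect(baseline: Tuple[float, float], records: List[Record],
           k: float = 3.0, floor: int = 5) -> List[dict]:
    """Alert on any day whose failures exceed mean + k*stdev (never below 'floor',
    so a very quiet baseline does not alert on a single extra failure)."""
    mean, stdev = baseline
    threshold = max(mean + k * stdev, floor)
    alerts = []
    for date, failures in sorted(failures_per_day(records).items()):
        if failures > threshold:
            by_user = Counter(u for d, u, r in records if d == date and r == "failure")
            top_user, top_n = by_user.most_common(1)[0]
            alerts.append({"date": date, "failures": failures, "threshold": round(threshold, 2),
                           "top_user": top_user, "top_user_failures": top_n})
    return alerts


def make_day(date: str, successes: int, failures: Dict[str, int]) -> List[str]:
    """Constructed sample log lines for one day (illustration only)."""
    lines = [f"{date} 08:{i % 60:02d}:00 login user=user{i % 7} result=success"
             for i in range(successes)]
    for user, n in failures.items():
        lines += [f"{date} 09:{i % 60:02d}:00 login user={user} result=failure" for i in range(n)]
    return lines


# Constructed baseline week: 2, 3, 2, 4, 3 failed logins per day, plus one corrupt line.
BASELINE_LINES = (
    make_day("2016-11-21", 40, {"user1": 2})
    + make_day("2016-11-22", 38, {"user3": 3})
    + make_day("2016-11-23", 42, {"user2": 2})
    + make_day("2016-11-24", 41, {"user1": 1, "user5": 3})
    + make_day("2016-11-25", 39, {"user4": 3})
    + ["corrupt line that does not match the format"]
)
# Constructed new days: one normal, one with a burst of failures from a service account.
NEW_LINES = (
    make_day("2016-11-28", 40, {"user2": 3})
    + make_day("2016-11-29", 40, {"svc_backup": 20, "user1": 1})
)


def run() -> Tuple[Tuple[float, float], int, List[dict]]:
    base_records, malformed = parse_lines(BASELINE_LINES)
    baseline = build_baseline(base_records)
    new_records, _ = parse_lines(NEW_LINES)
    return baseline, malformed, detect(baseline, new_records)


if __name__ == "__main__":
    baseline, malformed, alerts = run()
    print(f"baseline mean={baseline[0]:.2f} stdev={baseline[1]:.2f}, malformed lines={malformed}")
    for alert in alerts:
        print("ALERT", alert)
```

The alert carries the user behind most of the failures so the security team can start from a concrete lead; the malformed-line count is returned separately because a sudden rise in unparseable lines can signal tampering with the logs themselves.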
References
IT Security Essential Body of Knowledge (EBK). (n.d.). Retrieved November 29, 2016, from
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2007-12/ISPAB_Dec7-BOldfield.pdf
NIST SP 800-39, Managing Information Security Risk. (n.d.). Retrieved March 2, 2016, from
http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for