CONFIDENTIAL

Executive Summary

The purpose of this report was to assess the newly installed networking environment at XYC Ltd. This report is limited by the writer not having been present before or during the installation of the new system, and therefore relying upon information provided by people with limited technical skills. The scope of this report is primarily focused on the networking environment and its associations with employees. Strategies that will provide longevity to the business are also provided throughout the report to assist management in making more informed decisions. An assumption is made that the internet service provider (ISP) is Telstra.

The project background discusses information that has been provided by the staff and owner of XYC Ltd. The project scope was realised as an overhaul of the entire system at the four branches located at Brisbane, Gympie, Maryborough and Nambour. The project goal was to provide a streamlined approach to the business operations that would give staff the tools to support the ever expanding customer base. Strategic alignment of the networking project was identified using a SWOT analysis, which illustrated that the strengths and opportunities far outweighed the weaknesses and threats.

Network Security identified that, because the networking equipment is newly installed, the greater threat is the one that arises through employee shortfalls. People, policies and products need to be used in a cooperative effort to support and protect the business effectively. Therefore, employees and the implementation of policies are imperative in securing data. Because Telstra is used as the ISP, a safer external network can be relied upon when using these services. However, significant concerns are presented by allowing a wireless local area network and bring your own device, as data theft can occur in both circumstances.
The hardware purchases section recognises the importance of procurement strategies that ensure the networking environment has minimal disruptions. It is inevitable that networking equipment will fail or be susceptible to loss or damage; however, the business can plan for such instances so that the impact on the productivity and efficiency of the organisation is not so harmful. A business can plan for acquisitions by creating an asset register, preferred supplier lists and emergency plans so that, in the event of a disaster, employees can react by referring to the appropriate plans. Other important considerations are user feedback and reviews, which can provide insightful information into how software and hardware are being used.

Business continuity provides insight into how the business can plan to ensure its endurance. The first consideration is the backup procedures of the organisation. Backups made to the cloud provide an effective option that also satisfies an essential requirement, which is to store backups offsite. This is vital where issues relating to physical security can be identified. Other considerations are to ensure disaster recovery plans are instigated and physical security of the internal environment is implemented. Succession planning is also discussed, which identifies the people who can take over key roles within the business and makes plans that ensure the organisation continues as usual.

Risk management provides details about how XYC Ltd can approach risk situations, such as identifying risk categories and descriptions. Implementation of security policies is a major factor that requires execution to protect the assets of XYC Ltd. The policies can also have other beneficial effects, such as illustrating organisational strategy and expected behaviours of employees. Training and awareness programs will help support the policies of the organisation in many ways by providing a preventative action that reinforces user practices and compliance.
Integration technology is also discussed through the use of platform as a service (PaaS) or mashups; however, security and interoperability issues may exist that require further research.

The recommendations of this report include implementation of policies and procedures that support the business strategy and business continuity and incorporate security considerations for data protection. Use of mobile devices and wireless LAN should be limited until additional security protections can be applied, such as captive portal access points, rogue discovery tools and mobile device management. An asset register needs to be created and managed to support organisational strategy, empower business continuity and support risk management processes. Cloud based backup systems will provide a reliable offsite solution for the organisation. A succession plan should be initiated that identifies who will take the role of key employees if they are unexpectedly unable to attend work. Finally, deployment of a training and awareness program for employees that involves management of security and risk situations is of high importance to support all of the above recommendations.
Table of Contents

Executive Summary
1.0 Introduction
1.1 Authorisation
1.2 Limitations
1.3 Scope of report
1.4 Assumptions
2.0 Project background
2.1 Network project background
2.2 Network project scope
2.3 Network project goal
2.4 Strategic alignment of network project
3.0 Network Security
3.1 Securing data
3.1.1 People, products, policies and procedures
3.1.2 ISP security and privacy considerations
3.1.3 Other threats to data
3.2 Mobile device security
3.2.1 Wireless Local Area Network (WLAN) attacks
3.2.2 BYOD risks
4.0 Plan for hardware purchases
4.1 Acquisition of new hardware
4.2 End user feedback and reviews
4.3 Purchasing strategies
4.4 Asset register
5.0 Business Continuity
5.1 Data Backup
5.2 Physical security
5.3 Succession planning
6.0 Risk Management
6.1 Security policy
6.2 Training and awareness
6.3 Integration technology
7.0 Conclusion
8.0 List of recommendations
List of references
Bibliography

1.0 Introduction

1.1 Authorisation

This report has been prepared at the request of the owner of XYC Limited (Ltd) for the purpose of evaluating the new system, with an interest in the cohesiveness of the new system and its compliance with regulations such as privacy.

1.2 Limitations

This report is limited by the information provided to the writer by persons with limited technical skills.

1.3 Scope of report

This report addresses the circumstances of XYC Ltd and relates to the systems presently being used at the four locations: Brisbane, Gympie, Maryborough and Nambour. The report explores the issues related to the newly established networking environment, the associations between the network and the employees, and strategies that will enable the business to perform efficiently and effectively while complying with privacy regulations.
1.4 Assumptions

It is assumed that XYC Ltd has the Internet Service Provider Telstra supplying ADSL to all the premises located at Brisbane, Gympie, Maryborough and Nambour.

2.0 Project background

Reflection on the project background is necessary for identification of the issues challenging XYC Ltd. The owner of the organisation has committed significant capital to upgrading the information system and is apprehensive as to whether information security and privacy are being upheld. Investigations into the new information system were performed to identify why the project was necessary, the scope of the project, expectations, and the alignment of the project with strategic goals.

2.1 Network project background

The information system has recently been upgraded so that management and employees can better manage the natural growth of the business from the initial site located at Nambour. The purchase of a competitor's operations at Gympie and Maryborough and the opening of a new store at Brisbane have increased sales objectives, and it became necessary to upgrade the existing systems to better support the organisation. Issues that
were identified as giving need for the information system upgrade included customer dissatisfaction, inefficient productivity and inaccurate stock control. The business has few technical staff; therefore the shift to the new information system has been a learning experience for all employees. The project also resulted in additional staff being recruited to support the change more effectively.

2.2 Network project scope

The project involved implementing a distributed database at each location and web based systems for stock control, customer management and accounting. An internet connection via ADSL (Asymmetric Digital Subscriber Line) was also established with a modem and switch that incorporates wireless, for staff to connect to via BYOD (Bring Your Own Device). The project was designed to suit the four locations and the staff, with plans to expand operations further in the future. Approximately eighteen staff are currently employed, with the prospect of hiring an additional staff member at the Brisbane office for sales representation, who may require remote access. The business currently has no policies and procedures in place to help the business owner control the operations of the business.

2.3 Network project goal

The project goal was to provide management and staff with the tools required to serve the ever expanding customer base. The first objective was to deliver an inventory control system that would be accessible by all employees, accurate and reliable. Another objective was to support customers by providing staff with a customer focused application that could deliver accounts receivable. The project required upgrading all of the stores with the required networking equipment and installing a network suitable to cope with the needs of the organisation.
It was also necessary to upgrade how staff dealt with customer relationship management by applying a CRM system and a website to support the products the business has available for sale.

2.4 Strategic alignment of network project

The intention to upgrade the information system can be evaluated against the business environment in the form of a SWOT analysis. Table 2.4 demonstrates that instigating the upgrade of the information system was the logical next step. The rapid growth of the business and the realised benefits of providing the workforce with valuable tools indicate a sustainable business plan. The table also shows that strengths and opportunities far outweigh the weaknesses and threats in this circumstance.

Table 2.4 SWOT analysis of network project

Internal
  POSITIVE: Strengths
    • Expanding customer base
    • Improving sales targets
    • Staff who know customers
    • Cloud based software that allows growth
    • Dedicated staff
  NEGATIVE: Weaknesses
    • Staff who are inexperienced in computerised systems
    • Lack of policies and procedures
    • Lack of technically qualified staff
    • Insider threat

External
  POSITIVE: Opportunities
    • Connect with customers using intelligent systems management
    • Increase market share
    • Hire a sales representative
    • Integration of systems
    • Staff empowerment
  NEGATIVE: Threats
    • Competitors' agility
    • Information leaks

3.0 Network Security

In assessing the network at XYC Ltd, one approach may be to evaluate the network devices, network technologies and design. As the entire network equipment is newly purchased, the focus will instead move to addressing one of the business's weakest links and greatest threats: the employees.
Safeguarding information is possible through technologies and appliances such as subnets and virtual local area networks; however, a virus or malware contamination is still possible if an employee introduces an infected USB device or an unsecure application on a mobile device (Ciampa 2015). Securing data and mobile device security through internal controls are discussed in more depth in the following sections.

3.1 Securing data

XYC Ltd has experienced significant growth in a short time, and the introduction of the new information system has brought new responsibilities to the XYC business environment. One such obligation is to ensure the data is protected. Management of information security can be applied through various arrangements that can be either internal or external (Ciampa 2015). Internal approaches should be applied in three layers: people, products, and the implementation of policies and procedures. Ciampa (2015) explains that the three layers interrelate with one another, so that people can use the procedures to know how to use the products that safeguard the information.

3.1.1 People, products, policies and procedures

As the information system at XYC Ltd predominantly relies on using the internet, the introduction of policies and procedures is imperative. Policies and procedures will also assist technicians by providing the rules on how the network should be configured (Ciampa 2015). Rules relating to device security can be established, such as those relating to the router, which is considered the most important networking device in the network (Ciampa 2015). Policies can also be applied to staff for the storage and accessing of data, usage of digital technologies and dealing with customer information (Queensland Government 2016).
3.1.2 ISP security and privacy considerations

As XYC Ltd depends heavily on the internet to operate the business, assurance that the ISP (Internet Service Provider) is supplying a secure WAN (Wide Area Network) that will safeguard against infection by viruses and malware is also a consideration worth mentioning. The BigPond Network delivers a secure network by applying a feature that removes bad traffic associated with botnets, which will reduce the effect of cyber-attacks (Telstra 2016). Confidence in the online security of information exchange with payment systems can be maintained when using the current ISP.

3.1.3 Other threats to data

A major threat to any organisation is its employees. Because many of the staff at XYC Ltd have limited technical knowledge of information systems, there is a greater chance of harm being caused, whether intentional or not (Crawford et al 2005). To secure company data, major industry leaders have recognised best practices that can be embraced by small business (Crawford et al 2005). Table 3.1.3 identifies nine of the most important security measures to protect computer networks (Crawford et al 2005).

Table 3.1.3 Best practice for network security in small business

1. Install and properly configure a firewall
2. Update software
3. Protect against viruses, worms and Trojans
4. Implement a strong password policy
5. Implement physical security measures to protect computer assets
6. Implement company policy and training
7. Connect remote users securely
8. Lock down servers
9. Implement identity services (intrusion detection)

(Adapted from: Crawford et al 2005)

3.2 Mobile device security

Mobile devices have become a necessary inclusion in small business; however, there are significant risks that are not always considered when they are first implemented.
Mobile devices are great for mobility, productivity and flexibility; however, issues such as limited physical security, application downloading and access to untrusted content are a concern (Ciampa 2015). Small businesses are often more agile in adopting innovative approaches to technology because owner operators can often see the problem areas and react quickly (Harris & Patten 2013). However, small business is also less likely to adopt a security stance that would give adequate protection against financial losses (Crawford et al 2005). Following are some concerns that XYC Ltd can deliberate on regarding wireless local area networks and bring your own device risks.

3.2.1 Wireless Local Area Network (WLAN) attacks

Currently there are many staff at XYC Ltd who connect wirelessly with a mobile device such as a laptop. The risk of such an environment is significant, as the asset that holds the most value is very attractive to those who wish to steal or damage
vital information (Gupta & Hammond 2005). Capturing wireless data is one of the most common enterprise attacks from outside the enterprise, while rogue access points and evil twin access points are internal (Ciampa 2015). WLAN attacks can be overcome by proper configuration of devices and employee training programs.

3.2.2 BYOD risks

Currently XYC Ltd enables staff to connect to the wireless network located at each office using their own device. While this option is practical for XYC Ltd, as it relieves the business of additional financial constraints, there are risks associated with such a position (Ciampa 2015). Personal devices may be shared among non-corporate users, which may expose sensitive information (Ciampa 2015). Other concerns include the introduction of malicious software that may infect the network, and a variety of devices with different operating software that can make forming a security baseline difficult (Ciampa 2015). BYOD should not be implemented without ensuring that minimum requirements are upheld on the personal devices and that training programs embed an awareness in staff of data safekeeping and protections.

4.0 Plan for hardware purchases

Planning for hardware purchases is vital if XYC Ltd wants to have an advantage over competitors. There are important reasons for having a procurement strategy that recognises the important services that keep the operations of the organisation working. Research shows that businesses which align strategic and purchasing orientation have demonstrated increased financial and operational performance (Batenburg et al 2015). Although hardware purchases can place a financial burden on small businesses such as XYC Ltd, it can be prepared for the unexpected by having contingency plans in place to ensure continuity of operations.

4.1 Acquisition of new hardware

A hardware purchase may be inevitable due to failure, loss or damage.
This may especially be a concern because the Gympie store is located within a flood prone zone. It may be that XYC Ltd has transferred the risk by insuring the assets of the business (Ciampa 2015). However, to be prepared for such a circumstance, XYC Ltd can create and maintain an asset register, emergency plans, budget forecasts, reviews, strategies, policies and procedures. This will empower staff who find themselves in the unforeseen position to know what needs to be done to overcome the situation, minimise disruption and avoid any loss of productivity.

4.2 End user feedback and reviews

Understanding how employees are using the hardware should be incorporated into the planning of hardware purchases. There may be instances where software applications are not performing adequately due to outdated or overburdened hardware (Computer Weekly 2002). Security concerns may also be highlighted through a review, such as applications that have been downloaded without the user's consent and are running in the background (Crawford et al 2005). By scheduling reviews, end users have the opportunity to evaluate the performance of hardware, thereby providing a more informed decision making process for management (Haring ND). A review process will also allow management to identify other potential risks, discussed later in section six (Ciampa 2015).

4.3 Purchasing strategies

Integrating procurement strategies that suit the business is important for strategic alignment. Ensuring there is enough money, or access to finance, to purchase hardware while safeguarding cash flow requires careful forward planning. Small businesses like XYC Ltd are more likely to have high levels of communication, which indicates a better alignment with strategic positioning (Batenburg et al 2015).
Also, the management of XYC Ltd may wish to take advantage of opportunities to buy hardware at reduced prices; therefore identifying preferred suppliers and understanding the business's requirements through the asset register is highly encouraged (Haring ND).

4.4 Asset register

Identification of assets is not only necessary for accountants, as protection of IT assets is also highly recommended. IT assets are often being added or replaced, making the job of keeping track difficult (Ciampa 2015). However, an asset register can serve many purposes, such as knowing when replacement hardware may be due, or assisting with risk assessment (discussed later in section six). The machines in Table 4.4 whose replacement is marked as due, consisting of four counter desktops and two laptops located at Nambour and Maryborough, may be due for review or replacement.

Table 4.4 Identification of IT assets

Office       Machine               Age       Asset effective life   Replacement due
Nambour      2 Counter desktops    4 years   4 years                Yes
Nambour      2 Counter desktops    2 years   4 years                2 years
Nambour      2 Laptops             2 years   2 years                Yes
Nambour      Accounts desktop      1 year    4 years                3 years
Nambour      Networking equipment  New       5 years                5 years
Nambour      Distributed database  New       5 years                5 years
Brisbane     3 Counter desktops    6 months  4 years                3.5 years
Brisbane     1 Management desktop  6 months  4 years                3.5 years
Brisbane     Networking equipment  New       5 years                5 years
Brisbane     Distributed database  New       5 years                5 years
Gympie       2 Counter desktops    3 years   4 years                1 year
Gympie       1 Office desktop      6 months  4 years                3.5 years
Gympie       Networking equipment  New       5 years                5 years
Gympie       Distributed database  New       5 years                5 years
Maryborough  2 Counter desktops    5 years   4 years                Yes
Maryborough  1 Office desktop      6 months  4 years                3.5 years
Maryborough  Networking equipment  New       5 years                5 years
Maryborough  Distributed database  New       5 years                5 years

(Adapted from: ATO 2016)

5.0 Business Continuity

The information system upgrade saw the implementation of the cloud based applications MYOB, SalesForce and TradeGecko, which gave the business an excellent way to manage business growth and continuity.
However, other considerations that may need reflection include data backup, physical security and succession planning, discussed in the following sub-sections. How a business reacts to disruptive events and its resilience are important concerns that should be addressed and planned for in advance. In the event that a disaster strikes or a key employee is suddenly injured and unable to return to work, strategies that are planned in advance will prove rewarding (Ciampa 2015).

5.1 Data Backup

XYC Ltd has implemented various cloud computing software applications, which eliminate the need for backups of these applications. However, the data that results from daily POS transactions and any other non-cloud application is the responsibility of XYC Ltd. Ciampa (2015) recommends storing backups offsite to ensure that, if a situation occurs that destroys an onsite backup, business can continue. Queensland Government (2016) endorses incorporating a cloud based backup system, which ensures the most valuable and often irreplaceable asset can be stored offsite and protected from possible loss. This type of backup provides a cost effective and efficient method of data storage that doesn't require maintenance of physical backups.

5.2 Physical security

Physical security can be affected by the external and internal environment. XYC Ltd premises are located in areas that have the potential to be affected by a significant event such as floods, power outages, network failures or road blockages. Disaster recovery planning can overcome such instances by providing staff with a detailed plan that can be applied in such events and enables the business to continue to function (Ciampa 2015). Another consideration is physical security of the internal environment, which will protect business assets from one of a business's greatest threats, the insider (Greitzer & Hohimer 2011).
Insider threats can be overcome with strategies that will be addressed in the following section, risk management.

5.3 Succession planning

It is expected that employees will sometimes be unable to attend work, but what would happen if a key employee were to be injured unexpectedly (Ciampa 2015)? It is of high importance that XYC Ltd plans for such events, especially if that person were the owner. Planning should incorporate identifying those roles that are mission critical to the operational and financial factors of the business and appointing persons t
d business continuity and incorporate security considerations for data protection.

Recommendation 2: Limit the use of mobile devices and wireless LAN until additional security protections can be applied, such as captive portal access points, rogue discovery tools and mobile device management.

Recommendation 3: Create and manage an asset register to support organisational strategy, empower business continuity and support risk management processes.

Recommendation 4: Implement a cloud based backup system that will provide a reliable offsite solution for the organisation's backups, so employees at each site do not have to be responsible for physical backups.

Recommendation 5: Initiate succession planning that identifies who will take the role of key employees if they are unexpectedly absent, and implement strategies to monitor, support and evaluate potential candidates.

Recommendation 6: Deploy a training and awareness program for employees that involves the management of security and risk situations, particularly those associated with transactions.

List of references

Australian Taxation Office (ATO) 2016, Taxation Ruling TR 2016/1, Australian Taxation Office, viewed 6 October 2016.

Batenburg, RS, Mikalef, P, Pateli, A & Van De Wetering, R 2015, 'Purchasing alignment under multiple contingencies: A configuration theory approach', Industrial Management & Data Systems, vol. 115, no. 4, pp. 625-45, doi: 10.1108/IMDS-10-2014-0298.

Ciampa, M 2012, Security + guide to security fundamentals, 5th edn, Cengage, Boston.

Chang, E, Dillon, T & Wu, C 2010, 'Cloud computing: Issues and challenges', 2010 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 27-33, doi: 10.1109/AINA.2010.187.

Crawford, M, Horstmann, B, Keller, S, Powell, A & Predmore, C 2005, 'Information security threats and practices in small businesses', Information Systems Management, vol. 22, no. 2, pp. 7-19, viewed 20 October 2016.
George, E 2013, '5 steps to planning for internal successors in a small business environment', Journal of Financial Planning, vol. 26, no. 8, pp. 21-23, viewed 16 October 2016.

Greitzer, FL & Hohimer, RE 2011, 'Modeling human behavior to anticipate insider attacks', Journal of Strategic Security, vol. 4, no. 2, pp. 25-48, doi: http://dx.doi.org.ezproxy.usc.edu.au:2048/10.5038/1944-0418.104.22.168.

Gupta, A & Hammond, R 2015, 'Information systems security issues and decisions for small businesses: An empirical examination', Information Management & Computer Security, vol. 13, no. 4, pp. 297-310, doi: 10.1108/09685220510614425.

Harris, MA & Patten, KP 2014, 'Mobile device security considerations for small- and medium-sized enterprise business mobility', Information Management & Computer Security, vol. 22, no. 1, pp. 97-114, doi: 10.1108/IMCS-03-2013-0019.

Queensland Government 2016, Key components of a digital strategy, Queensland Government, viewed 16 October 2016.

Telstra 2016, 'Broadband security', Telstra Corporation, viewed 18 September 2016.

Bibliography

Australian Taxation Office (ATO) 2016, Taxation Ruling TR 2016/1, Australian Taxation Office, viewed 6 October 2016.

Bandyopadhyay, S, Ghalsasi, A, Marston, S, Li, Z & Zhang, J 2011, 'Cloud computing: The business perspective', Decision Support Systems, vol. 51, no. 1, pp. 176-189, doi: 10.1016/j.dss.2010.12.006.

Ciampa, M 2012, Security + guide to security fundamentals, 5th edn, Cengage, Boston.

Check Point Software Technologies Ltd 2006, Check Point introduces new [email protected] unified threat management appliances with integrated ADSL modems; easy-to-manage appliances allow internet service providers to provide security protection and connectivity in a single solution, Business Wire, 16 May 2006, viewed 18 September 2016.

Computer Weekly 2002, 'Easy guide to purchasing PCs', Computer Weekly, February 2002, viewed 19 October 2016.
Chang, E, Dillon, T & Wu, C 2010, 'Cloud computing: Issues and challenges', 2010 24th IEEE International Conference on Advanced Information Networking and Applications, pp. 27-33, doi: 10.1109/AINA.2010.187.

Crawford, M, Horstmann, B, Keller, S, Powell, A & Predmore, C 2005, 'Information security threats and practices in small businesses', Information Systems Management, vol. 22, no. 2, pp. 7-19, viewed 20 October 2016.

George, E 2013, '5 steps to planning for internal successors in a small business environment', Journal of Financial Planning, vol. 26, no. 8, pp. 21-23, viewed 16 October 2016.

Greitzer, FL & Hohimer, RE 2011, 'Modeling human behavior to anticipate insider attacks', Journal of Strategic Security, vol. 4, no. 2, pp. 25-48, doi: http://dx.doi.org.ezproxy.usc.edu.au:2048/10.5038/1944-0422.214.171.124.

Gupta, A & Hammond, R, 'Information systems security issues and decisions for small businesses: An empirical examination', Information Management & Computer Security, vol. 13, no. 4, pp. 297-310, doi: 10.1108/09685220510614425.

Haring, B ND, 'Hardware purchasing strategy for a company', Houston Chronicle, viewed 19 October 2016.

Harris, MA & Patten, KP, 'Mobile device security considerations for small- and medium-sized enterprise business mobility', Information Management & Computer Security, vol. 22, no. 1, pp. 97-114, doi: 10.1108/IMCS-03-2013-0019.

Mikalef, P, Pateli, A, Batenburg, RS & Van De Wetering, R 2015, 'Purchasing alignment under multiple contingencies: A configuration theory approach', Industrial Management & Data Systems, vol. 115, no. 4, pp. 625-45, doi: 10.1108/IMDS-10-2014-0298.

Queensland Government 2016, Key components of a digital strategy, Queensland Government, viewed 16 October 2016.

Telstra 2016, 'Broadband security', Telstra Corporation, viewed 18 September 2016.