
GFI SECURITY RISK ASSESSMENT

The main purpose of this SRA is to produce a quantitative and qualitative estimate and evaluation of the risks associated with IT and of the risk posed by security vulnerabilities. The assessment will recommend security upgrades and examine GFI's cybersecurity. Because of ongoing dissatisfaction with, and outsourcing of, its IT department, GFI has faced numerous issues affecting the organization's security.

Background

Global Finance, Inc. (GFI) is a publicly traded company that specializes in financial management, loan application approval, wholesale credit and loans, and investment management support for its clients. GFI manages a large number of accounts in Canada, Mexico, and the United States, employs 1,600 people, and claims sustained annual growth of around 8%. A well-designed management strategy has earned GFI a place in Fortune Magazine for operational performance achieved through technology and automation.
In the past several years GFI has suffered several cyber-attacks, resulting in revenue loss of over $1,700,000 and an unavoidable loss of client trust. In 2012 the Oracle database server was hacked and the customer database was unavailable for seven days; all of the confidential data was taken by the attackers. Although we restored the Oracle database server online, the organization's reputation was damaged by the breach. This is one reason CEO John Thompson worries about cyberattacks, since the company's strategy for success depends on the privacy and integrity of its information.
Because operations increasingly depend on technology while the IT footprint is shrinking, GFI hired me as Computer Security Manager, reporting directly to Mike Willy, the Chief Operating Officer. The CEO and I both know the value and importance of IT to the business plan; outsourcing IT to third parties and cutting these services can be very harmful to the privacy and security of the company.
Recently GFI has seen a significant increase in traffic crossing the internal network whose origin cannot be identified even by a network engineer. To properly protect the company's business intelligence, confidential data, and customer information, this SRA is presented.

Purpose

The SRA is conducted to estimate the risks arising directly from IT security vulnerabilities and threats. GFI's policies and procedures will be analyzed as part of the assessment in order to bring risk down to an acceptable level. The resulting report will allow the risk assessment to address the threats and vulnerabilities that endanger privacy, integrity, and availability. It will help identify the security posture of the company, its customer records, business intelligence, and strategic planning, and the vulnerabilities that exist in its processes and controls. The SRA will demonstrate the possible effect of issues, weaknesses, and common risks. Finally, it will allow emerging technologies and best practices to be incorporated into the existing security infrastructure.

Security Risk Assessment (SRA)

An SRA is an important exercise for the company because it helps strengthen security in areas that may be weak, reduce security attacks, and keep hackers away by checking the organization's security against the threats it faces. The ISACA website underlines the importance of regular risk assessment: "Security risk evaluation should be a nonstop action". A complete assessment of the enterprise's risk should be performed at least once at regular intervals to identify the risks related to the organization's data and systems. (Schmittling & Munns, 2010)

Impact of the Risk

Risk valuation and analysis is a technique for recognizing risks and weaknesses and ranking the importance of a loss of integrity, availability, or privacy as low, medium, or high. (Misra, Kumar, & Kumar, 2007) According to the National Institute of Standards and Technology (NIST, 2004), the table given below summarizes the potential impact on the privacy, integrity, and availability of each security objective:

Network Office Topology

GFI operates a corporate WAN that includes 10 telecommunications sites, which communicate with the central data processing system through a corporate VPN. Role-based access controls are implemented, and usage is strictly based on the user's role within the organization. Consider, for example, a manager in the engineering department who wants to access both the engineering database and the training department's database: each role defines the permissions required to access each database. Separation of duties is achieved with this method.
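The role-based model described above, as an added example that is not GFI's or any product's code: roles map to (resource, action) permissions, access is denied by default, and a separation-of-duties rule refuses to give one user both roles of a conflicting pair. The role names, permissions and the conflicting loan pair are constructed for the example.

```python
"""Role-based access control (RBAC) with separation of duties.

Added illustration, not code from GFI or any product: the roles,
permissions and conflicting-role pair below are constructed sample data.
"""
from dataclasses import dataclass, field

# Permissions each role grants, as (resource, action) pairs. Constructed.
ROLE_PERMISSIONS = {
    "engineering_manager": {
        ("engineering_db", "read"), ("engineering_db", "write"),
        ("training_db", "read"),
    },
    "training_coordinator": {("training_db", "read"), ("training_db", "write")},
    "loan_officer": {("loan_applications", "read"), ("loan_applications", "submit")},
    "loan_approver": {("loan_applications", "read"), ("loan_applications", "approve")},
}

# Separation of duties: no user may hold both roles of a pair. The loan pair
# mirrors GFI's loan-approval business; the role names are assumed.
MUTUALLY_EXCLUSIVE_ROLES = [frozenset({"loan_officer", "loan_approver"})]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def violates_sod(user: User, role: str) -> bool:
    """True if adding `role` would give the user both roles of an exclusive pair."""
    return any(role in pair and bool((pair - {role}) & user.roles)
               for pair in MUTUALLY_EXCLUSIVE_ROLES)


def assign_role(user: User, role: str) -> None:
    """Assign a role, refusing unknown roles and separation-of-duties conflicts."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    if violates_sod(user, role):
        raise PermissionError(f"separation of duties blocks {role} for {user.name}")
    user.roles.add(role)


def is_allowed(user: User, resource: str, action: str) -> bool:
    """Deny by default: allow only if a role held by the user grants the pair."""
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)


def demo() -> dict:
    """The page's scenario: an engineering manager reaching the engineering
    database and the training department's database."""
    manager = User("alice")
    assign_role(manager, "engineering_manager")
    return {
        "eng_write": is_allowed(manager, "engineering_db", "write"),      # True
        "training_read": is_allowed(manager, "training_db", "read"),     # True
        "training_write": is_allowed(manager, "training_db", "write"),   # False
        "loan_read": is_allowed(manager, "loan_applications", "read"),   # False
    }


if __name__ == "__main__":
    print(demo())
```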

Access Points

Every access point should be properly protected against security risk. Internal access points should be protected because they sit on GFI's intranet, and appropriate security controls are needed to defend against internal threats. External access should connect safely so that external threats cause no disruption. Every point of entry into the system presents its own security risks, which must be continually assessed.

Network Security

For a high-security layer, a VPN (Virtual Private Network) is implemented in the network. According to an article on Microsoft TechNet, a VPN client uses special TCP/IP-based protocols known as tunneling protocols. (Microsoft, 2016) A point-to-point data link gives users a high level of security: data sessions are established with the correct role-based access for the user profile of the VPN client entering the GFI network. If the VPN is not kept updated, it presents a moderate risk to availability because of denial-of-service attacks.

Internal Access

Every GFI employee uses the internal network from a workstation that has anti-virus software installed and is configured with all updates before being handed to the individual. 10 GB VLAN-capable switches are implemented in the internal network, with a separate VLAN for every department.
Every system is configured with the server and applications for that individual user, which allows the right level of classification based on their access policies. It ensures that role-based access control, which currently applies to every employee, isolates the appropriate access level and privileges. There should also be auditing and reporting systems to monitor employee activity and protect the company from insider hazards. Implementing several security policies will further help protect company property.
The first security policy is the Access Control List (ACL). An ACL governs who has control of VLANs and classified content. ACLs also provide separate ways of controlling network services such as email, print, and application servers. Failure to apply ACLs creates a high risk to privacy and integrity.
Within GFI's internal network, Group Policy will be used for network security. Group Policy is an infrastructure that allows a system or network administrator responsible for Microsoft Active Directory to implement configurations for users and computers. Group Policy can be used to define user, security, and networking policies at the machine level. (Microsoft, n.d.)

External Access

For granting external access, authentication plays the major role, because it is needed to deny requests from outside users, whether employees or not. RAS servers provide external access and connect through VPN gateways, a distribution router, and a 100 Mbps router. Although remote access to the company's internal database is not encrypted, the mobile user who joins via dial-up must still be authenticated. This has become a high risk to privacy, integrity, and availability.

Access Controls

Symmetric systems have some drawbacks that put them at a disadvantage compared to asymmetric systems: secure key delivery, scalability, and the security services they offer. The first drawback is security services: a symmetric key provides only privacy, not non-repudiation or authentication.
Scalability is another drawback, because everyone who needs to communicate needs a similar key, and every one of those keys must be managed.
The third drawback is secure key delivery, because the key must be given to the destination through a secure courier. The asymmetric system uses a different, ideal solution: one key encrypts and another decrypts. These systems use a public key that anyone can obtain and a private key, which is what distinguishes them from the symmetric system.
Together the public and private keys make up an asymmetric key pair. Anyone may know the public key, but only the assigned user should use the private key. PGP uses a scheme of trust in which two keys are generated for a user: a public key, which is stored centrally and open to all, and a private key, which is held by the user. When a message is received, the recipient decrypts the message with his private key and verifies its authenticity with the sender's public key. (Microsoft, 2007)
According to TechRepublic, organizations have numerous authentication techniques to guarantee the security of their system and network infrastructure. (Shinder, 2001) The choices available to organizations include, but are not limited to, the following:
Smart card
Password Authentication Protocol or PAP
IPSec Authentication 
Biometrics
Single Sign-On (SSO)
Microsoft CHAP
The Extensible Authentication Protocol (EAP)
Kerberos
SSL

Privileged Access

To secure the most valuable assets and most sensitive data in the GFI network, a safe system should be used: one based on mandatory access control (MAC). MAC takes a unique approach to protecting extremely sensitive data, enforcing read/write rules in a secured environment based on the user's clearance, which is much safer than a discretionary access control (DAC) system. MAC is usually applied in organizations that handle highly sensitive and classified data and use security labels for access. MAC has the following features, as described by CGI Security (2012):
Changes to a resource's security label can be made only by an administrator; not even data owners can change it.
A security level is assigned to the data to reflect its relative sensitivity, privacy, and security value.
Apart from their granted classification, users can read from a lower classification; for example, unclassified data can be accessed by a "secret" user.
Users are permitted to write to a higher classification; for example, a top secret resource can be written to by a "secret" user.
Users are granted read/write access only to objects of the same classification (only a secret user can read and write secret documents).
Access is restricted or granted at the time of access based on labeling and processing of user credentials (according to policy).
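The label rules listed above, worked through as an added example (not GFI's or any product's code): read down, write up, full read/write only at the subject's own level, and relabeling reserved for administrators. The ordered set of levels and the subjects and resources are constructed for the example.

```python
"""Mandatory access control (MAC) decisions following the label rules above.
Added illustration, not code from GFI or any product; the security levels,
subjects and resources are constructed for the example."""
from dataclasses import dataclass

# Security levels in ascending order of sensitivity. Constructed sample labels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    is_admin: bool = False


@dataclass(frozen=True)
class Resource:
    name: str
    label: str


def rank(level: str) -> int:
    """Numeric rank of a label; unknown labels are rejected, never defaulted."""
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level}")
    return LEVELS[level]


def may_read(s: Subject, r: Resource) -> bool:
    """Read down: a subject may read objects at or below its clearance."""
    return rank(s.clearance) >= rank(r.label)


def may_write(s: Subject, r: Resource) -> bool:
    """Write up: a subject may write to objects at or above its clearance."""
    return rank(s.clearance) <= rank(r.label)


def may_read_write(s: Subject, r: Resource) -> bool:
    """Full read/write only when subject and object share a classification."""
    return may_read(s, r) and may_write(s, r)


def can_relabel(s: Subject) -> bool:
    """Only an administrator may change a label; data owners cannot."""
    return s.is_admin


def relabel(s: Subject, r: Resource, new_label: str) -> Resource:
    """Return a relabeled copy of the resource, or refuse for non-admins."""
    rank(new_label)  # validate the requested label before checking the actor
    if not can_relabel(s):
        raise PermissionError(f"{s.name} is not an administrator; label unchanged")
    return Resource(r.name, new_label)


def demo() -> dict:
    """Walk a 'secret' user through each rule in the list above."""
    secret_user = Subject("analyst", "secret")
    memo = Resource("memo", "unclassified")
    plan = Resource("plan", "top_secret")
    report = Resource("report", "secret")
    return {
        "read_unclassified": may_read(secret_user, memo),     # True
        "read_top_secret": may_read(secret_user, plan),       # False
        "write_top_secret": may_write(secret_user, plan),     # True
        "write_unclassified": may_write(secret_user, memo),   # False
        "rw_secret": may_read_write(secret_user, report),     # True
        "rw_top_secret": may_read_write(secret_user, plan),   # False
    }
```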

Mobility

The ability to work on the move is essential; mobility means being able to carry out important duties, collaborate appropriately with clients, and stay current. (Basole, 2008) Concentrating on mobility can build proficiency and efficiency in the organization, so that employees can reach a virtual workplace from anywhere with an Internet connection. This also benefits clients who have a GFI employee working on site and receive better service as a result. Another approach is bring your own device (BYOD), which can be retained when properly implemented with the right protective measures to limit the risk.

Wireless

There is no argument that wireless is behind GFI's flexibility. However, the GFI wireless network currently uses no encryption, and the SSID is visible to everyone within wireless range. This presents a high risk to the CIA triad. I strongly recommend deploying WPA2-Enterprise with AES or TKIP encryption and hiding the SSID. (Plósz, et al., 2014)

Cloud Computing

With cloud computing designed for e-commerce, GFI will be able to sell its services and products over the Internet. There are, however, major security issues with processing data remotely. To reduce the risk to data processing security, the following measures will be implemented. Microsoft offers cloud computing software named Microsoft Azure, which we will use in the GFI cloud computing environment.
The benefits are:
1. Ability to scale on demand
2. Cost competitive
3. Hybrid capability
4. Flexibility
5. Customer support
6. Big Data insights
7. Keeping your data secure
On top of Azure's strong built-in security features, we will use McAfee Endpoint Security for Microsoft Azure (MESMA). MESMA integrates easily with Microsoft Azure through Azure PowerShell and provides advanced security for all endpoints. (McAfee, 2018)

Risk Mitigation

As described above, GFI's existing network topology and IT processes present many important weaknesses, which should be reduced with both hard and soft security controls. In today's information technology environment, it is important that we address the following weaknesses to keep GFI's assets, data, and business intelligence adequately safe under the CIA model.

Wi-Fi Access

The Wi-Fi network currently uses open authentication, which allows anyone within range of a GFI wireless access point with any Wi-Fi-enabled device to reach privileged, sensitive, and classified information. Potential threats to GFI include, but are not limited to, data interception, denial of service, wireless intrusion, wireless phishing, and endpoint attacks. The qualitative and quantitative damage from these attacks affects privacy, integrity, and availability. To reduce these risks, the following recommendations should be followed:
Hidden SSID, or network cloaking, in the GFI network. The wireless network name (SSID) is hidden; this is only a supplementary measure and will deter only inexperienced users.
The highest level of Wi-Fi encryption, WPA2-PSK (AES), will be used.
Two separate Wi-Fi networks will be created: one for employees with the SSID GFI_Employees, and one for guests with the SSID GFI_Guest.

Encryption

We will use IPsec to encrypt data transmitted within the GFI network. IPsec combines packet filtering with cryptography. (Dhall, Dhall, Batra, & Rani, 2012)
[Figure: IPsec diagram; image from Wikimedia]

Mobility

To protect GFI from harmful mobile devices, we will implement the following measures:
Mobile Device Management (MDM) to track all devices on the network.
McAfee Endpoint protection to prevent data leakage.
MAC to separate GFI's resources from other resources.
Use of PAP and smart cards.

Assumptions

Beyond the security recommendations, I have assumed in this report that the following security policies are implemented to provide further protection.
A security policy will be prepared for the entire company; all employees must sign it and may not share their personal logins.
Any security problem must be reported immediately by any worker or employee of GFI.
The computer security group will manage the security policies.
All changes must be endorsed by the director, approved by the CSM, executed by the administrator, and later verified, tested, and maintained by the CSM.

Conclusion 

An SRA and risk management should be carried out annually to provide a satisfactory measure of safety. The SRA is important for GFI to protect its confidential data and sensitive information. The three major security objectives, privacy, integrity, and availability, should be guaranteed to GFI's employees and customers. Action should be taken to reduce the threats and vulnerabilities identified in the network.


Bibliography

Amazon. (2016). What is Cloud Computing? Retrieved from Amazon Web Services: http://aws.amazon.com/what-is-cloud-computing/?sc_channel=PS&sc_campaign=acquisition_US&sc_publisher=google&sc_medium=cloud_computing_hv_b&sc_content=sitelink&sc_detail=amazon%20web%20services&sc_category=cloud_computing&sc_segment=what_is_cloud_computing
Basole, R. C. (2008). Enterprise mobility: Researching a new paradigm. Retrieved February 15, 2018, from https://robertoigarza.files.wordpress.com/2008/11/art-enterprise-mobility-researching-a-new-paradigm-basole-2008.pdf
Dhall, H., Dhall, D., Batra, S., & Rani, P. (2012). Implementation of IPSec Protocol. Retrieved February 15, 2018, from http://ieeexplore.ieee.org/document/6168355
Image. (n.d.). Retrieved February 15, 2018, from Wikipedia: The Free Encyclopedia: http://upload.wikimedia.org/wikipedia/commons/thumb/0/01/Internetprotocolsecurity-fr.svg/500px-Internetprotocolsecurity-fr.svg.png
Kratky, R., & Ancincova, B. (2016). Red Hat Enterprise Linux 6 Security-Enhanced Linux. Retrieved from Red Hat: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/chap-Security-Enhanced_Linux-Introduction.html
McAfee. (2018). McAfee Endpoint Security for Microsoft Azure Environments. Retrieved from McAfee: https://www.mcafee.com/uk/products/endpoint-protection/endpoint-security-microsoft-azure.aspx
Microsoft. (2007, October 26). Description of Symmetric and Asymmetric Encryption. Retrieved from Microsoft Support: https://support.microsoft.com/en-us/kb/246071
Microsoft. (2016). IPsec. Retrieved from Microsoft TechNet: https://technet.microsoft.com/en-us/library/bb531150.aspx
Microsoft. (2016). What is VPN? Retrieved from Microsoft TechNet: https://technet.microsoft.com/en-us/library/cc731954(v=ws.10).aspx
Microsoft. (n.d.). How Core Group Policy Works. Retrieved February 14, 2018, from Microsoft TechNet: https://technet.microsoft.com/en-us/library/cc784268(v=ws.10).aspx
Miller, R. (2016, July 2). How AWS came to be. Retrieved from TechCrunch: https://techcrunch.com/2016/07/02/andy-jassys-brief-history-of-the-genesis-of-aws/
Misra, S. C., Kumar, V., & Kumar, U. (2007). A strategic modeling technique for information security risk assessment. Information Management & Computer Security, 15(1), 64-77. Retrieved February 14, 2018, from http://emeraldinsight.com/doi/abs/10.1108/09685220710738787
NIST SP 800-30, Risk Management Guide for ... (n.d.). Retrieved February 14, 2018, from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Plósz, S., Farshad, A., Tauber, M., Lesjak, C., Ruprechter, T., & Pereira, N. (2014). Security vulnerabilities and risks in industrial usage of wireless communication. Emerging Technology and Factory Automation (ETFA), 1-8. Retrieved February 15, 2018, from IEEE ETFA 2014 - 19th IEEE International Conference on Emerging Technology and Factory Automation: https://www.researchgate.net/publication/264436422_SECURITY_VULNERABILITIES_AND_RISKS_IN_INDUSTRIAL_USAGE_OF_WIRELESS_COMMUNICATION?ev=prf_pub
Schmittling, R., & Munns, A. (2010). Performing a security risk assessment. ISACA Journal, 18.
Schmittling, R., & Munns, A. (2010). Performing a Security Risk Assessment. Retrieved from ISACA: http://www.isaca.org/journal/archives/2010/volume-1/pages/performing-a-security-risk-assessment1.aspx
Shinder, D. (2001, August 28). Understanding and selecting authentication methods ... Retrieved February 15, 2018, from TechRepublic: http://www.techrepublic.com/article/understanding-and-selecting-authentication-methods/
Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). Risk Management Guide for Information Technology Systems. Retrieved from Department of Health & Human Services: http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
Trend Micro. (2015). Deep Security 9.6. Retrieved from Trend Micro: http://www.trendmicro.com/cloud-content/us/pdfs/business/datasheets/ds_deep-security.pdf
