
Task


Read the Regional Gardens case study document before attempting this assignment.

Tasks:

You have been employed by Regional Gardens as their first ever Chief Information Officer (CIO). You have been tasked by the Board to conduct a review of the company’s risks and start to deploy security policies to protect their data and resources.

  1. Write a policy to preserve the integrity of Regional Garden’s data. In your policy you must:
    1. Define the intent and rationale of the policy,
    2. Define the scope of the policy, i.e. who and what it affects,
    3. Define the responsibilities of individuals affected by the policy, including those responsible for enforcing the policy, as well as those who are affected by the policy,
    4. Include the mandatory requirements for the rules or actions that you think are reasonable to place into this policy to meet its intent and rationale,
    5. Include any exemptions that you think are reasonable to place into this policy to meet its intent and rationale,
    6. Define any terms which are used throughout the policy in a Glossary.

Your Data Integrity policy should include the following headings:

  • Brief Overview
  • Policy Purpose and Rationale
  • Policy Scope
  • Roles and Responsibilities
  • Mandatory Requirements
  • Exemptions
  • Glossary

Rationale


This assessment task will assess the following learning outcome/s:

  • be able to justify the goals and various key terms used in risk management and assess IT risk in business terms.
  • be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach.
  • be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk.

case study

Regional Gardens Case Study

Regional Gardens Ltd is a company that runs a number of related gardening enterprises. It has a large display garden that it opens for public inspection a number of times a year. The company also owns the Regional Gardens Nursery, which sells plants and garden supplies to the public. The company also owns Regional Garden Planners, which is a small company that provides garden advice, design and consultancy services.

The company has a small data centre at its main site in Bathurst where the company’s servers and data storage are located.

The company has some 65 staff, who include management, administrative staff, nursery staff and Regional Garden Planners staff. The company has a range of different types of relatively old personal computers, which mainly run Windows 7 Enterprise, to connect to the company data centre. The company also has 3 MacBook laptops running OS X.

The company does not have a clear patching and update policy. As a result, most servers and desktop machines are patched on an ad-hoc basis and as time, and operations, permit.

The company has a small number of systems administration staff who are responsible for the management of the server infrastructure. But effective administration is somewhat hampered by the fact that the administrative passwords are generally well-known across the company. Company employees enjoy free, open, unrestricted access to the Internet, but realistically they only need to access certain websites on the Internet. Company management would like to minimise the cost of accessing web resources.

The company consists of the following departments:

  • Nursery staff (35 people)
  • Regional Gardens Planning (15 people)
  • Systems administration (3 people)
  • Management (4 people)
  • Human Resources & Legal (3 people)
  • Finance (3 people)
  • Administration (2 people)

There are no formal onboarding and offboarding processes in the organisation. There is close to no policy framework in the organisation.

Infrastructure

The company uses several servers to conduct its core business. The company has the following server infrastructure:

  • 2 x Active Directory domain controllers on Windows Server 2008 R2;
  • 3 x SQL Server 2003 database servers on Windows Server 2003;
  • 1 x Exchange 2007 email server on Windows Server 2008 R2;
  • 4 x Windows Server 2003 File and Print servers;
  • 2 x Red Hat Enterprise 5 Linux servers running Apache and TomCat.

Each of these servers is an independent machine with a relatively vanilla install of its respective operating system. The servers are not running the latest operating systems, nor have they been recently patched. All servers have publicly accessible addresses and hence can be accessed from the Internet.

The servers are all commodity x86 servers that have been purchased as required. There are no maintenance contracts on either the hardware or any installed software. Most of the servers and desktops are over five years old.

Services and Data

The servers store the following:

  • Home directories,
  • Mail,
  • Database objects for various development and production environments (for various departments),
  • Active Directory Meta Data Object,
  • Customer garden project information directories,
  • Nursery plant data directories,
  • Nursery supplies data directories,
  • Corporate Finance and Personnel Data,
  • Web Page Data,
  • Customer data,
  • Market intelligence and strategic planning data,
  • Other forms of Intellectual Property.

Most services are only used within the company; however, the company does have an internet presence via its web pages and mail server. Despite this, some of the garden planners work from home in the evenings and access some services from their home workstations, tablets or mobile devices. You can assume there is no redundancy/fail over in the disks, hence if a disk goes bad, that data is lost and the service associated with it fails.

The most important data to the company, in order of importance, is:

  • Corporate finance data
  • Nursery product data
  • Nursery supplies data
  • Strategic planning data
  • Customer planning data
  • Personnel data
  • Web page data
  • Email

The integrity of this data must always be preserved.
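As an added illustration (not part of the case study or the assignment text), one concrete control that a data integrity policy's mandatory requirements could impose on the data sets ranked above is a hash manifest: a recorded baseline of SHA-256 digests that is re-verified on a schedule so that silent modification, deletion or unauthorised addition of files is detected rather than noticed "too late". The directory names and file contents below are constructed sample data; a real deployment would walk the file server directories instead.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample snapshot of the company's data stores (path -> contents).
# These are illustrative stand-ins for the finance, nursery and strategy data.
BASELINE_FILES: Dict[str, bytes] = {
    "finance/ledger-2024.csv": b"date,account,amount\n2024-01-05,sales,1200.00\n",
    "nursery/products.csv": b"sku,name,price\nP001,Rose Bush,14.95\n",
    "strategy/plan.txt": b"Expand consultancy services next year.\n",
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a file's contents as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of every file as the integrity baseline.
    The manifest must be kept where the staff who edit the data cannot
    also edit the manifest (a roles-and-responsibilities requirement)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_manifest(manifest: Dict[str, str],
                    files: Dict[str, bytes]) -> Dict[str, Tuple[str, ...]]:
    """Compare the current file set against the baseline and classify
    every discrepancy so each one can be investigated."""
    modified = tuple(sorted(p for p in manifest
                            if p in files and sha256_hex(files[p]) != manifest[p]))
    missing = tuple(sorted(p for p in manifest if p not in files))
    added = tuple(sorted(p for p in files if p not in manifest))
    return {"modified": modified, "missing": missing, "added": added}


def integrity_ok(report: Dict[str, Tuple[str, ...]]) -> bool:
    """True only when no file was modified, removed or added."""
    return not any(report.values())


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    # Simulated later state: ledger altered, strategy file gone, stray file added.
    current = dict(BASELINE_FILES)
    current["finance/ledger-2024.csv"] = b"date,account,amount\n2024-01-05,sales,9999.00\n"
    del current["strategy/plan.txt"]
    current["finance/notes.tmp"] = b"scratch\n"
    print(verify_manifest(manifest, current))
```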

Administration

Most of the staff in the company know the administration passwords for the servers and desktops. It should be noted that all users have accounts on the mail, database and database servers.

The administration of the servers tends to be haphazard. There are often storage issues as disks fill up regularly. There are a lot of active but unused accounts for users who have now left the company. The company is dependent on its servers for continued access to services, but there are no monitoring systems in place.

External hackers have compromised some desktop machines in the past. The administrators are reasonably confident that the servers have not been compromised. That said, when a host is compromised, the administrators merely disable the hack and continue to allow the machine to be used. Most compromises are noticed too late, i.e. well after the hack has occurred.

Security

The company does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. All servers, and most desktops, have a basic anti-virus system in place, but it has not been updated recently. There is no anti-virus on the MacBooks as the company has been told that they “don’t get viruses”. There is no overall email virus protection in this company.

Backup and Disaster Recovery

The company does not have any backup or disaster recovery systems/procedures.

Network and Physical Location

The servers and core network infrastructure are located in a common workspace with other infrastructure and employees of the organisation. In addition to this, the servers are on the same networks as user workstations and there is no network security. The company is connected to the Internet via an ADSL modem connected to a router. The router connects to several 10Mb hubs, which provide access to the staff (there is only one LAN).

Individual Workstations & Passwords

Each employee has a desktop computer. Most of the computers are running a vanilla install of Windows 7 Enterprise that, in most cases, has not been patched since install. Employees often keep corporate data on these desktops in their home directory, which is not backed up.

In addition to this, everyone has administrator privileges on their workstation. As the environment is relaxed, a user can have accounts on other employees’ computers, possibly using the same or a different password.

The company has no hard and fast rules about passwords; in fact the most common password used is the person’s name. These passwords are also indicative of what is used on the server machines.
