Jerry Cunningahm
ISSC364
Project - Objective
Course Project (15%)
This course project is intended to assess your ability to comprehend and apply the basic
concepts related to information security management, such as the following:
The ability to discern when a risk assessment should be performed and carrying out the task
Understanding user or customer access requirements, whether remote or local
Using a layered security approach to establish and maintain access controls
Working with other departments, such as the human resources department, to identify and implement methods to prevent unwarranted exposure to information by inappropriate personnel
Your ability to execute the tasks within these information security domains and others will be
evaluated against the learning objectives as identified and described in previous lessons of
instruction for this course.
Required Source Information and Tools
You will require the following resources to complete this project:
Text sheet: Integrated Distributors Incorporated (provided in Week 1)
A computer with:
Access to the Internet
Microsoft Office Suite: Word, PowerPoint, and Visio, or any other comparable editing, presentation, and drawing software
Introduction
User identification, authentication, and authorization are essential in developing, implementing,
and maintaining a framework for information system security. The basic function of an
information system security framework is to ensure the confidentiality and the integrity, as well as
the availability of systems, applications, and data. Certain information security implementation
and management knowledge is required of network administrators, IT service personnel,
management, and IT security practitioners, such as information security officers, security
analysts, and domain administrators.
Scenario
You are provided with the text sheet named "Integrated Distributors Incorporated"
(Project.TS1.doc) to complete this project. You play the dual role of an IT architect and IT
security specialist working for Integrated Distributors Incorporated (IDI), a multi-national
organization with offices in several countries. Your instructor for this course plays the role of the
chief information officer (CIO). Your peers play the role of selected technology staff. Each of the
organization's locations is operating with different information technologies and infrastructure: IT
systems, applications, and databases. Various levels of IT security and access management
have been implemented and embedded within their respective locations.
Tasks
Your goals as the IT architect and IT security specialist are to:
Develop solutions to the issues that the specified location of IDI is facing.
Develop plans to implement corporate-wide information access methods to ensure confidentiality, integrity, and availability.
Assess risks and vulnerabilities with operating IT facilities in the disparate locations where IDI now functions and develop mitigation plans and implementation methods.
Analyze the strengths and weaknesses in the current systems of IDI.
Address remote user and Web site users' secure access requirements.
Develop a proposed budget for the project; consider hardware, software, upgrades/replacements, and consulting services.
Prepare detailed network and configuration diagrams outlining the proposed change to be able to present it to the management.
Develop and submit a comprehensive report addressing the learning objectives and your solutions to the issues within the scenario.
Prepare a 10- to 15-slide PowerPoint presentation that addresses important access control, infrastructure, and management aspects from each location.
Project Integrated Distributors Incorporated
Project Details:
Integrated Distributors Incorporated (IDI), a publicly traded company, has its home office located in
Billings, Montana. IDI has more than 3,000 employees in the following locations:
Billings, Montana, 600 employees
Sao Paulo, Brazil, 580 employees
Warsaw, Poland, 975 employees
Sydney, Australia, 340 employees
Tanzania, Africa, 675 employees
Japan, China, and Hong Kong, 700 employees
IDI has accounts with major market retailers, federal governments, and large state governments. IDI
operates a fleet of trucks in each country and has network interface agreements with subcontractors
for freight forwarding, storage, and delivery.
IDI is responsible for the movement of goods, from multiple manufacturers and distributors to its
clients, in a timely and efficient manner using cost-effective methods. Alternatively, IDI may transfer
this responsibility to one of its JVs or SAs, if it is more cost-effective and the income differential is
within acceptable limits.
IDI is also under pressure from several of its competitors in the logistics industry. The competitive
market is driving IDI to improve its routes, delivery methods, fleet vehicles, and other facets of its
business to increase profits (a strategic goal) and to reduce costs. The company realizes that the
information technology infrastructure has been neglected for some time and that many operating
locations are running on outdated hardware and software. On several occasions last year, IDI
suffered no less than four network compromises through one of its JV Internet sites that led to the
disclosure of sensitive and strategic information on contracts and mergers.
The chief information officer (CIO) made a strategic presentation to the board of directors and
executive management to first assess the aging infrastructure and then develop a multi-year phased
approach to have all sites (except for JV and SA) on the same hardware and software platforms. Now
that the funding has been approved for the infrastructure assessment, the CIO has asked you to
update your passport, and buy some new luggage.
Page 1
Copyright © 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All Rights Reserved.
Information about the assessment provided to you indicates that the current state core infrastructure
(switches, routers, firewalls, servers, and so on) must be capable of withstanding 10-15% growth
every year for the next seven years with a three-to-four-year phased technology refresh cycle.
There is a hodgepodge of servers, switches, routers, and internal hardware firewalls. Your review also
disclosed that much (almost all) of the infrastructure is woefully out-of-date in terms of patches and
upgrades. This operational neglect has unduly increased the risk to the network, in terms of
confidentiality, integrity, and availability. Since this will be a multi-year technology upgrade project,
something must be done to reduce IDI's exposure to vulnerabilities to increase the overall security
profile and reduce the risk profile.
Your inventory and review of the data center indicated the following requirements:
14 Hewlett-Packard (HP) Unix servers
Four with operating system 9.X
Four with operating system 8.5 (one of them is used for application development)
Six with some version of 11.X (one is used for test and production migration staging)
75 Microsoft Windows 2003 servers (equally split between production, test, and development)
Five application servers
Five Exchange e-mail servers
Core applications include the following:
Microsoft Exchange e-mail
Oracle financials for accounting and financial systems
Logisuite 4.2.2, installed approximately 10 years ago, has not been upgraded;
however, over 350 modifications have been made to the core engine and the support
license agreement has expired. Renewing this product will be extremely expensive,
and the progressive upgrading to the current version is cost- and time-prohibitive.
RouteSim, a destination delivery program, is used to simulate routes, costs, and
profits. However, it is not integrated into Logisuite or Oracle financials to take
advantage of the databases for real-time currency valuation and profit or loss
projections.
IDI has not standardized on the office automation hardware and software. If a
manager likes HP, he buys HP whereas another manager may acquire Toshiba. Of
the 600 workstations at headquarters, 200 are HP, 150 are Toshiba, 175 are IBM, 50
are Dell, and the rest are Apple PowerBook, although no graphics or computer-aided
design (CAD) software is available to maximize the PowerBook.
Office software ranges from several word processing packages of various vintages,
such as Lotus SmartSuite, early versions of Microsoft Office 5, WordPerfect 7.0, and
PC-Write. None of the packages is capable of integration with the other, and
transferring files often causes corruption when opened in a package other than the
original creation.
Telecommunication has not been updated since the company moved into its current
headquarters 15 years ago. This has left many of the new features for
telecommunication lacking and not integrated with the customer service database to
improve call management efficiency. The non-descript system was acquired from a
service provider that is now out of business and limited spare parts are available.
Even though policies exist that prohibit the introduction of personal devices, such as
BlackBerry or Blueberry, iPods, and iPhones, many of the executives have had local
administrators install the clients on their unsupported, non-standard personal laptop
computers, and workstations that interface with the Internet. The devices have little, if
any, protective measures to prevent exposure and loss of data or network
compromise.
The original wide area network (WAN) was designed by MCI in the early 2000s and
has not been upgraded. Several data rate increases have occurred in the Asian
offices, and Brazil has been distressed. During peak periods, usually between
September and March, the capacity is insufficient for the organization. Many times,
the Internet customers are lost due to dropped connections and abandoned shopping
baskets, further reducing growth and revenue.
Telecommunication works through a limited Mitel SX-2000 private automatic branch
exchange (PABX) that only provides voice mail and call forwarding.
Sao Paulo, Brazil
While earning frequent flyer miles and increasing your personal growth, your arrival in the Sao
Paulo office is followed by many pleasant surprises. You discover that the Brazil office is a model
of standardization. The Brazil office has the following setup:
30 Microsoft Windows for file and print
4 Linux (UNIX) servers for major production applications
2 Linux (UNIX) servers with the Internet zone with Juniper high-speed switches and
routers
A storage area network based on EMC CLARiiON
SAP R/3 (ECC6-Portal based apps)
Financials
Materials management
IBM Lenovo T 600 standard portable computers
Up-to-date information security policies, although in Spanish
The telephone system provided by SP Telesis, one of the four competing providers
in the metropolitan city
The NEC NEAX 2400 series PABX used for internal and external communications
No problems were noted here, but it was good to get out of the office and see the world.
Although two technicians are available for this network, vendors are unwilling to sign service
agreements or commit to defined standards for service response. Both technicians are qualified
with one being a Microsoft Certified Systems Engineer (MCSE) who has little experience in the
WAN environment. The Sao Paulo office is connected to the corporate office through an
on-demand virtual private network (VPN) connection with a common six-character password that is
used by all office personnel and the shipping and receiving departments. While sitting in the
cafeteria one afternoon, you hear one of the technicians discussing increasing the privileges of
the shipping supervisor's account. The shipping supervisor claimed that he would be more
efficient if he could see inbound receipts based on sales and had privileges equivalent to the
general manager. No anti-virus or anti-malware software is installed, as hackers have never
attacked the location.
Warsaw, Poland
Strategically staged to assist IDI for major growth in the Middle East and Asia, the office in Poland
is the home portal for expansion and geographical client development.
Although this is the largest office, based on employees, this office has minimally sufficient
computing power to stay afloat on day-to-day activities. The hardware and other networking
essentials of this office are as follows:
86 Microsoft Windows servers for file, print, and basic network connectivity
6 Qantel UNIX servers for major production applications
S&S, the primary freight forwarding application, is about 10 years old and does not
interface with the McCormack dodge accounting and finance system
6 Web servers (4 are primary and 2 fail during clustered load balancing)
IBM Infinity hardened server serving as a proxy for the network
Other infrastructure includes 6 Cisco switches to break the department up into
transaction zones, Catalyst 49XX series
Shipping and receiving
Internet, with self-service pages for small to medium customers
Intranet to keep staff trained on various aspects of changing customs laws
and regulations
Global Positioning System (GPS) performance monitoring to control the large
fleet of trucks with location transmitters
A separate access enclave is used for unmonitored access from strategic
alliance and JV partners.
A public wireless network is sponsored in the cafeteria running WPA (Wi-Fi Protected
Access) with no password
Telecommunication is a Siemens Saturn series Private Branch Exchange (PBX)
approximately 8 years old, and some of the features have become faulty. The
desktop phones have not been replaced or upgraded during this time.
Mareck, the son-in-law of the shipping director, has the technical responsibility for network
operations, information technology (IT) security, and end user computing. Mareck earned his
bachelor's degree in horticulture and worked as a hothouse tender before marrying Loueasa, who
is responsible for IDI's accounts receivable department. Although the accounts always balance,
noticeable period-end adjustments seem necessary since Mareck and Loueasa bought their new
multi-story home.