Cybersecurity Management

CYB60004 – Assignment 2
Security Plan
November 9, 2020
Cybersecurity Management
1 | P a g e
Alvin Cabautan
2 | P a g e
EXECUTIVE SUMMARY
This assignment focuses on my understanding of Network Security. I recommend to our company to
implement a holistc approach to understand its architecture and the inventory in places. This assignment is
segmented into seven(7) sectons.
The frst secton is the Network Design Proposal. The second secton, is the Risk Assessment. The
third secton is the Physical security. The fourth secton is the IT Security Control. Fifh secton is the
Infrastructure security. The last and sixth secton is the Human resources security.
3 | P a g e
Table of Contents
Introducton………………………………………………………………………………………………………………………….4
Network Design Proposal……………………………………………………………………………………………………….5
Network Topology Diagram…………………………………………………………………………………………………5
Head Ofce – Douala – Network Plan……………………………………………………………………………………6
Yaounde – Network Plan……………………………………………………………………………………………………..7
Kumbo – Network Plan……………………………………………………………………………………………………….8
Bertoua – Network Plan………………………………………………………………………………………………………8
Risk assessment…………………………………………………………………………………………………………………..10
Identfy Assets…………………………………………………………………………………………………………………10
Informaton Assets……………………………………………………………………………………………………………10
Physical Assets…………………………………………………………………………………………………………………10
Identfy Risks……………………………………………………………………………………………………………………10
Risk Identfcaton and Likelihood Impact Analysis…………………………………………………………………10
Physical security………………………………………………………………………………………………………………….14
Mitgaton Methods and Devices………………………………………………………………………………………..14
IT Security Controls………………………………………………………………………………………………………………14
Sofware to Aid Risk Mitgaton………………………………………………………………………………………….15
Infrastructure Security………………………………………………………………………………………………………….15
Human resources security…………………………………………………………………………………………………….16
Issues……………………………………………………………………………………………………………………………..16
Mitgaton……………………………………………………………………………………………………………………….16
Security Policies……………………………………………………………………………………………………………….17
Conclusion………………………………………………………………………………………………………………………….17
References………………………………………………………………………………………………………………………….18
4 | P a g e
INTRODUCTION
Our company rely on the confdentality, integrity and availability of informaton. Our informaton
cannot be produced without the resources we have involved in gathering data. This includes assets such as
manpower, structures or buildings, hardware, sofware, and processes. Ofen before, we have overlooked, the
need to plan in order to protect our assets. In a snap, assets can be destroyed, and sometmes can be a source
of threat resultng to a great deal of loss to a company. Thus, we need to plan in order to protect our
company’s assets and resources.
A top down approach will be undertaken to lay down the security plan in order to protect our asset
and resources. I have taken analysis of the requirements that provide an overall picture of our business goals,
gain a complete understanding of the structure, size, site locaton and functon. Informaton in Risk Assessment
combined with Network planning identfy threats and vulnerabilites and the design criteria for the success.
As a result, I present Network Security plan, IT Security controls and the Human security controls for
our company. It is mandatory to employ personnel security for safeguarding the organizatonal and customer
digital assets like informaton and IT infrastructure (“Network Security Planning”, 2018).
Thus, there is a need to full security. All the servers which store the key data of our company must be
placed in a secured room with proper physical security measures like locks and security personnel and must be
fenced.
5 | P a g e
NETWORK DESIGN PROPOSAL
The type of network that we will be using is Multprotocol Label Switching (MPLS) Border Gateway
Protocol (BGP) IP VPN. Each site has an ISP. The data is then routed to the VPN router which connects to a
client edge (CE) device. This device connects to a provider edge (PE) device. These provider edge (PE) devices
are all inside the outer layer of the MPLS network. They connect to the MPLS core on the inner layer of the
MPLS network. The MPLS core bonds the site networks together.
This is to also allow us to have auto failover if one ISP should have downtme, we might lose some
bandwidth but all sites would stll be able to access the internet.
Below are the network diagrams of the topology and the four(4) sites network plan.
Network Topology Diagram
6 | P a g e
Head Ofce – Douala – Network Plan
7 | P a g e
Yaounde – Network Plan
8 | P a g e
Kumbo – Network Plan
Firewalls should be the frst thing which needs to be implemented, as it will block the unwanted trafc
entering into the network and only allow those rules that are specifed in the allow rules.
For resiliency, we need to make the infrastructure fault tolerant such that if one server fails, another
server will help in serving the purpose. This is how resiliency is achieved.
9 | P a g e
Bertoua – Network Plan
10 | P a g e
RISK ASSESSMENT
Identfy Assets
Ground Clearance Ltd assets are divided into physical assets and informaton assets. In the physical
assets, we have writen all hardware used to run the network and security devices that we use. The
informaton assets include fles, forms, webpages, customer data, and any type of computer-based
informaton.
Informaton Assets
Physical Assets
Douala, head ofce
455 Desktops/laptops , 45 printers, 27 photocopiers, 2 routers, 2 frewalls, 8 switches, 4 servers
Yaounde site
92 Desktops/laptops , 10 printers, 6 photocopiers, 2 routers, 2 frewalls, 8 switches, 4 servers
Kumbo site
154 Desktops/laptops , 15 printers, 10 photocopiers 2 routers, 2 frewalls, 8 switches, 4 servers
Bertoua site
135 Desktops/laptops , 14 printers, 9 photocopiers 2 routers, 2 frewalls, 8 switches, 4 servers
Identfy Risks
Server cooling failure, Flooding/Water Damage, Electromagnetc Interference, Fire (Major or Minor),
Sabotage, Blackmail, Unauthorised access to system, Network Intrusion, Fraud/Embezzlement, Communicaton
Failure, Hardware Failure, Unauthorised Access or Use, Computer Crime, Human Error, Power Loss.
Risk Identfcaton and Likelihood Impact Analysis
Below are two(2) tables which contain the current risks and threat from each risk. It shows the most
likely event to cause such as risk and the compromised areas of our Company’s network. We score the
likelihood of each risk and the impact of each risk.
These two scores are then multplied to generate a total overall risk score to show the threat level of
each risk. We can view and decide which risks are going to be our priority, and which threats can hinder our
critcal business systems. We can evaluate and decide what to do about the risks and effectvely mitgate, if not
remove them completely.
11 | P a g e

AssignmentTutorOnline

12 | P a g e

Numbers 1, 9, 15 and 16 are the highest risks as the above table explains the damage and possibility
of happening.
Number 1 could happen by accident and this would cause incredible amounts of damage to the
network infrastructure. This must be addressed as soon as possible to reduce the overall risk and to protect the
system from irreversible damage.
Number 9 could simply happen if the right policies are not set to ensure that they are properly set.
This would allow Unauthorised users or others to openly view the fles or passwords to the network. Most of
these threats and risks could be easily mitgated by implementng the proper rules and policies inside the
system. With the right set of permissions set on the user accounts, it would lock down the system and
eliminate a considerable amount of the risks totally.
Number 15, our head ofce, it is now prone to flooding due to the redirecton a river to create park.
This must be addressed ASAP. We have to talk to the city council of the situaton the repercussion of what
happened. As this may cause the delay of the employees to enter in the head ofce and may cause a
disrupton of the operaton of the company.
Number 16, Bertoua site, there was a break-in and a number of PCs were stolen. This can be
mitgated if there are security guards in this site. I propose below the distributon of number of security guards
for the four(4) sites.
13 | P a g e
Douala, head ofce:

Thus, we maintain the number of security guards for our company.
14 | P a g e
PHYSICAL SECURITY
Mitgaton Methods and Devices
 We need to have a gas fre suppression system to combat the threat of fre. We need also to add an
early warning system to help detect low levels of smoke and sensors all over the room.
 There will also be water sensors on the floor to help detect if the sprinkler systems are going off to
protect the servers.
 There will also be a fre suppression control panel, auditory alarms, and smoke detecton equipment
installed in the IT server rooms as well.
 All our sites must have the fre exit doors with panic bars and exit lights which is required by Australian
law, code and regulaton.
 We require all employees to atend Employee Security Awareness and Training.
 We never rely on user security training alone to keep the intruders out.
 Under no circumstances should we allow the use of mobile storage on our critcal systems. This
includes shutng down the use of CD/DVD drives, any use of third-party security apps.
 Shutng down mobile storage (USB) prevents users from plugging in infected devices helps control
insider threats.
 We will implement to our four(4) sites the Key Card Systems. A card encoded with an access code
read to unlock a door. This is a high-end system that allow control of when people are authorised to
enter, log entrances and exit.
IT SECURITY CONTROLS
We will be adding Intrusion detecton system (IDS), intrusion preventon system (IPS), all new frewalls
will be put into place to protect the network.
There is also a new Oracle Mobile Device Management (MDM) system server setup that will take
place to help manage our data and assets. We can govern the changes to our digital data and how it is
protected in a more detailed way. This will also help to control the changes that are made to the data as well so
this covers multple threats as well.
Then, we will have a Gemini MPS Twin Pack with 500 kW generator built to mitgate the risk of
power loss to the Head ofce. To further mitgate the risk of power loss, we will be installing several APC Smart
UPS systems throughout the sites, and the sites with auto failover to protect the system untl the generator
kicks on. In the head ofce and the sites, the UPS will be used to allow the employees to save the data they are
working on to prevent data corrupton and data loss. Then they will shut down the workstatons untl power
has been restored. Below is a list of devices that will be added to the network to mitgate the risks above and
each will have the risk number or numbers that they are meant to mitgate next to it.
15 | P a g e
Sofware to Aid Risk Mitgaton
We will be using different sofware to help provide additonal control over the network. We will
enforce policies and certain guidelines that we need to mitgate the risks above. To do this, we will be using
network sofware and CISCO services to help monitor the network for threats and to help prevent malicious
atacks. We will also be using Oracle Mobile Device Management (MDM) applicatons to manage our data and
the changes that happen to it, for regulatory reason and security reasons.
Cisco Stealth Watch, Cisco prime network, and Identty Services Engine are going to be used together
to fght the risks listed below by adding a reliable method to govern confguraton management, change
management, and policy enforcement for all devices that are on the network to grant granular access to how
we need the network and its devices to run. Cisco adaptve security device manager is going to make sure that
all our security devices are up to date and all the cisco frmware and security patches are automatcally
updated. They are checked to make sure that the confguratons of each device are stll the same as the
hardened baselines that we set them up with. The new security sofware being installed is listed below in a
table just like the device table above.
INFRASTRUCTURE SECURITY
Some other security controls that are going to be implemented to add extra functonality to the
system are going to be:
Mult Factor Authentcaton (MFA)
The mult factor authentcaton is used to ensure that the users logging in to any company designated
site or applicaton are the proper users. This is a setup to run so that the captve web portal login happens frst
using a local database to verify your login credentals, then the machine is verifed by certfcates installed using
generic Lightweight Directory Access Protocol (LDAP) in actve directory to verify those credentals. Finally, it
verifes your smart card and pin using RSA SecurID database for fnal authentcaton method.
Designated honey pots
We setup two designated honeypots which will be connected to the De-Militarise Zone (DMZ) and
public facing webservers. It will be setup to look like an administrator workstaton. It will be used to collect
informaton of atacks, atempted atacks, IP addresses, and atacker informaton that can be used to help
protect our networks beter.
Upgraded client routers
The upgraded client edge routers will be Cisco ASR 900 series service aggregaton routers to help with
beter productvity, connecton speed, and they can be added to the adaptve cisco security device manager
applicaton to further protect the devices.
Proxy frewalls
There is a proxy frewalls installed to reroute some network zones and mask them to prevent our IP
address from being discovered and having the company’s privacy and security at risk.
16 | P a g e
HUMAN RESOURCES SECURITY
Our company must have a Human Resources domain focuses on people – almost 800 employees – all
of whom have a fundamental role in security and privacy. The managers must ensure that employees follow
proper policies and procedures.
Our managers should oversee relatonships with afliates and third-party service providers – ensuring
and privacy provisions are in place. When working with 3rd party vendors (such as CISCO Company), a clear
understanding of data security and privacy must be clearly document. Additonal training may need in some
cases.
Security and privacy safeguards during employment, or while fulflling contractual dutes:
 Reduce the risk of human error by ensuring that people are aware of security and privacy issues and
are trained and equipped to properly handle personal informaton in the course of their dutes
 Obtain employee assent to agreement on security and privacy roles and responsibilites
 Ensure that safeguards are applied – by defning management responsibilites in writen agreements
 Monitor performance and provide feedback. When necessary, sanctons are applied for security and
privacy breaches
When someone is leaving the company, there should be a structured process to ensure that any assets
that they hold are returned (i.e. laptops, access keys and others).
There is a succession planning and make sure that knowledge is shared or procedure realised.
It is critcal for our company to understand and pay close atenton to what employee data is collected, stored,
manipulated, used, and distributed – when, why, and by whom.
Issues
It is important to know the enemy. We have to understand our vulnerabilites. The common security
threats are the following:
– Human error
– Disgruntled employees or ex-employees
– Other internal atackers
– External Hackers
– Natural disasters
Mitgaton
The best to mitgate the vulnerabilites is to have the best practces for Human resources include
– Adopt a comprehensive informaton and security privacy policy
– Store sensitve data in secure with an encrypton
– Dispose of documents properly
– Document destructon in the ofce
– Contnue update technical measure (frewall, antvirus, ant-spyware, etc.) and non-technical security
educaton training and awareness measures
– Conduct privacy walkthroughs and making spot checks on proper informaton handling
17 | P a g e
Security Policies
It is important to have inventory potental network vulnerabilites and what mitgaton steps
could be completed to reduce the potental effects. We should have clearly defned policies that
include expectaton and consequence need to be presented to all users. Each policy must be detailed
for all to understand and be broken down into individual topics.
CONCLUSION
I recommend to our executve that we need to consider the cloud computng in the very near
future. Cloud computng adopton is on the rise every year. By using a cloud-based soluton, our
company can prevent a lot of problems that plague organisatons that rely on on-premises
infrastructure.
Having said that, our Network plan has a stable baseline with good security trends, security
policies, standards, procedures and guidelines for our employees in facing the risks and threats and
mitgatons that we should implement within our company to safeguard the informaton over the
company’s network.
A frewall security protocol and its services are important within our company and its sites
locaton. The security best practces are helpful while transferring the data over the network among
the sites of our company.
The security of our company is crucial and sensitve. It is important to protect the system
integrity that includes protecton from viruses, intrusion and detecton system, tape backups,
security verifcaton, security awareness and training team actvites.
18 | P a g e
REFERENCES
Academy, A 2017, 4. Human Resources Security and Third Partes, viewed November 8,
.
Awwad, P 2018, CCNA 4 WAN Concepts, viewed November 8, htps://www.youtube.com/watch?
v=Lr6yvfIPahU>.
Awwad, P 2019, CCNA Security Chapter 1 Modern Network Security Threats, viewed November 8,
htps://www.youtube.com/watch?v=0v89RB9cYNc>.
Awwad, P 2020a, CCNA 7 ITN- Introducton to Networks- Module 16 Network Security Fundamentals
part 1, viewed November 8, htps://www.youtube.com/watch?v=pP5R77BRiC8>.
Awwad, P 2020b, CCNA 7 ITN- Introducton to Networks- Module 16 Network Security Fundamentals
part 2, viewed November 8, htps://www.youtube.com/watch?v=QZ-DLZDC7AE>.
Beney, R 2020, Cisco – CCNA Certfcaton 200-301 – Network Topology Architectures .03, viewed
November 8, htps://www.youtube.com/watch?v=2pggxY2UWJs>.
Bozicevic, V 2018, Cloud Computng Benefts: 7 Key Advantages for Your Business, viewed November
8, htps://www.globaldots.com/blog/cloud-computng-benefts#:~:text=Cloud%20computng
%20benefts.%201%201.%20Efciency%20%2F%20cost,4.%20Mobility.%205%205.%20Disaster
%20recovery.%20More%20items>.
CISCO Cisco Security Management Portolio, viewed November 9,
htps://www.cisco.com/c/en/us/products/security/security-management/index.html>.
Computng, DB 2019, HOW TO SECURITY HARDEN A NETWORK | Top tps to secure Network
Infrastructure | PART 2, viewed November 8, htps://www.youtube.com/watch?v=_jGJ0xMNym8>.
CS, M 2020, Computer Networking Complete Course – Basic to Advanced, viewed November 8,
htps://www.youtube.com/watch?v=0PbTi_Prpgs&list=PUq8JbYayUHvKvjimPV0TCqQ&index=5>.
CSG, U 2018, Introducton to Infrastructure Security, viewed November 8,
htps://www.youtube.com/watch?v=e2-4y903uao>.
Europe, C 2012, ISO 27001 Human Resources Security (Part 11/18), viewed November 8,
htps://www.youtube.com/watch?v=N8ZGPD4eVZU>.
freeCodeCamp.org 2020, Computer Networking Course – Network Engineering [CompTIA Network+
Exam Prep], viewed November 8, htps://www.youtube.com/watch?
v=qiQR5rTSshw&list=WL&index=3>.
Funde, Ik 2020, Networking basics (2020) | What is a switch, router, gateway, subnet, gateway,
frewall & DMZ, viewed htps://www.youtube.com/watch?v=_IOZ8_cPgu8&t=12s>.
19 | P a g e
H, NW 2020a, Ethernet shared media and point to point explained | CCNA 200-301 |, viewed
November 8, htps://www.youtube.com/watch?
v=iqAxYW7RoOc&list=PLCDpf1W6pOhq3vi0DH0BudJZY7i2c4ePy&index=23>.
H, NW 2020b, Server | types of server | explained in simple terms. | Free CCNA 200-301|, viewed
November 8, htps://www.youtube.com/watch?
v=_hdtdJWJGtA&list=PLCDpf1W6pOhq3vi0DH0BudJZY7i2c4ePy&index=13>.
H, NW 2020c, What is a Network | Network components| Types of Network |Free CCNA 200-301|,
viewed November 8, htps://www.youtube.com/watch?v=9GciaJ7NazU>.
IU, P 2012, Human Resources – Domain 5 – Informaton Security & Privacy Program, viewed
November 8, htps://www.youtube.com/watch?v=J2jHjA94CQ0>.
Jensen, G Mobile Device Management (MDM) Within Your Enterprise – Simeio Solutons, viewed
November 9, htps://blogs.oracle.com/cloudsecurity/mobile-device-management-mdm-withinyour-enterprise-simeio-solutons>.
Kevin Wallace Training, L 2016, CCNA R&S version 3 Topic: Collapsed Core vs. Three-Tier Architectures,
viewed November 8, htps://www.youtube.com/watch?v=gKTxTOrjXs0>.
Lithan, E 2018, Interpretng a Network Diagram, viewed 2020, htps://www.youtube.com/watch?
v=16WSYHcLVGE>.
livogroup 2011a, Introducton to Informaton Security and Risk Management, viewed November 8,
htps://www.youtube.com/watch?v=n81w0zCkRR4>.
livogroup 2011b, Introducton to Physical Security, viewed November 8,
htps://www.youtube.com/watch?v=vdbySQaWdSQ&list=WL&index=1>.
Messer, P 2016, Physical Security Preventon Methods – CompTIA A+ 220-902 – 3.2, viewed November
8, htps://www.youtube.com/watch?v=uo41caqOBLk>.
Nuggets, C 2019, How to Read a Topology Diagram with Physical Devices, viewed November 8,
htps://www.youtube.com/watch?v=fH-fVm5__o>.
Olzak, T 2016a, Episode 6: Critcal Infrastructure Security, viewed November 8,
htps://www.youtube.com/watch?v=W_398tN3X_Q>.
Olzak, T 2016b, Episode 6: Critcal Infrastructure Security, vi
ewed htps://www.youtube.com/watch?v=W_398tN3X_Q>.
Sector, CP 2014, Identty Services Engine (ISE), viewed November 8,
htps://www.slideshare.net/CiscoPublicSector/ise-33087084?from_acton=save.>.
SecureState 2015, Beer:30 – Network Architecture Review, viewed November 8,
htps://www.youtube.com/watch?v=oopkClg1kxM>.
Skillset 2016, Physical Security (CISSP Free by Skillset.com), viewed November 8,
htps://www.youtube.com/watch?v=xm_gznvJIsY>.
20 | P a g e
SnapAV 2017, Webinar: Networking Design and Best Practces, viewed November 8,
.
Technology, U 2019, CISSP #81 – Domain 3 – Datacenter Physical Security, viewed November 8,
htps://www.youtube.com/watch?v=PR9_Ea4ako0>.
21 | P a g e