Security Management for a XYZ Multinational Company in West Midlands

You have just been appointed Security Manager in a XYZ multinational company in West Midlands. You are in charge of physical, IT and data security. The company, researching both medicines and vaccines for the World Health Organisation’s three diseases - HIV/AIDS, tuberculosis and malaria, are very proud to have developed some of the leading global medicines in these fields.

These are six departments within this company:

• Research and Development,
• Personnel,
• Marketing and Business Development,
• Strategic Operations and Management,
• Information Technology,
• Customer Services.

R&D is the one department with good security (biometric and card-based access control systems and running its own network which is isolated from the company's network). R&D is not shown in the company's network diagram below, since it is not connected to the rest of the intranet.

                                                                                                     Figure 1: Network plan and Company’s internet

All offices are on the ground floor with servers (email, ftp, web servers etc). In each department, there are a number of workstations, network printers, USB based local printer/plotter/scanners, USB and network drives.

Employees often go out of the premises for lunch although there is a staff tea/lunch area equipped with fully functional kitchen, microwave oven and a big fridge. Some staff members have lunch at the riverside local Pub called "The Host" which is only 40 meters away from the complex. Their most  Department of Information Technology popular dish, as voted by the majority of the employees is Dublin Bay Prawn with potato wedges. A number of employees spend their lunchtime break listening to their iPods or simply surfing the internet and (some in their personal Laptops or mobile and some in their workstations). Many employees claim that for them this is the most productive time.

The problem is that in the past there have been several incidents of industrial spying which led the Company to hire a Security Manager (yourself) to tighten security. These incidents took place across departments including R&D and went unnoticed and unpunished.

Your director asked you to evaluate the given proposed network showing any flaws and reasoning, as well as the impact of the flaws, in addition you are to design a new secured network including:

1a. Discuss and evaluate the given proposed network, in terms of Security, Availability, and Scalability etc. You will need to create a list with the highest priority threats to physical, IT infrastructure and data security within this organisation. Propose any special and or new components to improve security both at physical and logical security.

b. Thoroughly investigate and evaluate the network design and its associated IT security risks and research existing organizational security measures and controls to mitigate the risks.

2a. Design new network incorporating all necessary network components including all reasoning, analysis and evaluation in choosing the network components.

b. Base on your finding and your solutions provide a high-level security design for Company XYZ in a report format.

c. Propose a maintenance and troubleshooting documentation.

d. Reflect on the effectiveness of your design in meeting the requirements of company XYZ and the lessons learn in view of the outcomes and obstacles.

3a. Using your high-level design simulate and configure your selected technologies to meet the security design requirements.

b. To proof that your design is working according to the design requirement develop a test plan and test your solutions. Show the process of testing the network and include the test result in relation to; Access Control, traffic encryption etc.