IT Security Manager in a Multinational Company - Coursework

This coursework is designed to demonstrate the broad understanding and knowledge of the module, assessing, and evaluating the student’s strength and level of analysis; divided into four learning outcomes. The coursework should be submitted as one document in a report format in final submission.

You have just been appointed as IT Security Manager in a multinational company in Dublin. You are responsible for physical, IT and information/data security. The company conducts secure research for defence.

These are three departments within this company:

• Research and Development,

• Information Technology,

• Personnel,

R&D is the one department with good security (biometric and card-based access control systems and running its network with the company's network using third party VPN). Since it is connected to the company’s network, R&D servers recently got attacked with Distributed Denial of Service attack (DDoS) and even with Man in the middle attack. Recent audit has also been found that there was an incorrect configuration of firewall policies.

All offices are on the ground floor with servers (email, ftp, web servers etc) and document filling rooms and photocopiers in the basement which are easily accessible to all employees of their day to day duties. In each department, there are several workstations, network printers, USB based local printer/plotter/scanners, USB and network drives.

There is also a smoking area just outside the building, conveniently situated next to the staff car park which is open for visitors and contractors as well. The company’s Wi-Fi signals can be sensed by wireless devices in the smoking area.

Initially, you need to carry out investigation about the IT security risks, existing organisational security procedure and controls to mitigate the risks. You also need to consider IT security policies, data protection laws, risk assessment methods, and security audit necessary for improving the overall security.

As IT Manager, your first task as part of your new role is to provide an IT security awareness training to all employees. The training presentation shall include different types of IT security risks together with network security tools and risk assessment and treatment methods. In addition to presentation, you should also produce a detailed report containing technical review of the topics covered in the presentation.

• Your presentation should include different IT security risks and IT security Solutions.

• Presentation will be 10 minutes to educate your colleagues and tutor. The presentation can include any citation if necessary, with the College referencing format (Harvard system) and any presentation note. The presentation slides with speaker note need to be attached to the main document when you submit your assignment.

• Your written report should include a summary of your presentation including detailed organisational security procedure, critical review of the security solution including security tool, monitoring system, risk assessment, treatment method and their contribution towards a trusted network.

Presentation should cover the following points.

• Identify types of security risks to organisation given in the scenario.

• Describe security procedures that should be implemented in the organisation in the given scenario and present with a method to assess and treat IT security risks.

• Present potential impact to IT security of incorrect configuration of firewall policies and third-party VPNs.

• Present with the discussion by evaluating different network security tools such as DMZ, static IP and NAT including the benefits to implement network-monitoring systems with example.

You should follow the assignment brief scenario and produce the followings:

Produce a report that contains the followings:

• Discussion of Risk assessment procedure including Data protection regulation and risk management standard ISO 31000 applicability to the IT security.

• IT security audit impact on organisational security.

• Develop an IT security policy based on the scenario context and main components of disaster recovery plan with justification the reason for inclusions.

• The responsibilities of employees and stakeholders in relation to implementation of security audit recommendations

You are required to consider and evaluate the alignment of IT security with organisational policy and suitability of using tools used in organisational policy.