Information security entails safeguarding the confidentiality, integrity, and availability of information. As requested by the company's CEO, a comprehensive assessment has been carried out to identify Pikes Peak Community College's probable vulnerabilities. The report offers a broad description of the network's enterprise infrastructure, the security models, and a suitable code of ethics, with an emphasis on the institution of higher learning, and identifies the prospective security risks to privacy, availability, authenticity, integrity, and accountability. The potential threats consist of environmental, physical, and human vulnerabilities. The report includes suggested resolutions and the essential steps towards improving information security processes, and it can be incorporated into the company's robust security plan.
Company Description
Founded in 1968, Pikes Peak Community College is considered one of Colorado's largest institutions of higher learning. Approximately 20,000 students are enrolled at the institution annually, and a total of 1,065 staff members are employed on a full-time basis at conveniently located campuses in Colorado Springs, Colorado. Significant population growth in Colorado during the past years created the need to enhance education services. Therefore, in 1986, the college's Downtown Studio campus was launched to offer more exposure to the institution's courses in arts and science and to provide a facility focusing on the arts. In 1998, the Rampart Range Campus was constructed in the northern area of the town, and in 2008, the Falcon Campus was constructed. In addition, the institution began operating education centers on Fort Carson, Peterson Air Force Base and the U.S. Air Force Academy. Pikes Peak Community College has become a renowned post-secondary learning institute in Southern Colorado and provides the most comprehensive and reasonably priced education within the state.
Security Model
Security models are fundamental elements that should be considered during the development of security structures and guidelines. They establish rules that define the access controls needed to implement the security policies. According to Thakur et al (2015), there are five information security models used to implement fundamental security concepts. The models include Bell-LaPadula, Harrison-Ruzzo-Ullman, the Chinese Wall model, Clark-Wilson, and the state machine model. Based on the institution's essential requirements, the appropriate models for implementing the security concepts are the Clark-Wilson and the Harrison-Ruzzo-Ullman security models. Both models meet the industry's requirements, counter a user's malicious intent, and can be applied to various sectors and to multilevel security at the operating system level.
Clark-Wilson Model
According to Thakur et al (2015), the Clark-Wilson model is considered the ideal model for safeguarding the integrity of data: it ensures that transactions are carried out only through an authorized program, and it uses separation of duties and auditing. The model manages two types of entities: constrained data items (CDIs) and unconstrained data items. The security model similarly deals with two kinds of procedures: integrity verification procedures (IVPs) and transformation procedures (TPs). The purpose of the IVPs is to confirm that the CDIs the TPs operate on are valid, and every TP must be certified to result in a valid change. Only approved TPs are authorized to manipulate a constrained data item.
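The rules described above, as an added example that is not taken from the report or from the college's systems: a constructed tuition ledger whose CDIs change only through TPs that a user is explicitly bound to, with an IVP checked after every TP, separation of duties on refunds, and an audit trail. The class `TuitionLedger`, the user names, and the amounts are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class PolicyViolation(Exception):
    """Raised when a Clark-Wilson rule blocks an operation."""

@dataclass
class TuitionLedger:
    # Constrained data items (CDIs); the values are constructed sample data.
    cdis: dict = field(default_factory=lambda: {"billed": 1000, "paid": 0, "due": 1000})
    triples: set = field(default_factory=set)    # allowed (user, TP, CDI) bindings
    pending: dict = field(default_factory=dict)  # refund id -> (requester, amount)
    audit: list = field(default_factory=list)    # append-only record of every attempt

    def ivp(self):
        """IVP: confirm the CDIs are in a valid state."""
        c = self.cdis
        return min(c["paid"], c["due"]) >= 0 and c["paid"] + c["due"] == c["billed"]

    def _run_tp(self, user, tp, touched, change):
        # The user must hold an access triple for every CDI the TP touches.
        if not all((user, tp, cdi) in self.triples for cdi in touched):
            self.audit.append((user, tp, "DENIED"))
            raise PolicyViolation(f"{user} is not authorized to run {tp}")
        before = dict(self.cdis)
        change(self.cdis)
        if not self.ivp():  # a TP must leave the CDIs valid, so undo the change
            self.cdis = before
            self.audit.append((user, tp, "ROLLED_BACK"))
            raise PolicyViolation(f"{tp} would leave the ledger invalid")
        self.audit.append((user, tp, "OK"))

    def post_payment(self, user, raw_amount):
        """TP: validate an unconstrained item (raw form input), then update CDIs."""
        if not (raw_amount.isascii() and raw_amount.isdigit()):
            self.audit.append((user, "post_payment", "BAD_INPUT"))
            raise PolicyViolation("amount must be a whole number")
        amount = int(raw_amount)

        def change(c):
            c["paid"] += amount
            c["due"] -= amount
        self._run_tp(user, "post_payment", ("paid", "due"), change)

    def request_refund(self, user, refund_id, amount):
        """TP: record a refund request; no CDI changes until it is approved."""
        self._run_tp(user, "request_refund", ("paid",), lambda c: None)
        self.pending[refund_id] = (user, amount)

    def approve_refund(self, user, refund_id):
        """TP: apply a refund; separation of duties bars the requester."""
        requester, amount = self.pending[refund_id]
        if user == requester:
            self.audit.append((user, "approve_refund", "DENIED"))
            raise PolicyViolation("requester cannot approve their own refund")

        def change(c):
            c["paid"] -= amount
            c["due"] += amount
        self._run_tp(user, "approve_refund", ("paid", "due"), change)
        del self.pending[refund_id]
```

Grant triples such as `("cashier", "post_payment", "paid")` before calling a TP; every attempt, allowed or refused, is appended to `audit`.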
Harrison–Ruzzo–Ullman
The Harrison-Ruzzo-Ullman model specifies access rights and authorization, and it verifies compliance with a given policy to prevent unauthorized access, in contrast to the Bell-LaPadula model, which does not have such procedures. Although access control lists have numerous disadvantages, the Harrison-Ruzzo-Ullman model can be implemented through an access control list. Therefore, for enhanced security, both models should be deployed together.
Bell-LaPadula Model
The Bell-LaPadula model is founded on a state machine model and was initially developed to accommodate the United States Department of Defense security levels. The model employs mandatory access controls, ensuring that resources remain accessible to the individuals who need them to carry out their duties. Even though it maintains confidentiality, it has various shortcomings: users cannot communicate with users on a different level, and the model does not address the integrity or availability of objects. However, the security model is suitable because a subject cannot downgrade data, and objects and subjects cannot change their security levels once the model is in operation.
State Machine Model
The state machine model derives from the computer science definition of the finite state machine. The model combines an external and an internal element to show that a system is always in a secure state, regardless of the outcome of the current operating state. The secure state concept influences most security models.
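The Bell-LaPadula and state machine passages above, combined in one added example that is not taken from the report or the college's systems: a small machine whose state is the set of granted accesses, where a request is granted only if the next state stays secure, plus a check that shows why a higher-level user cannot pass data to a lower-level one. The level names, subjects, and objects are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed labels for illustration; a higher number means more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class BlpMachine:
    subjects: dict                            # subject -> level, fixed at setup
    objects: dict                             # object -> level, fixed at setup
    access: set = field(default_factory=set)  # state: granted (subject, object, mode)

    def allowed(self, subject, obj, mode):
        s, o = LEVELS[self.subjects[subject]], LEVELS[self.objects[obj]]
        if mode == "read":
            return s >= o   # simple security property: no read up
        if mode == "write":
            return s <= o   # *-property: no write down (write here means append)
        return False        # unknown modes are never granted

    def is_secure(self):
        """State invariant: every granted access satisfies both properties."""
        return all(self.allowed(*a) for a in self.access)

    def step(self, subject, obj, mode):
        """Transition: grant the request only if the next state is secure."""
        if not self.allowed(subject, obj, mode):
            return "deny"   # state is unchanged, so it remains secure
        self.access.add((subject, obj, mode))
        return "grant"

    def can_send(self, sender, receiver):
        """True if some object lets data flow from sender to receiver."""
        return any(self.allowed(sender, o, "write") and self.allowed(receiver, o, "read")
                   for o in self.objects)

def demo():
    """Constructed subjects, objects, and requests."""
    m = BlpMachine(
        subjects={"registrar": "confidential", "tutor": "internal"},
        objects={"transcripts": "confidential", "schedule": "internal", "catalog": "public"},
    )
    requests = [("tutor", "transcripts", "read"), ("tutor", "schedule", "read"),
                ("registrar", "catalog", "write"), ("tutor", "transcripts", "write"),
                ("registrar", "transcripts", "read")]
    return m, [m.step(*r) for r in requests]

if __name__ == "__main__":
    machine, decisions = demo()
    print(decisions, machine.is_secure())
    print(machine.can_send("tutor", "registrar"), machine.can_send("registrar", "tutor"))
```

The class has no method for changing a level after setup, which mirrors the rule that subjects and objects keep their security levels.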
Infrastructure
A review of the institution's infrastructure is intended to provide a comprehensive assessment of the IT environment and to compare the outcomes against industry standards. The infrastructure assessment aims to offer recommendations on ways of improving the IT infrastructure and the environment to support the institution's objectives. In recent years, the institution merged three departments, the math lab, library, and the writer, into what is regarded as the learning commons. The merger entailed various software development changes to let learners request the services of a tutor, who acknowledges the request and is able to locate the learner.
The institution's network consists of approximately 75 nodes, along with the students' devices and study areas with iPads for making advance bookings. The ITSS division comprises three tiers at the main institution and also a technology desk within the learning commons. Every full-service campus is regarded as a one-stop study facility for learners, which requires numerous computer labs and personal devices. The corporation's infrastructure linked the initial 100-gigabit connections to the new data facility with isolated 40-gigabyte connections and the isolated data facility. The institution's information technology department finalized the connection plan between data sites and has switched the routing configuration between the data centers. The cross-links between CCCS and their ReliCloud infrastructure have been completed, and PPCC-IT personnel would begin building servers within the remote data center.
Vulnerabilities
A vulnerability is a flaw in a system's design, implementation, or administration that a threat agent might use to damage the system. According to Humayun et al (2020), there are three categories of security threats. First, asset corruption may occur if an unauthorized change is made to the system, which is likely to corrupt the system. Second, an asset leak may occur when a person accesses and passes on information without approval. Lastly, an asset loss may take place if information or components are destroyed or stolen. A security threat assessment is vital to the general security of every organization and helps reduce the impact of data breaches that stem from vulnerabilities. Every organization needs to safeguard personally identifiable data along with its other business assets. Security controls and suitable frameworks support this by strengthening security requirements. The ever-changing technology field presents numerous threats that are costly for corporations to recover from, and therefore it is vital to be adequately prepared and protected.
Every campus is configured to provide access to approved software applications and website portals within the network. The IT department should perform weekly scans to identify vulnerabilities on end hosts and networking devices. Once vulnerabilities are identified, the scan results are passed to the institution's directors so that they can be addressed and suitable mechanisms implemented. Even though tolerable threats are regularly discovered, they are reassessed frequently for permanent fixes to ensure that every asset within the network is hardened and to prevent malicious risks. Critical vulnerabilities are acknowledged and scheduled for resolution. Every threat is remediated according to its risk priority level. The institution's ITSS performed an enterprise evaluation with the college IT administrators to ensure that guidelines and authorizations are appropriately evaluated and implemented or removed to prevent unauthorized access to software and other resources. At present, there are probable security vulnerabilities that should be rectified immediately.
Robust Security Plan
Proper preparation is vital to maintaining and restoring services during any unforeseen disasters and risks that institutions and campuses might experience. Identifying the threats and applying the appropriate security precautions should be taken seriously to guarantee the reliability and confidentiality of the institution's systems and information. Vital resources must be identified to determine continuity and data recovery strategies and to create a communication plan. Policies should be verified before an incident occurs. The Robust Security Plan addresses every aspect, from physical access to IT systems to the transmission of data and safety.
For any institution, centralized network protection is an essential activity that should be enforced. It establishes guidelines on which personnel may gain access to the network and the conditions under which they may or may not connect. The main aim of the policy is to define the general network security that covers the institution's infrastructure. The policy would define the various network infrastructure elements and their roles in safeguarding the network environment.
Firewalls
Firewalls are set up to limit inbound and outbound connections to the corporation's main network. Every firewall and its related rules within the institution's network must be documented and must comply with the institution's standards. These records would be stored on the IT SharePoint site, where access to the data is limited to authorized employees.
VPN and Encryption Requirements
All private information sent over the public network would be encrypted using at least 256-bit encryption. Communications within the confines of the network, including external systems linked to the institution through a virtual private network, are considered protected and may not require encryption. If data regarded as private, for instance PHI, SSNs, or other information classified as confidential by the information owner, passes through an untrusted public network, for instance the internet, then the information would be encrypted with a minimum of 128-bit encryption. Options for encrypting data in transit include Secure Sockets Layer (SSL), which uses public key cryptography to encrypt web sessions between the web server and the user's browser.
The web server should possess a certificate issued by a public key infrastructure. For documents, Adobe Portable Document Format and the Microsoft Office suite have built-in encryption features that support algorithms up to 128 bits (Jacobs, 2011). Other modes of encrypting data at rest include full disk encryption, whereby all the contents of the disk are encrypted. The other method is operating system drive or file encryption, in which OS-provided security features encrypt a drive or a file. If an encryption solution is not available for an Internet transport protocol, for instance email or FTP, then data that has been classified as private should not be transferred through that protocol.
End-Users Responsibilities
It is important for users to be aware of the information classification standards and to encrypt data when appropriate. If the classification of the information is unknown, a user is obligated to check with the information owner. If the information owner cannot be identified or reached, the information should be encrypted when it is sent over the internet. A user should not bypass the encryption solutions. Posting sensitive information to external websites is prohibited unless the website is considered to be secure.
Custom IPS Signatures
Custom IPS signatures can be developed extensively to enhance protection further, for instance a custom IPS signature that protects unusual software applications. A custom signature relies on evaluating the application's network traffic and on pattern matching. The mechanism is typically used when the system experiences an unusual stream of traffic, so that a custom IPS signature observes and learns traffic patterns.
Fortinet Intrusion Prevention System
Fortinet Intrusion Prevention System technology safeguards systems from both known and unknown threats, preventing attacks that might otherwise take advantage of network vulnerabilities and unpatched systems. Fortinet understands the service provider and supports numerous software applications and operating systems. However, a diverse infrastructure is likely to complicate the maintenance and patching of all servers and network devices, resulting in interruptions and leaving systems vulnerable to cyber-security attacks. The IP devices would be integrated to offer a suitable, central location from which numerous IP devices can be configured and deployed. Additional products are integrated with Fortinet. They include Fortinet Intrusion Prevention Technology, Next-Generation Firewall, and Wireless Security platforms. They may be positioned at the network's edge or inside the network to protect critical internal business systems from external attacks.
Routers
The institution may need to deploy routers to help segment the network. A router would be positioned on the perimeter of the internal network in every department on the campuses within the state. Network engineers will manage and internally monitor the routers. Router configuration should comply with industry standards that provide the necessary security levels at the institution.
The learning institution has an official email address. Use of the institution's email and internet assets would be continuously monitored to ensure that they are used within the confines of the law and the institution's regulations. Every activity on any device connected to the network, including messaging on social websites, would always be checked regardless of ownership. Moreover, limits should be established on the dissemination of the group's private information and the duplication of information.
Every campus has been equipped with surveillance cameras and has a Campus Emergency Response Team. The team offers CERT training in basic disaster response skills to personnel, as requested within the report. Crime Prevention Through Environmental Design training and improved risk evaluation at the campuses are carried out as required in collaboration with other interested stakeholders within the industry. Surviving Active Shooter Training courses would be offered at each campus. A handbook would be developed to set out issues, concerns, opportunities, recommendations, and actions. The guidebook presents proposed principles and practices for risk-based, hands-on measures and a strong building system strategy to minimize the impact of a disaster. The institution has established relations with law enforcement agencies, such as the local sheriff and police departments, to offer extra support when required, and it uses the Connect-Ed emergency mass notification system to send emergency alerts to the workforce, learners, and departments.
Code of Conduct
Information security is a fundamental aspect of all organizations, and everyone has to protect private and sensitive information along with intellectual property. There are so many concerns about the possible misuse of electronic information that a code of ethics policy should exist in every corporation. An important aspect of every business is to keep the practices it uses within legal bounds, using only what has been acquired or approved. This Code of Ethics and Professional Conduct is developed within the framework of government, state, and local regulations (Tolk, 2017). In this case, the institution's top management and board of directors have authorized the code of ethics to be followed by staff members at the campus.
Help Desk or Support
IT personnel would receive communications and training on the code of ethics. First, the help desk or support staff are required to enforce every appropriate security measure across each campus department. The help desk will forward emails to another recipient only upon request by the owner. The help desk should not ask for user passwords. If numerous challenges are experienced, the IT department head will be tasked with providing guidance on the code of ethics. Because of the many changes in the technology field, the code of ethics may be reassessed after an incident.
Field Technicians
The computer technician must not ask other users for their passwords and must protect their own passwords with integrity. Technicians would not access mail while troubleshooting a computer problem unless given express authorization to do so. Remote access to desktops ought to be undertaken at the end user's request and with approval via a desktop prompt.
Network Engineers
Information conveyed through a system should not be inspected unless a maintenance procedure, for instance system diagnosis, is being conducted. Access to log data should be used only for business purposes and as needed to support the systems' integrity.
System Administrators & Database administrators
Information found in log files and databases ought not to be disclosed beyond what the IT group requires to develop, maintain, troubleshoot, or conduct diagnostics, except under the direction of the proper University or legal authority. The casual sharing of information found in records or databases that is not within the employee's assigned duties is strictly forbidden.
Security Engineers
The company's information security specialists abide by a strict code of ethics through their accreditation by the International System Security Certification management, which requires that the specialists, first, protect society, the commonwealth, and the infrastructure; second, provide diligent and competent service to principals; and third, act ethically, reliably, honestly, responsibly, and within the law.
Security engineers report any malicious action by malware and act ethically, particularly in the following situations. First, they conduct an investigation only within the scope identified by the alert and for the acknowledged reasons. Second, they trace the malicious activity to its point of origin and communicate with the owner and IT support, sharing the data and helping in the resolution process.
When performing a forensic study on an obtained computer, security engineers ought to limit their fact-finding narrowly, working only on pertinent data if a person declines to take part in the resolution process. The security engineers should keep physical and digital investigation resources, for instance a duplicate of a hard drive, firmly secured (Johnson, 2015). The engineers should also preserve a chain of custody for evidence, requiring accountability and sign-off at every step of the procedure.
Failing to adhere to the Code of Ethics may be considered a violation of the trust accorded and will result in management initiating disciplinary action and, in most cases, dismissal. In this case, the institution has a solid non-disclosure policy, and workers might be reprimanded or dismissed for breaching their non-disclosure responsibilities. All staff members need to maintain information privacy and protection by following ethical guidelines and commitments for brands, logos, and software licenses. The Code of Ethics document may require a signature on an annual basis to confirm that each member has acknowledged, read, and understood the contents of the code of ethics.
Conclusion
Information security primarily entails protecting the confidentiality, integrity, and availability of information. The security of the learning institution's database should be designed to balance protection with user experience. The evaluation was completed, and the probable vulnerabilities were identified in order to protect the Pikes Peak Community College network infrastructure, as requested. The institution's information will be reliable and protected once the suggested resolutions and the essential steps recommended in the robust security plan are implemented. Moreover, implementing a suitable code of ethics will provide the privacy, reliability, and availability that are vital for the institution to succeed. Breaching the non-disclosure responsibilities results in contract termination or dismissal.