Files attached below
Regional Gardens Case Study Regional Gardens Case Study Regional Gardens Ltd is a company that runs a number of related gardening enterprises. It has a large display garden that it opens for public inspection a number of times a year. The company also owns the Regional Gardens Nursery which sells plants and garden supplies to the public. The company also owns Regional Garden Planners, which is a small company that provides garden advice, design and consultancy services. The company has a small data centre at its main site in Bathurst where the company’s servers and data storage is located. The company has some 65 staff, who include management, administrative staff, nursery and Regional Garden Planners staff. The company has a range of different types of relatively old personal computers, which run mainly run Windows 7 Enterprise, to connect to the company data centre. The company also has 3 MacBook laptops running OS X. The company does not have a clear patching and update policy. As a result most servers and desktop machine are patched on an ad-hoc basis and as time, and operations, permit. The company has a small number of systems administration staff that are responsible for the management of the server infrastructure. But effective administration is somewhat hampered by the fact that the administrative passwords are generally well-known across the company. Company employees enjoy free, open, unrestricted access to the Internet, but realistically they only need to access certain websites on the Internet. Company management would like there to minimise the cost of accessing web resources. The company consists of the following departments: · Nursery staff (35 people) · Regional Gardens Planning (15 people) · Systems administration (3 people) · Management (4 people) · Human Resources & Legal (3 people) · Finance (3 people) · Administration (2 people) There are no formal onboarding and offboarding processes in the organisation. There is close to no policy framework in the organisation. Infrastructure The company uses several servers to conduct its core business. The company has the following server infrastructure: · 2 x Active Directory domain controllers on Windows Server 2008 R2; · 3 x SQL Server 2003 database servers on Windows Server 2003; · 1 x Exchange 2007 email server on Windows Server 2008 R2; · 4 x Windows Server 2003 File and Print servers; · 2 x Red Hat Enterprise 5 Linux servers running Apache and TomCat. Each of these servers are independent machines with relatively vanilla installs of their respective operating systems. The servers are not running the latest operating systems nor have they been recently patched. All servers have publicly accessible addresses and hence can be accessed from the Internet. The servers are all commodity x86 servers that have been purchased as required. There are no maintenance contracts on either the hardware or any installed software. Most of the servers and desktops are over five years old. Services and Data The servers store the following; · Home directories, · Mail, · Database objects for various development and production environments (for various departments), · Active Directory Meta Data Object, · Customer garden project information directories, · Nursery plant data directories, · Nursery supplies data directories · Corporate Finance and Personnel Data, · Web Page Data. · Customer data, · Market intelligence and strategic planning data. · Other forms of Intellectual Property Most services are only used within the company, however the company does have a internet presence via its web pages and mail server. Despite this some of the garden planners work from home in the evenings and access some services from their home workstations, tablets or mobile devices. You can assume there is no redundancy/ fail over in the disks hence if a disk goes bad, that data is lost and the service associated with it fails. The most important data to the company, in order of importance, is: Corporate finance data . Nursery product data . Nursery supplies data . Strategic planning data . Customer planning data, . Personnel data, . Web page data, . Email, The integrity of this data must always be preserved. Administration Most of the staff in the company knows the administration passwords for the servers and desktops. It should be noted that all users have accounts on the mail, database and database servers. The administration of the servers tends to be haphazard. There are often storage issues with storage as disks fill up regularly. There are a lot of active but unused accounts for users who have now left the company. The company is dependent on its servers for continued access to services, but there are no monitoring systems in place. External hackers have compromised some desktop machines in the past. The administrators are reasonably confident that the servers have not been compromised. That said, when a host is compromised; the administrators merely disable the hack and continue to allow the machine to be used. Most compromises are noticed too late, i.e. well after the hack has occurred. Security The company does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. All servers, and most desktops have a basic anti-virus system in place, but it has not been updated recently. There is no anti-virus on the MacBooks as the company has been told that they “don’t get viruses”. There is no overall email virus protection in this company. Backup and Disaster Recovery The company does not have any backup or disaster recovery systems/ procedures. Network and Physical Location The servers and core network infrastructure are located in common workspace as other infrastructure and employees of the organisation. In addition to this the servers are on the same networks as user workstations and there is no network security. The company is connected to the Internet via a ADSL modem connected to a router. The router connects to a several 10mb hubs, which provide access to the staff (there is only one LAN). Individual Workstations & Passwords Each employee has a desktop computer. Most of the computers are running a vanilla install of Windows 7 Enterprise that, in most cases, has not been patched since install. Employees often keep corporate data on these desktops in their home directory, which is not backed up. In addition to this everyone has administrator privileges to their workstation. As the environment is relaxed, a user can have accounts on other employee computers possibly using the same or different password. The company has no hard and fast rules about passwords; in fact the most common password used is the person’s name. These passwords are also indicative of what is used on the server machines. TASK back to top Read the Regional gardens case study document before attempting this assignment. Tasks: You have been employed by Regional Gardens as their first ever Chief Information Officer (CIO). You have been tasked by the Board to conduct a review of the company’s risks and start to deploy security policies to protect their data and resources. 1. Write a policy to preserve the integrity of Regional Garden’s data. In your policy you must: a. Define the intent and rationale of the policy, b. Define the scope of the policy i.e. who and what it effects, c. Define the responsibilities of individuals affected by the policy, including those responsible for enforcing the policy, as well as those who are affected by the policy, d. Include the mandatory requirements for the rules or actions that you think are reasonable to place into this policy to meet its intent and rationale, e. Include any exemptions that you think are reasonable to place into this policy to meet its intent and rationale, f. Define any terms which are used throughout the policy in a Glossary. Your Data Integrity policy should include the following headings: · Brief Overview · Policy Purpose and Rationale · Policy Scope · Roles and Responsibilities · Mandatory Requirements · Exemptions · Glossary RATIONALE back to top This assessment task will assess the following learning outcome/s: · be able to justify the goals and various key terms used in risk management and assess IT risk in business terms. · be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach. · be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk. MARKING CRITERIA AND STANDARDS back to top Task HD DI CR PS FL Marks Overview Comprehensive overview of purpose and scope of policy Broad overview of purpose and scope of policy Good overview of purpose and scope of policy Adequate overview of purpose and scope of policy Poor or inadequate overview of purpose and scope of policy 10 Purpose Excellent description of policy purpose and intent Very good description of policy purpose and intent Good description of policy purpose and intent Adequate description of policy purpose and intent Inadequate or incomplete description of policy purpose and intent 10 Scope Excellent definition of policy scope Broad definition of policy scope Good definition of policy scope Adequate definition of policy scope Inadequate or incomplete definition of policy scope 10 Responsibilities Comprehensive description of roles and their responsibilities Very good description of roles and their responsibilities Good description of roles and their responsibilities Adequate description of roles and their responsibilities Inadequate or incomplete description of roles and their responsibilities 20 Requirements and Exemptions Comprehensive description of all requirements necessary to satisfy case study problem Very good description of most requirements to satisfy case study problem Good description of many requirements to satisfy case study problem Adequate description of some requirements to satisfy case study problem Inadequate or incomplete description of requirements that fails to satisfy case study problem 40 Glossary Comprehensive glossary that defines all terms and acronyms used Very good glossary that defines most terms and acronyms used Good glossary that defines many terms and acronyms used Adequate glossary that defines some terms and acronyms used Inadequate or incomplete glossary that fails to define all terms and acronyms used 10 Referencing and Presentation Up to 5 marks may be deducted for incorrect or incomplete referencing in numbered IEEE format Up to 5 marks may be deducted for poor presentation, spelling and grammar PRESENTATION back to top When submitting your assignment be sure to meet the following presentation requirements: · Assignments are required to be submitted in a Word format (.doc, or .docx) only. Each assignment must be submitted as a single document. · Assignments should be typed using a 12 Point Font, Times New Roman/Arial and 1.5 Spacing. · This assignment should be referenced using the numbered IEEE style format.