Creating a company culture for security design document (2024)

Scenario:

Overview: Now that you’re super knowledgeable about security, let's put your newfound know-how to the test. You may find yourself in a tech role someday, where you need to design and influence a culture of security within an organization. This project is your opportunity to practice these important skillsets.

Assignment: In this project, you’ll create a security infrastructure design document for a fictional organization. The security services and tools you describe in the document must be able to meet the needs of the organization. Your work will be evaluated according to how well you met the organization’s requirements.

About the organization: This fictional organization has a small, but growing, employee base, with 50 employees in one small office. The company is an online retailer of the world's finest artisanal, hand-crafted widgets. They've hired you on as a security consultant to help bring their operations into better shape.

Organization requirements: As the security consultant, the company needs you to add security measures to the following systems:

· An external website permitting users to browse and purchase widgets

· An internal intranet website for employees to use

· Secure remote access for engineering employees

· Reasonable, basic firewall rules

· Wireless coverage in the office

· Reasonably secure configurations for laptops

Since this is a retail company that will be handling customer payment data, the organization would like to be extra cautious about privacy. They don't want customer information falling into the hands of an attacker due to malware infections or lost devices.

Engineers will require access to internal websites, along with remote, command line access to their workstations.

Grading: This is a required assignment for the module.

What you'll do: You’ll create a security infrastructure design document for a fictional organization. Your plan needs to meet the organization's requirements and the following elements should be incorporated into your plan:

· Authentication system

· External website security

· Internal website security

· Remote access solution

· Firewall and basic rules recommendations

· Wireless security

· VLAN configuration recommendations

· Laptop security configuration

· Application policy recommendations

· Security and privacy policy recommendations

· Intrusion detection or prevention for systems containing customer data

*** This is an example. I found the same assignment on Chegg.com. ***

Introduction

This document describes how the functional and nonfunctional requirements recorded in the Requirements Document, together with the preliminary user-oriented functional design, are addressed based on the design specifications.

Furthermore, it describes the design goals in accordance with the requirements by providing a high-level overview of the system architecture, and describes the data design associated with the system, as well as the human-machine scenarios in terms of interaction and operation. The high-level system design is further decomposed into low-level detailed design specifications, including hardware, software, data storage and retrieval mechanisms, and external interfaces.

Purpose of the Security Infrastructure Design Document

The Security Infrastructure Design Document documents and tracks the information required to define the architecture and system design effectively, so that it can give guidance on the security architecture of the IT environment that is going to be established.

2. General Overview and Design Approach

2.1 General Overview

The client requires an IT infrastructure to perform their business activities, which involve e-commerce applications and internal VPN access for their customers as well as employees, with a high priority on the security and privacy of both customer information and the client's own information.

2.2 Assumptions/Constraints/Risks

Assumptions

It is assumed that the number of employees increases by 5% every year, with a corresponding increase in network bandwidth usage and in the number of devices connected to the enterprise network infrastructure.

Constraints

The following are the key considerations associated with the security of the infrastructure:

· Authentication system

· External website security

· Internal website security

· Remote access solution

· Firewall and basic rules recommendations

· Wireless security

· VLAN configuration recommendations

· Laptop security configuration

· Application policy recommendations

· Security and privacy policy recommendations

· Intrusion detection or prevention for systems containing customer data

Risks

Since the infrastructure is meant to carry e-commerce transactions that may involve third-party merchant authorizations and financial matters, a strict security mechanism needs to be enforced to ensure that customers' transactions are not compromised, as any such issue may affect the reputation of the organization.

Additionally, there should be a backup mechanism that takes data backups at regular intervals to deal with unwanted situations such as system failures, attacks by intruders, etc.

2.3 Alignment with Federal Enterprise Architecture

The proposed architecture strictly complies with the Federal Enterprise Architecture. All the protocols and hardware interfaces used comply with the specified industry standards, so as to ensure compatibility of the networks as well as security in compliance with the CMS Enterprise Architecture (EA).

3. Design considerations

3.1 Goals:

The following are the desirable outcomes of the security infrastructure proposed to be implemented in the organization:

· An external website permitting users to browse and purchase widgets securely.

· An internal intranet website like that of a VPN for employees to use

· Secure remote access for engineering employees

· Reasonable, basic firewall rules

· Wireless coverage in the office

· Reasonably secure configurations for laptops

· Privacy of the user data

3.2 Architectural Strategies

For the external website where customers make purchases:

In order to provide a secure e-commerce transaction, the primary security goals include the following:

· Protecting confidentiality of the data

· Making sure that unauthorized persons or systems cannot access the information of users;

· Making sure that the information accessed is genuine;

· Making the data accessible and usable;

· Logging the transactions for further reference and support activity

· Verifying the authenticity of a person to perform a transaction.

1. For the intranet website accessed by employees:

Since the data is accessed by company employees only, it should be available only at the company's level of access, keeping it private from other information maintained on the infrastructure. The following are the considerations in this case:

· Making sure that the access is within their intranet by implementing a firewall mechanism

· Specifying the authentication mechanism to access the website by the employees

· Supervising the activities and user management on the website by an administrator

1. Secure remote access for engineering employees

Remote access controls can be implemented safely by basing them on the following security considerations:

Device type: What device types require remote access?

Role: What remote access is appropriate for that role given the device used?

Location: Is access from a public location, another company site, internal wireless, etc.?

Process and data: What processes and data are accessible given the first three access characteristics?

Authentication method: Does the need for strong authentication increase based on the device used, where it is used, and what it is allowed to access?

1. Basic firewall rules to be implemented:

Block by default – block all incoming and outgoing connections

Allow specific traffic – only allow specified IP addresses

Allow inbound – only allow intranet users

1. Wireless coverage in the office

Wireless coverage can be provided with an 802.11 WLAN adapter/router using a PSK (pre-shared key) configuration, or with login-based limited access to the company Wi-Fi for employees.

Security considerations: Access should be password protected and metered.

1. VLAN configuration:

VLAN network segmentation creates security zones that enable flexible and strong control of what a remote user can access, with the zones separating incoming traffic from internal resources. Using dynamic VLAN assignments and access control lists, we can control user access based on the conditions.
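The "block by default" firewall rules and the VLAN security zones described above can be modelled together as a first-match policy. This is an added example, not part of the original design document; the zone names, subnets and rule list are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Hypothetical VLAN plan for the office; every subnet here is constructed.
ZONES = {
    "dmz": ip_network("10.0.10.0/24"),      # external web shop
    "servers": ip_network("10.0.20.0/24"),  # intranet site and customer-data systems
    "staff": ip_network("10.0.30.0/24"),    # employee laptops, corporate Wi-Fi
    "eng": ip_network("10.0.40.0/24"),      # engineering workstations
    "vpn": ip_network("10.0.50.0/24"),      # addresses given to remote-access clients
    "guest": ip_network("10.0.60.0/24"),    # guest Wi-Fi
}


def zone_of(addr: str) -> str:
    """Map an IP address to its VLAN zone; anything unknown is 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str             # zone name, or "any"
    dst: str             # zone name, or "any"
    port: Optional[int]  # destination TCP port, None for any port
    action: str          # "allow" or "deny"
    note: str


# Evaluated top to bottom, first match wins; explicit denies sit above allows.
RULES = [
    Rule("guest", "servers", None, "deny", "guest Wi-Fi never reaches internal servers"),
    Rule("any", "dmz", 443, "allow", "public HTTPS to the web shop"),
    Rule("staff", "servers", 443, "allow", "employees to the intranet site"),
    Rule("eng", "servers", 443, "allow", "engineers to internal websites"),
    Rule("vpn", "servers", 443, "allow", "remote engineers to internal websites"),
    Rule("vpn", "eng", 22, "allow", "remote command-line access to workstations"),
    Rule("staff", "internet", 443, "allow", "outbound web browsing"),
    Rule("eng", "internet", 443, "allow", "outbound web browsing"),
    Rule("guest", "internet", 443, "allow", "guest outbound web only"),
]


def decide(src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """Return (action, reason) for one connection attempt; no match means deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if (rule.src in ("any", src) and rule.dst in ("any", dst)
                and rule.port in (None, port)):
            return rule.action, rule.note
    return "deny", "default deny: no rule matched"


if __name__ == "__main__":
    # Constructed connection attempts (203.0.113.0/24 is a documentation range).
    samples = [
        ("203.0.113.7", "10.0.10.5", 443),   # customer to web shop
        ("203.0.113.7", "10.0.20.5", 443),   # internet to intranet server
        ("10.0.50.9", "10.0.40.12", 22),     # VPN engineer to own workstation
        ("10.0.60.4", "10.0.20.5", 443),     # guest Wi-Fi to intranet server
    ]
    for sample in samples:
        print(sample, "->", decide(*sample))
```

Because the final return is the deny, a forgotten rule fails closed: traffic that nobody thought about is dropped rather than passed.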

1. Laptop Security configuration:

One of the most vulnerable parts of the infrastructure is the laptop computers that employees use. These devices can be responsible for bringing in viruses or malware, or for causing the organization to lose sensitive data. These risks can be kept in check using techniques such as:

· Encrypting the disks on the laptops

· Ensuring antimalware/antivirus software is updated at regular intervals

· Whitelisting the devices on the network

· Running a product such as System Center Configuration Manager, LANDesk, Altiris, or some other systems management platform

1. Application policy recommendations

· Integrate secure coding principles in all software components of infrastructure.

· Perform automated application security testing as part of the overall application testing process.

· Development and testing environments should redact all sensitive data or use de-identified data.

· Compliance with industry standard data policies and protocols

1. Security and privacy policy recommendations

Explain how the organization collects and uses personal information

· Cookie Policy – Cookies are used to store user preferences or shopping cart contents. Clearly explain your cookie practice.

· How the organization will share customer information – Customers need to know that their data will only be used to complete the transaction and that any further use of that data (including selling or distributing it) requires their consent.

· Contact Information – Make it easy for your customers to contact you or file a complaint.

Display Privacy Policy – Make it mandatory that new customers or users have easy access to your policy.

Publish Email Opt-Out Policies – Include opt-out options in your email marketing.

Get a Seal of Approval – Third-party validation of your online privacy and security policy can enhance your credibility and customers' trust in your security.

Intrusion detection or prevention for systems containing customer data

As the demand for e-commerce grows on the Internet, so will the potential for e-commerce sites to be attacked. Implementing security methodologies for an e-commerce environment is not a simple thing. The design should consider the various threats and anomalies that can lead to an attack. This can be achieved through penetration testing and reverse engineering, with detection by signature or by anomaly. It can also be achieved with a third-party IDS readily available on the market.

Summary

In conclusion, the security infrastructure of the organization has been assessed, and recommendations have been made as required for the proposed environment.

Key assets being protected:

Customer information, Company related information

Key threats to protect against:

Intrusion to website, Data Loss

Key activities to protect against:

Customer purchase of artifacts, payment transactions, employee data

Relative ranking of fundamental security goals:

This is an important exercise for every organization as part of the risk mitigation planning process. For this project, the ranking came out like this:

Confidentiality: high

Integrity: high

Availability: medium

Auditability: medium

Nonrepudiation: N/A

FAQs

How do you create a corporate security culture?

How to Foster a Positive Security Culture in Your Organization
  1. Create Simple, Transparent Information Security Policies. ...
  2. Empower Employees with Security Awareness Training. ...
  3. Make Information Security a Company Priority. ...
  4. Reward Employees for Contributing to a Positive Security Culture.

What is a security design document?

Security infrastructure design documentation aims to capture and monitor all the necessary data for effective architecture design and the subsequent formation of a security architecture management system for enterprise IT.

What is the first step in performing a security risk assessment?

  • Step 1: Determine the scope of the risk assessment. ...
  • Step 2: How to identify cybersecurity risks. ...
  • Step 3: Analyze risks and determine potential impact. ...
  • Step 4: Determine and prioritize risks. ...
  • Step 5: Document all risks.

What is the security culture framework?

The Security Culture Framework is a free and open framework, methodology and philosophy to work with security culture. Created by Kai Roer, Chief Research Officer at KnowBe4 and maintained by a global community, the SCF is used by hundreds of organizations around the world to build and maintain security culture.

What is the meaning of security culture?

Security culture refers to the set of values, shared by everyone in an organisation, that determine how people are expected to think about and approach security. Getting security culture right will help develop a security conscious workforce, and promote the desired security behaviours you want from staff.

What are the 3 types of infrastructure security?

Access Control: The prevention of unauthorized users and devices from accessing the network. Application Security: Security measures placed on hardware and software to lock down potential vulnerabilities. Firewalls: Gatekeeping devices that can allow or prevent specific traffic from entering or leaving the network.

How do you build a resilient information security infrastructure?

Build with resilience
  1. Having a backup power generator.
  2. Developing a business continuity plan.
  3. Building with materials appropriate to the area's natural risks.
  4. Implementing annual cybersecurity training for employees.

How do I design an authentication system?

How does it work?
  1. Get the username and password from user.
  2. Set it in request form params and send it to the server.
  3. Server validates the user based on the given username and password
  4. Once successful validation, create a cookie and set it in the response.
  5. The client then uses this cookie/session to make future requests.

Which documents are required for the security design review?

The Project Manager must provide the VA Coordinator with the approved DAD and all other design and related security documentation prior to the assessment, including (but not limited to) the Information Security Classification, Network Diagrams (Visio); and other relevant documentation, as identified by the VA ...

What does Google use for security?

We use multiple physical security layers to protect our data center floors. We use biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems. For more information, see Data center security. We also host some servers in third-party data centers.

What IT security measures are taken by Google?

We safeguard your data.

We name these data chunks randomly, as an extra measure of security, making them unreadable to the human eye. While you work, our servers automatically back up your critical data. So when accidents happen — if your computer crashes or gets stolen — you can be up and running again in seconds.

What are the 3 steps of security risk assessment?

A successful data security risk assessment usually can be broken down into three steps: Identify what the risks are to your critical systems and sensitive data. Identify and organize your data by the weight of the risk associated with it. Take action to mitigate the risks.

What is a risk assessment framework?

A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure. A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand.

How do you measure security culture?

We measure security culture by gathering a lot of qualitative data to understand why people are doing what they're doing. It goes back to the classic “start with why,” and then crunching numbers from surveys. We use grounded theory to qualify the data we get back.

What are the three main goals of security?

Security of computer networks and systems is almost always discussed within information security that has three fundamental objectives, namely confidentiality, integrity, and availability.

Why is a strong security culture important?

Secure Workforce: The stronger your security culture is, the more likely your workforce will exhibit secure behaviors, and as a result your organization will be far more secure. This is critical in today's environment. The 2021 Verizon DBIR identified people were involved in over 85% of all breaches globally.

What is the purpose of developing a culture of security in an organization?

Creating a culture of security is crucial to making sure your organization is implementing the necessary tools and processes to minimize risk. This culture is driven from the top down through executive decisions and internal promotion of effective cybersecurity processes and procedures.

What is security risk culture?

Policy drives and sustains corporate security risk culture, which is the individual and organizational DNA that represents the tendency to want to do the right thing in the right way at the right time, even if no one is looking.

Which three things work together to secure an organization's environment?

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.

What are the 4 objectives of planning for security?

The Four Objectives of Security: Confidentiality, Integrity, Availability, and Nonrepudiation. Roles and Responsibilities.

What are the 6 types of security?

What are the 6 types of security infrastructure systems?
  • Access Controls. The act of restricting access to sensitive data or systems enables your enterprise to mitigate the potential risks associated with data exposure. ...
  • Application Security. ...
  • Behavioral Analytics. ...
  • Firewalls. ...
  • Virtual Private Networks. ...
  • Wireless Security.

What does SIEM stand for?

Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources.

How is resilience different from security?

The measures under the “security” list are about locking up. Those under “resilience” are about standing up. Security is about hunkering down. Resilience is about doing business.

How would you ensure a safe and secure infrastructure build?

How to Make Your IT Infrastructure More Secure
  1. Have experts conduct an IT assessment/audit and planning. ...
  2. Create and enforce IT security policies. ...
  3. Enforce a strong password policy. ...
  4. Back-up your data. ...
  5. Always update your anti-virus software. ...
  6. Update workstations and software. ...
  7. Update your firewall.

What is security resilience?

Security resilience enables organizations to protect the integrity of business amidst unpredictable threats or change.

How do you design token based authentication and authorization?

Accessing Resource Flow

Decode the first (header) part and check its alg and type. Using the defined algorithm, re-sign the token with the shared, defined secret_key or private key so that it generates the signature part. Check whether the generated signature part equals the third (signature) part.
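The verification steps above, written out for the shared-secret (HS256) case using only the Python standard library. This is an added example, not code from the original page; the function names, the sample key and the sample claims are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Verifier-side allow-list: the header's "alg" is accepted only if listed here,
# so a token cannot talk the verifier into "none" or another algorithm.
ALLOWED_ALGS = {"HS256": hashlib.sha256}
SAMPLE_KEY = b"constructed-demo-key"  # constructed value, not a real secret


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    # Tokens strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Issue an HMAC-SHA256 signed token (used here to build constructed samples)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8"))
             for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_token(token: str, key: bytes) -> dict:
    """Return the payload if the token is authentic, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # Step 1: decode the header and check its algorithm and type.
    header = json.loads(b64url_decode(header_b64))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    if header.get("typ") != "JWT":
        raise ValueError("unexpected token type")

    # Step 2: re-sign "header.payload" with the shared secret.
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, ALLOWED_ALGS[alg]).digest()

    # Step 3: compare with the third part in constant time.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def is_authentic(token: str, key: bytes) -> bool:
    """Boolean wrapper: any parsing or verification failure counts as a rejection."""
    try:
        verify_token(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "engineer1"}, SAMPLE_KEY)
    print(verify_token(token, SAMPLE_KEY))
```

The payload is parsed only after the signature check passes, so unauthenticated claims are never returned to the caller.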

What are the common authentication types and when do you use them?

What are the types of authentication?
  • Single-Factor/Primary Authentication. ...
  • Two-Factor Authentication (2FA) ...
  • Single Sign-On (SSO) ...
  • Multi-Factor Authentication (MFA) ...
  • Password Authentication Protocol (PAP) ...
  • Challenge Handshake Authentication Protocol (CHAP) ...
  • Extensible Authentication Protocol (EAP)

What makes a good security culture?

The biggest drivers of your security culture are often your security policies and how your security team communicates, enables and enforces those policies. If you have relatively easy to follow, common sense policies communicated by an engaging and supportive security team, you will have a strong security culture.

What are the benefits to a company and to individual employees of creating a culture of cybersecurity?

A cyber-savvy mindset and cyber secure culture help deliver growth through digital trust, improve an organisation's reputation with customers and build employee pride.

What role do the employees of an organization play in achieving a strong security system?

Every employee in every department has a role to play in keeping the company secure. At the very least this includes awareness of the risks and basic security practices, such as keeping an eye open for phishing emails, being wary of possible social engineering schemes, and using strong passwords.

How do you create a cyber security culture?

Create a cybersecurity culture by weaving cybersecurity through organizational procedures and practices, and maintaining an active conversation.
  1. Be honest. ...
  2. Outline the mission. ...
  3. Win executive support. ...
  4. Win employee support. ...
  5. Define roles and expectations. ...
  6. Invest in training. ...
  7. Keep score. ...
  8. Create a lively conversation.

What are the major components of a cybersecurity culture?

The 7 Elements of an Organization's Cybersecurity Culture
  • Leadership. Leadership support is paramount to a strong security culture. ...
  • Cross-Functional Liaisons. ...
  • Education. ...
  • Employee Relevance. ...
  • Attitudes and Actions. ...
  • Ecosystem. ...
  • Metrics.

What is security culture and awareness?

Security culture is a wider concept than security awareness, encompassing not only knowledge of security risks but a total of 7 key dimensions: attitudes, behaviors, cognition, communication, compliance, norms, and responsibilities. At CLTRe, we consider awareness and knowledge as a part of cognition.

What is the most important aspect of security?

Physical security is the most important aspect of overall security.

How can security be improved in an organization?

14 Ways to Improve Data Security of Your Organization
  1. Take inventory. ...
  2. Pay Attention To Insider Threats. ...
  3. Train Your Employees. ...
  4. Limit Employee Access To Data. ...
  5. Encrypt All Devices. ...
  6. Testing Your Security. ...
  7. Delete Redundant Data. ...
  8. Establish Strong Passwords.

How can corporate security be improved?

6 Ways to Improve Your Small Business' Security
  1. Regulate access. ...
  2. Do a building check before and after work. ...
  3. Upgrade your doors, windows, and locks. ...
  4. Shred important documents before disposing of them. ...
  5. Prioritize cybersecurity. ...
  6. Develop a response plan.

Article information

Author: Moshe Kshlerin
