Assume you are a security engineer for a corporation. This corporation has developed a classification scheme as follows:
| Classification | Risk Level | Types of Data |
|---|---|---|
| Public | Low | Stock Reports, News Releases |
| Internal Use | Low | Network Diagrams, Security Policy |
| Confidential | Medium | System Configuration Procedures, Vulnerability Testing Results |
| Restricted | High | Payroll Data, HR Benefits Claims |
For this assignment, put together guidelines for the engineering teams on protecting the data types above. For each classification, which components would you require (for example, firewalls, IDS, two-factor authentication, AV, etc.)?
Reflection
What are your thoughts about your results? What are your feelings towards this assignment? How would you improve it? Submit this with your assignment.
Solution
The following are the classifications, each with the suggested security components and guidelines:
1. Public: This is a low-risk classification; it contains news reports that are meant to be viewed by the public, so there isn't much confidential information in it. The kinds of risks on such systems involve the following:
So, for protection, a basic firewall can be used. It must monitor the number of requests from each IP address and/or network, which helps prevent and control denial-of-service attacks.
Another concern with such systems is that the server must provide maximum uptime. It is not acceptable for a public server that hosts news and stock reports to go down often, so backup servers must also be put in place.
Therefore, a basic firewall and backup systems are sufficient security for such systems.
2. Internal Use: Just like public servers, this is also a low-risk classification. It contains data to be used inside the organization. Such data is usually viewable by anyone in the organization: these are dumps of common data that are non-confidential but very frequently used by people in the organization.
The following measures can be taken in such systems:
3. Confidential: These systems contain the confidential data of the organization. Only certain people are allowed to access such data. Therefore, there must be higher security in such a system, because it is a medium-risk area.
4. Restricted: This classification is a high-risk area. It contains very sensitive data of the organization, such as payroll data, future plans of the organization, and sensitive data regarding the organization's important personnel.
Hence, the security must be very high in such a classification:
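One way to turn the guidelines above into something an engineering team can check automatically is a small policy-as-code rule: encode the classification table, make each tier inherit the controls of the tiers below it, and give a system the highest classification of any data it hosts. The block below is an added example, not part of the assignment or its solution; the control names, and the control sets for Internal Use, Confidential and Restricted, are assumed for illustration (the solution only spells out a rate-monitoring firewall and backups for Public).

```python
# Added example: policy-as-code check for the classification scheme on this page.
# Control names are illustrative labels, not a real product's configuration keys.

# Classification -> (risk level, controls required at that tier).
# Each tier inherits everything required by the tiers below it.
TIERS = [
    ("Public",       "Low",    {"firewall-rate-limit", "backup-server"}),
    ("Internal Use", "Low",    {"authentication", "av"}),                           # assumed
    ("Confidential", "Medium", {"access-control-list", "ids", "encryption-at-rest"}),  # assumed
    ("Restricted",   "High",   {"2fa", "audit-logging"}),                           # assumed
]

def required_controls(classification: str) -> set[str]:
    """Union of the controls for this tier and every lower tier."""
    needed: set[str] = set()
    for name, _risk, controls in TIERS:
        needed |= controls
        if name == classification:
            return needed
    raise ValueError(f"unknown classification: {classification}")

def highest_classification(data_types: list[str], catalogue: dict[str, str]) -> str:
    """A system inherits the highest classification of any data it hosts."""
    order = [name for name, _risk, _controls in TIERS]
    return max((catalogue[d] for d in data_types), key=order.index)

def control_gaps(data_types: list[str], deployed: list[str],
                 catalogue: dict[str, str]) -> tuple[str, set[str]]:
    """Return (effective classification, controls still missing on the system)."""
    cls = highest_classification(data_types, catalogue)
    return cls, required_controls(cls) - set(deployed)

# Data catalogue constructed from the classification table on this page.
CATALOGUE = {
    "Stock Reports": "Public", "News Releases": "Public",
    "Network Diagrams": "Internal Use", "Security Policy": "Internal Use",
    "System Configuration Procedures": "Confidential",
    "Vulnerability Testing Results": "Confidential",
    "Payroll Data": "Restricted", "HR Benefits Claims": "Restricted",
}

if __name__ == "__main__":
    # Constructed case: a "public" news server that also ended up holding payroll data,
    # so it must be treated as Restricted and is missing most of the required controls.
    cls, gaps = control_gaps(["News Releases", "Payroll Data"],
                             ["firewall-rate-limit", "backup-server", "av"], CATALOGUE)
    print(cls, sorted(gaps))
```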

