TASK

back to top

SoftArc Engineering Ltd (SEL) is a civil engineering company which works across Australia as well as in New Zealand, Fiji, Vanuatu, Indonesia, Timor Leste and Papua New Guinea.

SEL has a small data centre at its main site in Bathurst where the company's servers and data storage is located. The company has the following server infrastructure:

• 2 x Active Directory domain controllers on Windows Server 2008 R2, (2 x Xeon 3.6GHZ, 8GB RAM, 140GB HDD);
• 3 x SQL Server 2003 database servers on Windows Server 2003 (2 x Xeon 2.8GHZ, 4GB RAM, 250GB RAID-5 array);
• 1 x Exchange 2007 email server on Windows Server 2008 R2 (2 x Xeon 3.6GHZ, 8GB RAM, 250GB RAID-1 array);
• 4 x Windows Server 2003 File and Print servers (2 x Xeon 2.8GHZ, 4GB RAM, 250GB RAID-1 array);
• 2 x Windows Server 2008 R2 running Microsoft SharePoint 2013 (2 x Xeon 2.8GHZ, 4GB RAM, 250GB RAID-5 array);
• 2 x Red Hat Enterprise 5 Linux servers running Apache and TomCat (2 x Xeon 2.8GHZ, 16GB RAM, 140GB HDD)
• 1 x Cisco ASA 5512-X firewall running v9.6 ASA software .

The company has some 70 engineeringand support staff that work on different projects for clients in various locations in Australia and overseas. The support staff are mainly based in Bathurst, but engineering staff are located in different parts of Australia, New Zealand, an d Papua New Guinea. Most of the support staffhave access to a PC, although some support staff share a PC with other staff. The engineering staff all connect remotely to the SEL data centre from their laptops. The SEL data centre infrastructure has not been updated for some time and the SEL Board is concerned that they may be exposed to a cyber attack as they are now starting to work on various Government projects in different countries.

Tasks:

You have been employed by SEL as their first ever Chief Information Security Officer (CISO). You have been tasked by the Board to conduct a review of the company's risks and start to deploy security policies to protect their data and resources.

1. Write a policy to preserve the integrity and confidentiality of SEL data. In your policy you must:
2. Define the intent and rationale of the policy,
3. Define the scope of the policy i.e. who and what it effects,
4. Define the responsibilities of individuals affected by the policy, including those responsible for enforcing the policy, as well as those who are affected by the policy,
5. Include the mandatory requirements for the rules or actions that you think are reasonable to place into this policy to meet its intent and rationale,
6. Include any exemptions that you think are reasonable to place into this policy to meet its intent and rationale,
7. Define any terms which are used throughout the policy in a Glossary.

Your Data policy should include the following headings:

• Brief Overview
• Policy Purpose and Rationale
• Policy Scope
• Roles and Responsibilities
• Mandatory Requirements
• Exemptions
• Glossary