Question
You have been employed as a Junior Network Security Specialist for Phaeton Security Solutions Limited (PSS). PSS provides network security solutions for a range of clients from multiple industry sectors. The services offered by PSS include:
Providing a security audit of an organisation's network in the context of its business requirements
Reviewing and recommending improvements to an organisation's network security
Implementing network security solutions.
PSS usually has large, multinational corporations as their clients, but the CEO has received an unusual request from a new client and has decided that this would be an ideal project for you to handle by yourself.
The client is the Dowding Federation, an Academy chain consisting of three sixth-form colleges (SFC). The Dowding Federation has a chief executive officer and manages an educational budget of UKP 16.4 million.
One of the colleges that is part of this chain is Wargrave College, a large SFC with 2000 students that specialises in computer science, maths, and engineering.
Wargrave College has 65 members of staff, both teaching and non-teaching, and has an operating budget of UKP 5.3 million.
All staff data, both personal and for payroll, are kept on dedicated Human Resource (HR) servers located within the Network Server Room.
All student data is kept on the college Student Information System (SIS), which contains data such as:
Contact details for students and parents
Medical history and other sensitive information
Assessment data from homework and examinations as well as historical GCSE data
Attendance data (Present/Not Present/Authorised Absent) for all lessons while at college
Any Special Educational Needs (SEN) data.
All college files were on a shared public access fileserver. This contained all educational resources created by teachers and areas for students to upload and download coursework assignments and homework.
Students logging in to any computer on the college network had Read Access to the fileserver; teachers had Read/Write access.
The college maintained its own email exchange server, holding all staff and student emails as well as historical emails from all previous years.
The email server, file server, backup NAS drive and Network Domain Server were in a non-secured room in the IT Technicians office. This room was never locked in case staff or students needed IT support.
The college had a Virtual Learning Platform (VLP) that provides a web interface to the fileserver and gives students a way to access course materials.
The college computers ran older versions of Windows 8.1, as it was determined to be too expensive to migrate to the current version of the software.
To save money, a freeware VPN had been set up to allow teachers to access college materials from home using college laptops with VPN client software installed. It was still possible for staff members to access the fileserver directly using Remote Desktop.
Since the college was deemed to be at a minimal risk of cyber-attacks, most of the security countermeasures were designed to minimise the threat from malicious damage from students:
All IT labs were locked and could not be opened without a swipe card
College policy was that no student could be in an IT lab unsupervised
Virus scanners had been configured to automatically scan any USB drive plugged into a device
All optical drives had been removed from each college computer.
An Acceptable Use Policy was created for students (see Appendix 1). Staff were not considered a security threat, so no staff policies were created.
Similarly, the college had a simple firewall; however, this was configured only to block attempts at network intrusion from known malicious blacksite IP addresses.
The Federation CEO deemed the college to be a low-priority threat, and data backups involved a single 8TB Network Attached Storage (NAS) Drive, where data was backed up each week.
Security procedures were not strictly followed as it was thought there was no requirement because the college was a soft target.
Assignment activity and guidance
Activity 1
Produce a formal report (with supporting notes) on a review of the range of IT security threats that are faced by an organisation like Wargrave College, and describe and evaluate the range of countermeasures, both physical and virtual.
Your report should include a section on security risks, including:
A discussion of the different types of security risks to an organisation like Wargrave College.
An assessment of the organisational security procedures presented in the given scenario (Appendix 1 Current Security Policy for Wargrave College).
An analysis, with reasons, of the benefits of implementing network monitoring systems.
You should discuss a range of security countermeasures for the identified risks, including the following.
A discussion of the potential security impact of incorrect configuration of:
o Firewall policies
o Third-party VPN clients and servers.
A discussion, using a specific example from either your research or the Wargrave College scenario, of how implementing each of the following can improve network security:
o A De-Militarized Zone (DMZ)
o A Static IP
o Network Address Translation (NAT).
A proposal for a method to assess and treat IT security risks.
An evaluation of the range of countermeasures that can be employed to make sure that an organisation's integrity is not compromised. Organisational integrity could be either Data Security or Operational Continuance. Make sure that you include both physical and virtual security countermeasures.
You should support any points you make in the presentation with well-chosen examples from any research you have carried out on related sectors or security scenarios.
Activity 2
Produce a process review document on all the processes required in Activity 1. Your process review should include the following.
A review of the current risk assessment procedures in Wargrave College (Appendix 2 Risk Assessment).
A report on Activity 1.
An explanation of data protection processes and regulations applied to Wargrave College
A summary of an appropriate risk-management strategy or applied ISO standard and its application to IT security at Wargrave College
An analysis of possible impacts on security at Wargrave College following an IT security audit.
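The brief asks for a method to assess and treat IT security risks (Activity 1) and a review of the college's risk assessment procedures (Activity 2). The following is an added example, not part of the assignment or its appendices, of a qualitative likelihood x impact method applied to findings from the scenario; the scores, the score bands, and the effect of each proposed control are assumptions.

```python
# Added example (not part of the assignment): a qualitative risk-assessment method,
# likelihood x impact on a 1..5 scale, applied to findings from the Wargrave College
# scenario. Scores, bands and control effects are illustrative assumptions.
from dataclasses import dataclass

TREATMENT_BANDS = [(15, "treat now"), (8, "treat (planned)"), (4, "monitor"), (1, "accept")]


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int               # 1 = rare .. 5 = almost certain
    impact: int                   # 1 = negligible .. 5 = severe
    control: str = ""             # proposed countermeasure
    residual_likelihood: int = 0  # after the control; 0 = unchanged
    residual_impact: int = 0      # after the control; 0 = unchanged

    def score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        return (self.residual_likelihood or self.likelihood) * (self.residual_impact or self.impact)


def treatment(score: int) -> str:
    """Map a risk score to a treatment decision using TREATMENT_BANDS."""
    for threshold, action in TREATMENT_BANDS:
        if score >= threshold:
            return action
    return "accept"


def rank(risks):
    """Risk register ordered by inherent score, highest first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed register built from the scenario findings (illustrative scores).
REGISTER = [
    Risk("HR and SIS servers", "unauthorised physical access (server room never locked)",
         4, 5, "lock the room and log swipe-card entry", residual_likelihood=1),
    Risk("Fileserver", "direct Remote Desktop access alongside the freeware VPN",
         4, 4, "disable direct RDP; VPN with MFA only", residual_likelihood=2),
    Risk("All college data", "data loss between weekly backups to a single NAS",
         3, 5, "daily backups plus an offsite copy, with restore tests", residual_impact=2),
    Risk("Windows 8.1 desktops", "unpatched operating-system vulnerabilities",
         4, 3, "upgrade plan and network segmentation", residual_likelihood=2),
    Risk("Student USB drives", "malware on removable media (already scanned)", 2, 2),
]


def report(risks):
    """(asset, inherent score, decision, residual score, residual decision) per risk."""
    return [(r.asset, r.score(), treatment(r.score()), r.residual(), treatment(r.residual()))
            for r in rank(risks)]
```

Running `report(REGISTER)` ranks the unlocked server room, the exposed Remote Desktop access and the single weekly backup as the three "treat now" items, and shows the residual score each proposed control is assumed to leave.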