Assignment Brief and Guidance
Bombino is an international courier company well known as the most reliable delivery company in the world. A large number of high-profile businesses entrust Bombino to deliver their goods, including banks to deliver credit cards, e-commerce businesses to deliver goods of all types including high-value electronics, and governmental agencies like hospitals and embassies to deliver medication and documents respectively. Customers are offered an online service to track their shipments and request pickups. They can also pay for their
Bombino Datacentre located in Jordan. They have branches in France, Saudi Arabia, Egypt, and USA. As a standard, each branch has a warehouse that processes physical shipments using a conveyer system that sorts shipments by area. Besides that, there is the office area where HR, Account, IT and Management sit, next to a computer room that handles local shares, print servers and connectivity with the Jordan datacentre to access the main tracking system and accounting application. Lastly, there is a warehouse for item storage, with in/out requests received from customers for items to be delivered to their outlets.
Bombino is planning to move their main tracking application to the cloud in a hybrid model architecture (some other applications will still be hosted on premises). However, they have security concerns around the move of apps and data to a cloud provider after being hosted on premises for a long time.
You are hired by the management of Bombino as Information Security Risk Officer to evaluate the security-related specifics of its present system, provide recommendations on security and reliability improvements to that system, and plan the move to the cloud.
Part of your responsibilities is to ensure the confidentiality, integrity, and availability (C.I.A) of the data and related services; your responsibilities also extend to Safety (S), which is closely related to the nature of the industry you are in. You did a security check on most of the applications, systems, policies & procedures, and devices and noticed the following:
1- Not all existing devices (endpoints) within the offices are well secured.
2- One subnet is used for all devices in all monitoring stations.
3- Data processed by the conveyer system (related to the shipments) in each branch will be uploaded to the system on the cloud via an Internet connection and will be stored there in a database server for analysis and reporting. The transmission of data is done through a published web application over the Internet (front-end/back-end architecture). Such information should be highly secured since it is considered a matter of customer privacy and is protected by law and regulations.
4- Customers are able to create profiles on an online tracking system that is hosted on premises and is to be moved to the cloud. Such profiles contain some personal and private information that should not be disclosed to other parties.
5- When you checked the current data centre as well as the warehouse in each branch, you noticed that the door is easily opened. So, shipments, servers and networking devices are easily accessed by anyone.
You also noticed that the humidity and temperature inside the server room are not well controlled.
6- Some employees have VPN access to the data centre to run some applications remotely.
7- Some other third parties are granted VPN access for support reasons, like the companies that provided and installed the conveyer system.
8- Only very minor security procedures are taken by Bombino, and there are some misconfigurations on some network security devices like firewalls and VPN.
Your manager asked you to prepare a detailed report and a presentation regarding IT security for Bombino services and environment in general. The report is to be submitted to and discussed with the CEO to get approval for further security policy enforcement. In your report you should:
A. Discuss IT security risks that might put the customers’ and Bombino’s data in danger, taking into consideration all data situations (being entered, transmitted, processed, and stored). Your discussion should include:
1. Identifying those IT security risks from the points of view of 3 different business stakeholders (CFO, CEO, COO, CHRO, etc.).
2. Proposing a method to assess and present them to the 3 selected stakeholders.
3. Proposing a method to treat them.
B. Discuss risk assessment procedures.
C. Explain how you can take benefit of the ISO risk management methodology (ISO 31000) by summarizing it and highlighting its application in IT security of this project.
D. Recommend ways to improve Bombino IT security via:
1. Describing different security procedures that Bombino could apply to protect customers & business critical data and equipment.
2. Explaining data protection processes and regulations that might help Bombino to enhance IT security.
3. Discussing the benefits of an IT security audit and its impact on Bombino IT security.
E. Discuss, in detail, the security impact of any misalignment of IT security with Bombino policy.
F. Design and implement a security policy for Bombino.
G. Evaluate the suitability of the tools used in this policy.
H. Discuss the roles of stakeholders in Bombino in implementing security audit recommendations.
I. List the main components of an organisational disaster recovery plan, justifying the reasons for inclusion.
In your presentation, you should be able to cover the following in front of your manager:
1. Identify and discuss the potential impact of incorrect configuration of some network security devices on IT security.
2. Implementing different techniques in network security (such as DMZ, static IP and NAT). You should provide a detailed recommendation and explanation based on the scenario above for each technique showing how it will enhance security.
3. Discussing the benefits and justification of using a network monitoring system.
4. Evaluating a minimum of three physical and three virtual security measures that can be employed to ensure the integrity of IT security.