Aim Higher College has two primary datacenters on campus—the research datacenter

Question

Aim Higher College has two primary datacenters on campus—the research datacenter and the business datacenter. Due to budget and space limitations, the research datacenter is also used to house the backup systems for the business datacenter, resulting in business data being stored in both locations.

The research datacenter, shown in the diagram below, is typically left unlocked, as many students and faculty members use it for their work. The network infrastructure is not monitored, and the systems themselves are not required to be secured.

Recently, signs of after-hours access have been found in the research datacenter. Doors have been left open, lights have been on, and logins have been found on research systems. Logs indicate that local logins have been attempted on the business system consoles as well.

You have been working as a security analyst in the information security department at Aim Higher College for two months. Your manager asks you to propose a set of controls that will allow the use of the research datacenter for its intended purpose while protecting the business systems that reside there. What controls would you suggest, and why?

Write a brief security plan, labeling the diagram below, and describing what controls you would recommend, and why.

Self-Assessment Checklist

I have identified appropriate physical security controls.

I have identified administrative security controls.

I have identified appropriate technical security controls.

Length

The expected length for this assignment is 350-700 words.

Explanation / Answer

The wide use of computers in military and defense installations has long necessitated the application of'security rules and regulations.A basic principle underlying the security of computer systems has traditionally been that of' isolation-simply removing the entire system to a physical environment in which penetrability is acceptably minimized. The increasing use of systems in which some equipment components , such as user access terminals, are widely spread geographically has introduced new complexities and issues. These problems are not amenable to solution through the elementary safeguard of physical isolation.

In one sense, the expanded problems of security provoked by resource-sharing systems might be viewed as the price one pays for the advantages these systems have to offer. However, viewing the question from the aspect of such a simplistic tradeoff obscures more fundamental issues. First, the security problem is not unique to any one type of computer system or configuration; it applies across the spectrum of computational technology. While the present paper frames the discussions in terms of time-sharing or multiprogramming, we are really dealing not with system configurations, but with security; today's computational technology has served as catalyst for focusing
attention on the problem of protecting classified information resident in computer systems.

Security is everyone’s job. With simple issues like doors and access, implementing keycard access and alarms for doors that are left open is a good way to have limited access to secured areas. Utilize ID cards to enter the rooms so it can log who has been in and out of the rooms. Lights being left on are another issue that is simple to address. Lights need to be on an automatic energy saving timer. If there has been no activity in the room for 10 minutes, then the lights will go out and they will turn back on when someone enters the room or motion has been detected in the room.

Security controls applied to safeguard the physical equipment apply not only to the computer equipment itself and to its terminals, but also to such removable items as printouts, magnetic tapes, magnetic disc packs, punchcards, etc. Adequate DOD regulations exist for dissemination, control, storage, and accountability of classified removable items. Therefore, security measures for these elements of the system are not examined in this Report unless there are some unique considerations. The following general guidelines apply to physical protection.

    (a) The area containing the central computing complex and associated equipment (the machine room or operational area) must be secured to the level commensurate with the most highly classified and sensitive material handled by the system.

    (b) Physical protection must be continuous in time, because of the threat posed by the possibility of physical tampering with equipment and because of the likelihood that classified information will be stored within the computer system even when it is not operating.

    (c) Remote terminal devices must be afforded physical protection commensurate with the classification and sensitivity of information that can be handled through them. While responsibility for instituting and maintaining physical protection measures is normally assigned to the organization that controls the terminal, it is advisable for a central authority to establish uniform physical security standards (specific protection measures and regulations) for all terminals in a given system to insure that a specified security level can be achieved for an entire system. Terminal protection is important in order to:

        Prevent tampering with a terminal (in stalling intelligence sensors);

        Prevent visual inspection of classified work in progress;

        Prevent unauthorized persons from trying to call and execute classified programs or obtain classified data.

Related Questions

Navigate

• Browse (All)
• Browse A
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.