Case study
You have recently been appointed as the new IT risk manager of a countrywide online trading business called DirectToCust which sells items directly to the public. Its headquarters are located in Cape Town, in the Western Cape and has warehouses in Gauteng, KZN, and the Free state. The company employs over 200 call centre agents and about 10 business managers for both inbound and outbound transactions and logistics. They work both day and night shifts in an open-plan workspace of around 40 x 38 m with each agent having their own desk, networked computers and essential office stationery to conduct business.
Most, if not all, call centre agents’ desktop PCs are connected to a local network using Ethernet cabling while most line managers’ laptops are wirelessly connected to enable free movement around the premises. All the servers, switches, router, gateways, firewalls, etc., are located at the adjacent IT office and maintained by one network administrator and six support technicians (four dayshift and two nightshift), the company opted for software-as-a-service, through various cloud computing service provider for all their software needs and therefore the presence of IT personnel is for day-to-day business support only.
Before your recruitment, the company was experiencing a couple of complaints such as:
1.Theft of personal belongings during working hours.2.The network policy can be amended by IT support team without the knowledge of the IT administrator.
3.Employees spending more time on social media than working.
4.Theft of customers’ details for own and commercial use, using USB and other portable storage.
5.Infected and corrupted employees and customer database.
6.The local IT team often experience issues when communicating with the overseas cloud service provider team.
7.All employees must change their password every week, and as a result, many employees who cannot memorise their new password simply write them down for safekeeping.
8.Regular firewall breaches were observed during the last couple of months and resulting to bottleneck and unauthorised access.
9.Some employees can easily guess their colleague password to login.
10.The website was recently hacked, disfigured and propaganda message posted, and it took the local IT team 48 hours to take back control of the website.
11.Misappropriation of business funds by some employees.
Easy access to the server room and malicious reconfiguration of proxy-server mostly during nightshift.
13.Managers unable to monitor employer activities live.
14.Poor financial accountability and traceability; all managers are able to edit log files without authorisation.
15.Information and communications were being hijacked or looked into before reaching their destination.
Question 1(Marks: 50)
Using the knowledge and expertise you have accumulated from the above case study information, answer the following questions.
Q.1.1 In a 10-line paragraph, briefly explain the overall of IT security and why it is important to always align IT/IS strategy and business strategy.(8)
Q.1.2Exploring the role and importance of the commission for the investigation of abuse of authority (CIAA) within an enterprise, and on a scale of 1 to 10, how do you rate Direct To Cust data security approach and implementation?(8)
Q.1.3As the new DirectTocust IT risk manager, how will you balance the right of staff privacy, the company network and physical security?(8)
Q.1.4The use of Adhocnetwork as presented above presents other security challenges; explain how you will make sure that wireless connectivity does not lead to network breaches.(8)
Q.1.5As the new DirectTocust IT risk manager, how will you protect the information and communications from being looked at during transmission before they reach their respective destinations?(8)
Q.1.6Based on the above case study, demonstrate how internal IT and network risk policies can play an important role in combating staff’s lack of organisational compliance. (10)
Question 2(Marks: 50)Write a report which, if implemented, will address all the issues identified in the case study. The report must have the following structures:
Q.2.1Your report must be structured in the following approach.
Q.2.1.1Executive summary.(5)Q.2.1.2Background (case study’s IT security issues only).(5)
Q.2.1.3Development of the proposed solution. (5)Q.2.1.4The role of IT risk manager in addressing physical and network risk.(5)
Q.2.1.5The best methods of combating network-based attack.(5)
Q.2.1.6The impact of social engineering when combating network security.(5)
Q.2.1.7The most appropriate mechanism in implementing network access authentication and authorisation without compromising network security. (5)Q.2.1.8The implementation of the best strategy to fight against hacking, hijacking and maintain the online presence.(5)
Q.2.1.9The most appropriate location and strategy for the DMZ and firewall implementation.(5)
Q.2.1.10Conclusion.(5)[TOTAL MARKS: 100]
