Operations and Quality Management
Specifically, this calls for segregating the rights to view and manipulate data according to the seniority of the user or the relevance of the data to that user. From an information technology perspective, the task is to apply rights to groups of users who share the same level of data accessibility and usage rights. The simplest example of such relevance-based segregation is when two users share a file, one of whom can only read the data while the other can modify it. Essentially, building groups of users with permissions restricted to their job description is the most effective method of managing data and ensuring that its integrity and usage are not violated. This paper discusses in detail the policies and methodologies that IT managers and administrators can use to control how the employees of an organization access and use data.
The environment is assumed to be that of a company employing 12 workers who need access to the network resources. These workers fall into three categories: sales, offices and design team, each structured at two different levels. This makes a total of six different user groups, each with its own level of permission relating to the kind of data it can access and the functions that can be performed on that data.
Task A
The primary task for the system administrator would be to create user accounts for 13 persons on the domain. This would include the 12 workers and an Administrator account. The Admin account will have all rights granted, while the 12 workers will be divided into three user groups depending upon their job roles.
The next step would be to create user groups by accessing the domain through the Administrator account. The three groups would be created as follows:
Sales
Offices
Design Team
The three groups would have four workers assigned to each of them. The sales team would have four workers, of whom two would have managerial status and the other two entry-level status. The basic distinction between these two sub-groups is that managers view the top level of data from a managerial decision-making perspective. The entry-level workers would be able to enter data into the system and make changes to it as long as the files have not been closed by the managers.
However, the manager-level workers would be able to view reports and analytical views of the data entered into the system so that they can draw meaningful output from it. The catch here is to create six sub-groups belonging to three major groups with segregation of roles.
It is, however, not very advisable to make six sub-groups of users, each with limited access to data in its own domain. In this era of increasing competition and collaboration, it has become necessary for data to be available to managers from many domains and areas. Thus, it is necessary for the managers of the sales department to have access to a certain amount of offices data, with the ability to view it and make decisions using it rather than to modify it. This requires the following user groups to be created:
Group 1: Managerial access to sales, offices and design team data.
Group 2: Data entry level access to sales data.
Group 3: Data entry level access to offices data.
Group 4: Data entry level access to design team data.
While there will be six employees in Group 1, there will be two workers in each of the other three groups, who will have different controls at the domain level to enforce user access rights and permissions.
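The four-group model above can be written as a deny-by-default permission table. This is an added example, not part of the original paper; the group identifiers, the action names (view, report, enter, modify, close) and the helper functions are assumptions made for illustration.

```python
from dataclasses import dataclass, field

DEPARTMENTS = ("sales", "offices", "design")
# Group -> {department: allowed actions}. Anything not listed is denied.
GROUP_RIGHTS = {
    "group1": {d: {"view", "report", "close"} for d in DEPARTMENTS},
    "group2": {"sales": {"view", "enter", "modify"}},
    "group3": {"offices": {"view", "enter", "modify"}},
    "group4": {"design": {"view", "enter", "modify"}},
}
WRITE_ACTIONS = {"enter", "modify"}

@dataclass
class DataFile:
    department: str
    closed: bool = False  # set when a manager closes the file

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

def is_allowed(user, action, data_file):
    """Return True only if one of the user's groups grants the action."""
    if action in WRITE_ACTIONS and data_file.closed:
        return False  # a closed file no longer accepts entry or changes
    return any(
        action in GROUP_RIGHTS.get(g, {}).get(data_file.department, set())
        for g in user.groups
    )

def close_file(user, data_file):
    """Managers close a file; afterwards entry-level edits are refused."""
    if not is_allowed(user, "close", data_file):
        raise PermissionError(f"{user.name} may not close this file")
    data_file.closed = True

def segregation_violations(users):
    """Names of users who hold Group 1 together with a data-entry group."""
    return sorted(u.name for u in users
                  if "group1" in u.groups and len(u.groups) > 1)
```

Running segregation_violations over the full account list after every membership change catches an account that has drifted into both the managerial and a data-entry role.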
Task B
The best practice for username selection on a domain is to use a standard; the standard could be variable but has to be consistent. The company could use a policy of combining the first name and last name with a dot in between to form the username of the employee. That way most usernames would be unique unless two employees happen to have the same first name and surname. The chances of such repetition amongst twelve employees are remote but not impossible. In such a case, the employee who joined the organization later would have a two-digit number of their choice appended to the username to differentiate and personalize it. Example:
Two workers with the name John Smith (a relatively common name) could have the following usernames:
John.Smith
John.Smith12
The domain usernames would function on the email DNS as well. This means that the John Smith in context would have the email address John.Smith@domain.com. Password policies would be put in place such that the minimum size would be 8 characters. The following controls would be put into place:
Minimum password length
Password change intervals
Use of special characters (e.g. prohibited passwords, required letter/number/special character combinations)
Minimum number of unsuccessful access attempts (Account lockout)
Password resets.
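The password controls listed above, as an added example that is not part of the original paper. Only the 8-character minimum comes from the text; the 90-day change interval, the lockout threshold of 5, the prohibited-word list, case-insensitive usernames and all function names are assumptions.

```python
import re
from datetime import timedelta

MIN_LENGTH = 8                      # stated on the page
MAX_AGE = timedelta(days=90)        # assumed change interval
LOCKOUT_THRESHOLD = 5               # assumed failed-attempt limit
PROHIBITED = {"password", "welcome", "qwerty"}  # constructed sample list

def password_problems(username, password):
    """Return the policy rules a candidate password breaks (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("needs letter, number and special character")
    lowered = password.lower()
    if any(word in lowered for word in PROHIBITED):
        problems.append("prohibited password")
    # Usernames follow First.Last[NN], so both name parts are guessable.
    parts = [p for p in re.split(r"[.\d]+", username.lower()) if len(p) >= 3]
    if any(p in lowered for p in parts):
        problems.append("contains part of the username")
    return problems

def must_change(last_changed, today):
    """True once the password is older than the change interval."""
    return today - last_changed > MAX_AGE

class LockoutCounter:
    """Tracks consecutive failed logons; usernames compared case-insensitively."""
    def __init__(self):
        self.failures = {}

    def is_locked(self, username):
        return self.failures.get(username.lower(), 0) >= LOCKOUT_THRESHOLD

    def record(self, username, success):
        """Record one logon attempt; return True if the account is locked."""
        key = username.lower()
        if self.is_locked(key):
            return True             # a correct password must not unlock it
        self.failures[key] = 0 if success else self.failures.get(key, 0) + 1
        return self.is_locked(key)

    def reset(self, username):
        """Administrator password reset clears the lockout."""
        self.failures.pop(username.lower(), None)
```

Because usernames are derived from real names, the username check matters more here than under a scheme with opaque account IDs.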
Printing rights would only be assigned to Group 1 users, owing to the sensitivity of the data. The other groups would not be allowed direct printing; print commands for them would be sent by the Administrator after authorization by the respective Group 1 head. The organization would enforce a system of safeguarding personal privacy by ensuring that employees take care of their usernames and passwords. Confidentiality would be an element of the organizational culture, and accountability would be a strong principle used to determine the impact of employees' actions.
Task C
The following policies and controls would be implemented at the domain level:
Control description: The organization has controls in place to ensure proper management of data access settings (e.g., data file permission).
Procedures to test the operating effectiveness: Examine authorization and permissions on critical data files and directories of each relevant application.
Direct Data Access: Determine that security policies and procedures for direct data access (i.e., access bypassing application controls) have been designed and are reviewed.
Organizational Segregation: Determine that the established organizational segregation of duties is maintained within the IT environment.
Security Logs: Determine that procedures are in place to log security activity and identify potential violations.
Monitoring of Logs: Check that security logs and user activity logs are indeed continuously monitored in accordance with the defined procedure and, if applicable, that violations are properly acted upon/escalated. Review system configuration settings to check if auditing is being carried out at domain and application level.
Powerful System Level IDs: Access to powerful system level IDs (i.e., root, system administrator, security administration IDs, database administration IDs) for in-scope systems is appropriately restricted to personnel based on their job function. All access to powerful system level IDs is logged and recorded for appropriate review.
Change Management: Inquire of System Administrator regarding whether Operating System and infrastructure changes are approved by appropriate IT Management prior to implementation in production and whether the documentation and approvals are retained. Inspect Change Request Form for Operating System and infrastructure changes to determine whether approvals are documented in the form.
User Acceptance Tests: Inquire regarding whether user acceptance testing is performed prior to implementation in production.
Evaluating User Acceptance Tests: Inspect UAT and determine whether user acceptance testing was performed and sign-offs indicating successful testing were obtained prior to implementation.
Test Environment: Inquire of IT Management and Application Administrator for Application Name System Infrastructure regarding whether the firm maintains a test environment separate from production where Application Name System Infrastructure changes are tested.
Test Environment Execution: Inspect production and test environments for the in-scope applications to determine whether a test environment separate from production is used for the execution of testing program changes.
Migration of Data: Inquire as to the entity's process for migrating changes to the production environment. Inspect the list of change management personnel authorized to implement changes to production libraries/directories and determine whether the listed users are appropriate.
Recording of Change Management and Data Migration from the Production Environment: Inspect relevant documentation for each selected change to determine whether changes were recorded and properly authorized prior to migration to production.
Backups: Backup media is stored in a secure area in the data center before being moved to offsite storage. Backups are sent to a facility that is sufficiently remote from the client location, and the ability to recall backups is limited to authorized personnel.
Disaster Recovery Protocol: Determine that a BCP, BIA and DRP have been made and review their content. Assess whether the issue of testing the BCP once a year has been addressed.
Disaster Recovery Protocol Testing: Review the content of BCP, BIA and DRP for appropriateness. Review test results of BCP tests that have been performed. Determine that a test is performed on a yearly basis.
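The log-monitoring and powerful-ID tests above, as an added example that is not part of the original paper. The log layout, the account names and the access list are constructed for illustration and do not correspond to any real system's log format.

```python
from datetime import datetime

# Constructed access list: privileged ID -> persons authorised by job function.
AUTHORISED = {
    "root": {"alice.admin"},
    "dbadmin": {"alice.admin", "bob.dba"},
}

# Constructed log in an assumed "timestamp person privileged_id action" layout.
SAMPLE_LOG = """\
2024-05-02T09:14:03 alice.admin root logon
2024-05-02T11:40:51 bob.dba dbadmin logon
2024-05-03T02:17:29 carol.sales dbadmin logon
2024-05-03T02:19:02 bob.dba root logon
2024-05-03T08:00:00 bob.dba secadmin logon
truncated entry
"""

def review_privileged_access(log_text, authorised):
    """Return (line number, finding) pairs that need follow-up or escalation."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            stamp, person, priv_id, _action = line.split()
            datetime.fromisoformat(stamp)
        except ValueError:
            # A damaged entry is itself a finding: a gap in the log is not
            # evidence that nothing happened.
            findings.append((lineno, "unparseable entry"))
            continue
        if priv_id not in authorised:
            # A privileged ID in use that nobody has been assigned to review.
            findings.append((lineno, f"{priv_id}: ID missing from access list"))
        elif person not in authorised[priv_id]:
            findings.append((lineno, f"{person} not authorised for {priv_id}"))
    return findings

if __name__ == "__main__":
    for lineno, finding in review_privileged_access(SAMPLE_LOG, AUTHORISED):
        print(f"line {lineno}: {finding}")
```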