3. 3
Security Policy Workstations & Domains……………………………………………………………………..46-53
Server Security Policy…………………………………………………………………………………………..54-60
Disaster and Recovery Policy………………………………………………………………………………….61-67
Client Configuration……………………………………………………………………………………………..68-69
Test Plan…………………………………………………………………………………………………………70-71
Back up Policy…………………………………………………………………………………………………..72-75
System Lockdown………………………………………………………………………………………………76-79
Computer Training Policy………………………………………………………………………………………80-82
Mobile Computer Policy………………………………………………………………………………………..83-88
Hardware Description………………………………………………………………………………………….88-100
Software Description…………………………………………………………………………………………101-104
Conclusion………………………………………………………………………………………………………….105
4. 4
Project Description
Our purpose is to provide high quality network and hardware solutions for Nature’s best. First thing we
will do is provide a budget plan for the labor and materials for the project. Next we will be setting up the
hardware and software in the main headquarters which will include the cabling, workstations, servers and
the call center. We will then move onto the four branches,each branch will be set up the same way with a
file/print server,two high speed network printers/copiers/scanners, fax machine, voice messaging and ten
workstations. The design should ensure sufficient system capability and capacity to provide a centralized
solution and provide a proportionate network infrastructure which will provide a data storage solution for
the branch offices. All client information and services will be hosted at the Brea office central
headquarters.
Project Objectives
Network Guardians objective is to provide state of the art IT Equipment and solutions to our
clients to ensure a cost effective network infrastructure and meet the requested timeline of the
engineered design for the company. Also help meet the company expectation for expansion. Each
retail store personnel will have one administrator, two to four cashiers and four to five stockers.
While the headquarters will house a president, officers, receptionist, IT department and 75
warehouseman and the call center will have 20 agents and one to two supervisors. We will
implement hosting for data communications and data storage within the Brea Headquarters with
consideration for growth expectations within each retail outlet.
This project will meet the following objectives:
Improved Network Capability
Improved Network Infrastructure for High Speed/low bottleneck chances
Backup & Recovery Plan/ Business Continuity plan
All hardware and software will adhere to laws, regulations and codes
Implement Voice-to-Pick System for improved picking rate and speed.
Implement (WMS) software to improve overall Warehouse Performance & Productivity
Design for Growth Expectation
Project Scope
The scope of this project includes and excludes the following items:
In Scope:
Implement a Security, Disaster Recovery, and Risk Analysis compliant by the PCI-DSS. Setup
network infrastructure and connectivity for each retail store. Provide off-site storage solution for
backups and easy data access back to the retail branches.
5. 5
Modernize IT Hardware & Software.
Ensure sufficient system capability and capacity for all 4 retail locations to provide centralized solution
for data storage and management.
Training of current IT staff to maintain the newly implement network
Implement call center in the Brea California Headquarters.
Out of Scope:
Design of new conveyer belt
Removal of obsolete equipment & Software
Responsibility of Physical security of Headquarters and (4) retail store buildings
Major Deliverables Produced:
Finalize Charter with approval
Finalize Network Layout with approval
Complete testing of Hardware & Software with no failures
Finalize implementation of the Network Infrastructure & Go live
Stakeholders:
The impact of this project on other organizations needs to be determined to ensure that the right people
and functional areas are involved and communication is directed appropriately.
Stakeholder How Are They Affected, or
How Are They Participating?
Internet Service Providers
Ensure there is enough Bandwidth to
accommodate the network
Network System Administrator
Over sees the network services and
maintenance is working properly.
IT Department
Responsible for monitoring the network
infrastructure.
6. 6
Employees
Will be using the workstations to process orders
and use the Network services.
Supervisors
Oversees function of the Warehouse are met
and supervise employment
Truck Drivers
Responsible for shipping orders to retail stores in
a timely manner
Call agents Responsible for Customer service inquiries
Food Manufactures Manufacturer of food products to the Company
Back Haul Contractors Provides backhaul loads for Truck Drivers
Requirements:
Access for employees and faculty personnel to network services.
Implement fully functional servers that host banking software that track clients, demographics,
accounts, and statement information that also hosts business management applications for
accounting, HR,and other asset- management tools and also provide necessary network services
for Active Directory, DNS, and DHCP,and online ordering.
VoIP Phone service (Cisco)
Voice messaging with forwarding services
Network devices for LAN and Wan connection (router, firewall, switch etc.)
Portable scanning devices to update shelf/stock inventory
Implement 10 workstations at each retail store.
Design for expansion
Acceptance Criteria:
Requirement will be first drafted and viewed by Senior IT management that all requirements are
met for Nature’s Best Corporation to implement the network infrastructure.
Once approved by Senior IT network Administrator that all requirements are met we will escalate
to the Owner(s) of Nature Best for final approval.
7. 7
Project Estimated Effort/Cost/Duration
Estimated Cost: $587,474.75
Estimated EffortHours: 2500 Hours
Estimated Duration: 3 Months and 12 days
Milestone
Projected
Completion
Date
Deliverable(s) Completed
Project Planning 12/17/14 Project Charter
Schedule
WBS Dictionary, WBS Diagram 1/7/15 Provide work WBS
WBS Tree Structure
Budget Bill 1/14/15 Estimated Cost
Hardware/Software/Labor
Quality & Change Plans 1/21/15 Create Quality & Change
Plans
Risk Management Plan 1/28/15 Create Risk Management
Design Network Infrastructure 1/28/15 Blueprint of Network
Final review of approval by
Nature’s Best President
2/1/15 Approval to implement
Network Design
Start work cabling of buildings 2/15/15 Interior wall cabling of Cat6
Servers installed and tested 2/20/15 Installed servers and
working with no failures
Workstations installed and tested 3/1/15 Printers, workstations, and
stations working properly
and on appropriate network
segments
Hand over system to client/Go Live 3/5/15 Train IT on the system/Go
Live
8. 8
Project Assumptions
Certain assumptions and premises need to be made to identify and estimate the required tasks and timing
for the project. Based on the current knowledge today, the project assumptions are listed below. If an
assumption is invalidated at a later date, then the activities and estimates in the project plan should be
adjusted accordingly.
Initial configuration and updates may cause a delay
Delays due to initial hardware/software upgrades
Assuming that we will be doing this when the company is down for implementation stage
Project Risks
Project risks are characteristics, circumstances, or features of the project environment that may have an
adverse effect on the project or the quality of its deliverables. Known risks identified with this project have
been included below. A plan will be put into place to minimize or eliminate the impact of each risk to the
project. The specifics of each risk area are outlined in the Risk Management Plan.
Risk Area
Level
(H/M/L)
Risk Plan
1. Communications Breakdown M Make sure everyone knows and understands
their duties.
2. Over Budget of project L Stay cost efficient for the project
3. Hacked H Secure networks and firewalls
4. Employee turnover (Project Member) M Have confidence in yourself and other members
in your project.
5. Parts on Back order M Inform client, Review timelines, Change
documentation
6. Employees getting sick L Reshuffle work schedule with employees to
complete the task.
7. Natural Disaster M Evaluate the situation / Brainstorm a solution
Project Constraints
The project manager should be aware of constraints because they refer to limitations that the project must
execute within.
Budget
Date Deadlines
Server Room Access
Hardware/Software Limitations
Time
9. 9
Project Dependencies
Project Date Due Deliverable Dependency
Budget 2/1/15 Approval for Budget from Nature’s Best
Company Owner(s)
Meet Project Deadline 3/4/15 Meet Deadline to ensure company
needs are met.
Project Approach
Initiation
Planning
Installation
Implement Hardware
Implement Software
Testing Hardware/Software
Finalize
Go Live
Project Organization
An appropriate project organization structure is essential to achieve success. The following list depicts the
proposed organization:
Project Sponsor: Mr. Hale
Project Manager: Joseph C. Douglas (Financial Advisor)
Project Member: Charles Spencer (IT Technician, Technical Advisor)
Project Member: Randolph Gallegos (Head IT Technician, Technical Writer)
Project Member: N/A
Communication Plan:
Have meetings on project progress once a week
Progress meetings outside of class,LRC optional meeting location
Communicate via email, in-class, phone
Share files via flash drives
Team Contact Information
Joseph C Douglas jd@gmail.com
Randolph Gallegos Randy@gmail.com
Charles Spencer Spencer@gmail.com
10. 10
Project Guidelines:
Complete all tasks with Quality
Complete all task on time
Communication on all levels
Project Approval
______________________________________ ___________________
Project Sponsor — [insert name] Date
______________________________________ ___________________
Project Manager – [insert name] Date
______________________________________ ___________________
Project Member — [insert name] Date
______________________________________ ___________________
Project Member — [insert name] Date
______________________________________ ___________________
Project Member — [insert name] Date
______________________________________ ___________________
Project Member — [insert name] Date
12. 12
Table of Contents
Purpose and Scope 2
Risk Plan Objectives 2
Deliverables Produced 2
Deliverables 1 2
Deliverables 2 2
Deliverables 3 2
Project Risks 3
Risk 1 3
Risk 2 3
Risk 3 3
Disaster Recovery Plan 3
Types of Teams 3
In Event of a Disaster 3
Recovery Scenarios 3
Recovery Activities 3
13. 13
Purpose and Scope
The purpose of this is to address multiple areas of concern from the User Domain and
the Work Station Domain to Disaster Recovery. To identify the risks we look at the User Domain.
The risks here are a User opens an email with a virus and it affects the system or maybe he tries
to mess with certain areas of the network where he has no knowledge. To mitigate and prevent
this employee’s should only be able to open work related emails from a work email, meaning no
personal email access.
Risk Plan Objectives
Objective 1: Describe what Unisys Stealth can do for the company
Objective 2: Show our concern with risks to your systemand Mitigate or Prevent
Objective 3: Give a sound Disaster Recovery Plan for the Company
Deliverables Produced
Deliverables 1: For the security side, I would like to introduce Unisys Stealth. This is a company
and a program that when active it hides your network from any and all outside access. It also
has a Disaster Recovery option where all your information is stored in a cloud like server and in
the event of a Disaster that causes or destroys any of your building, you can quickly set up that
buildings information in a new area anywhere you need to or are able to
Deliverables 2: Mitigation or Prevention of all most all risks to the User and Work station
Domains.
Deliverables 3: A sound Disaster Recovery Plan and The ability to relocate when needed
14. 14
Project Risks
Risk 1: Risks to the User Domain can cause problems with the network and/or allow hackers to
get into your systems and cause damage or steal information. A user opens an email from yahoo
or Gmail and that email has a virus attach to it. An out of date virus scanner may not detect
threat and it infects your system. I offer Unisys Stealth and Bit defender. Unisys protects your
system from outside threats and creates a sound disaster recovery plan and Bit defender will
scan all outside and inside emails for virus and erase them before infection
Risk 2: Work Station Domain’s software has to remain up to date at all times. In today’s world
only an up to date virus scanner can detect virus and prevent them from getting into your
system. Bit Defender is a good prevention tool to use for your work stations and will stop if not
prevent access of worms or virus’s
Risk 3: Disaster Recovery will help the company when something unexpected happens and no
time was given. Unisys Stealth steps in and helps with the recovery by giving you the ability to
relocate your building anywhere that’s safe or even further.
Disaster Recovery Plan
Types of Teams: IT Admin and Unisys Stealth Hardware
In Event of a Disaster: IT Admin from another area will log into the Unisys information
and within that day have relocated the company buildings information into a new area
Recovery Scenarios:
Minor Damage Scenario – In case of minor damage, such as fired cables or damage to
hardware
Action Plan – Replace Damage component
Major Damage Scenario – For Major damage such as fire to the server room or a breach
in the system
Action Plan – Unisys Covers any major damage scenario with back up to the cloud and
the ability relocate that information to anywhere else within that day, this type is
covered
Recovery Activities: IT Admin logs into the Unisys Stealth and recovers the information and
relocates it to where ever else they may need
16. 16
Purpose and Scope
The purpose of the plan is to set forth a coordinated approach to addressing the quality
assessment and process improvement within the project scopes and goals for Nature’s Best New
Network Infrastructure. The scope is to ensure quality Hardware & Software along with testing of
proper implementation of the product.
Quality Plan Objectives
All hardware and software will adhere to laws, regulations and codes.
Monitoring the quality work of the project.
Staying committed to the Quality Assurance of the project.
Develop an effective plan and processes, including quality assurance and quality control
procedures, to achieve objectives.
Deliverables Produced
To implement at each retail store One file/print server Two high-speed network
printers/copiers/scanners Fax machine Voice messaging with forwarding services Ten
workstations at each location Network devices that support the LAN and WAN
connection—router, firewall, switch and Cisco VoIP phone service.
The corporate headquarters will have an application server hosting banking software
installed to track all clients, demographics, accounts, and statement information A
separate server that hosts business management applications, such as accounting, HR, and
other asset-management tools A separate server that provides necessary network services,
such as Active Directory, DNS, and DHCP A Web server(s) for online ordering network
connection—router, firewall, switch Email service provided by an external provider and
accessible via email client software and/or Web access One file/print server. Three
network printers/copiers/scanners Cisco VoIP phone service.
Identify Metrics:
Define test and quality objectives for the project.
Monitor progress towards the goals that are set.
Will monitor time spent on fixing error and defects during user acceptance tests, defects
found in production after implementation.
17. 17
Test Checklist:
Perform independent technical review, management oversight, and verification to ensure
that quality objectives are met.
Check performance and Customer Quality Objectives performance measures thresholds to
verify that performance will accomplish Quality Objectives and to verify sufficiency of
the plan. Share findings with all project stakeholders to facilitate continuous
improvement.
Results:
Improved Network Capabilities.
Improved Network Infrastructure for High Speed/low bottleneck chances.
Overall Quality Assurance and Objectives met.
19. 19
Purpose
The purpose of the change management plan is to communicate any changes that need to
occur during the entire project. This plan will show how Network Guardians will ensure for a
seamless and beneficial change.
The Goals of Network Guardians plan is:
1. The project is changed to fit the scope of the project.
2. To make sure that changes are followed approved, documented and implemented.
3. To ensure the change is necessary and reasonable.
4. Changes are communicated to all parties.
Responsibilities for the change management plan:
1. Network Guardians is responsible to generate the change management plan.
2. The change management plan will be implemented into the project plan.
3. Make sure that there is enough founding for the change and obtain approval to
implement the change.
4. Network Guardians is responsible for the completion of the change management
plan in the time estimated.
5. The change management plans will be approved by Nature’s best and
communication of the implementation of the plan.
20. 20
Change management Frame
The project manager Joseph Douglas will have the responsibility of allocating the
execution of the change management plan. Joseph will also be the one who is in charge of the
communication of the plan and will be in charge of making sure the change management plan
will stay on course as according to the scope of the project. These steps will take place in order to
complete the task:
1. Recognize the change needed to be made and log the request for change.
2. Assess the change, inspect the change to the project plan, and allocate the work
needed to be done and the estimated time of the change to the project plan.
3. Ascertain the risk of the change and how the impact is going to change the project
plan.
4. Collect the change approval from Nature’s best. This will consist of possibly
negotiations of the plan in parts, scheduling and communicate all changes to all
parties.
5. Implement the change into the project plan. Will stay on site throughout the
project to make sure that the team stay’s within the scope of the new changed
plan.
21. 21
Change Management Scope
The scope to the change management will be followed to manage the project scope. The
details of change management, allocates responsibilities and will tell the team what needs to be
done, tools possibly needed, equipment possibly needed, and the documentation of all parts to the
change including the schedule. In short, the processes for this change management scope are:
1. Communicate with stakeholders about changes needed and document the wants
needs and constraints of the stakeholders.
2. Change the needs into high-priority requirements to equipment; make sure that the
new high-priority requirements to gain a better network.
3. Check with stakeholders when the change has been identified.
4. Verify the change is the change has been made and communicate that with the
stakeholders throughout the different parts of the project. Make sure that the end
product matches the scope of the plan and meets up to code.
5. Follow the process of the change management plan to manage modification’s and
additions to the plan, will stay on schedule
22. 22
Schedule Change Plan
In the documentation of the change management plan, the changes that need to be made
to the plan that might change plan’s schedule will be specified.
Cost management of the change plan
The cost for the change management plan will be specified in the documentation of the
plan. The change cost will be specified, and what conditions need to be made will also be
specified. If the projected cost of the change doesn’t meet the needs for the project plan
negotiations will be documented.
24. 24
1.0 Nature’s Best Project
1.1 Initiation
1.2 Recommendations
1.3 Develop Charter
1.4 Submit Charter
1.5 Sponsor Reviews Charter
1.6 Charter Signed/Approved
2.0 Planning
2.1 Create Scope Statement
2.2 Determine Project Team
2.3 Team Plan Meeting
2.4 Implement Project Plan
2.5 Submit Project Plan
2.6 Project Plan Approval
3.0 Installation
3.1 Installation Planning
3.2 Installation Development System
3.3 Installation of live system
3.4 Test all installation
4.0 Hardware
4.1 Hardware Requirements
4.2 Hardware Testing
4.3 Validate User Requirements
4.4 User Training
5.0 Software
5.1 Software Requirements
5.2 Software Testing
5.3 User Training
6.0 Project Management
6.1 Planning
6.2 Budget
6.3 Meetings
6.4 Risk Management
6.5 Update Project Management Plan
7.0 Finalize
7.1 Update files/Records
7.2 Document Lessons learned
7.3 Audit Procurement
25. 25
7.4 Gain Formal Acceptance
Dictionary
Level WBS Code WBS Code Definitions
1 1.0 Nature’s Best
Project
Plan and Design a Network Foundation for Nature’s
Best Headquarters.
2 1.1 Initiation The work to Initiate the Project.
3 1.2 Recommendations Working Group to make a solution and
Recommendations for the project.
3 1.3 Develop Charter Project Manager Implements a Project Charter.
3 1.4 Submit Charter Project charter is given to the sponsor.
3 1.5 Sponsor Reviews
Charter
Project Sponsor Evaluates the charter.
3 1.6 Charter signed &
approved
Project Sponsor signs the charter to forward
authorization for the planning process.
2 2.0 Planning The work for the planning process of the project.
3 2.1 Create Scope
Statement
Project Manager to create a scope statement.
3 2.2 Determine Project
Team
Project Manager Determines the team and
resources needed for the project.
3 2.3 Team Plan
Meeting
Meeting for the Project plan with members working
on the project.
3 2.4 Implement Project
Plan
Project Manager directs and team develops the
project plan.
3 2.5 Submit Project
Plan
Project plan gets submitted for approval by the
Project Manager.
3 2.6 Project Plan
Approval
Plan is approved and Project Manager can proceed
to implement the project plan.
2 3.0 Installation Installation for Modern IT Hardware and Software
3 3.1 Installation
Planning
Plan start date and end date of installation
3 3.2 Installation
Development
System
Installation of development system for testing and
customizing of user interfaces.
3 3.3 Installation of Live
System
Actual systemis installed and configured
3 3.4 Test all
Installation
Tests done to ensure proper functions of
installation
2 4.0 Hardware Computer, Printers, cabling, phones, computer
hardware for project.
26. 26
3 4.1 Hardware
Requirements
Required hardware for project according to budget
and topology used.
3 4.2 Hardware Testing Tests done for quality of installation.
3 4.3 Validate User
Requirements
Original user requirements are reviewed and
validated with the users.
3 4.4 Users Training All users will receive training class on new
hardware.
2 5.0 Software Programs and applications for the computers,
workstations etc.
3 5.1 Software
Requirements
Required software for project according to budget
and topology used.
3 5.2 Software Testing Test done for quality of installation.
3 5.3 User Training All users will receive training on new software.
2 6.0 Project
Management
Overall Management of the project.
3 6.1 Planning Overall Plan to implement the project.
3 6.2 Budget Maintain a cost efficient budget for the bid.
3 6.3 Meetings Manager and project members group to discuss
project issues and goals for success.
3 6.4 Risk Management Risk management efforts to avoid any unacceptable
risks or failures.
3 6.5 Update Project
Management
Updates on the project as it progress.
2 7.0 Finalize The work to finish the project.
3 7.1 Update files &
Records
Files and records are update to reflect the Nature’s
best network infrastructure and design.
3 7.2 Document
Lessons learned
Manager and project members document lesson
learned for throughout the project.
3 7.3 Audit
Procurement
Audit for all hardware and software procured for
the project, to be sure that all procured products is
accounted for in the project.
3 7.4 Gain Formal
Acceptance
Project Sponsor accepts and signs the acceptance
document included in the project plan.
27. 27
Nature’s Best Project
1.0
Initiation
1.1
Planning
2.0
Installation
3.0
Finalize
7.0
Project
Management
6.0
Software
5.0
Hardware
4.0
Hardware
Requirements
4.1
Recommendations
1.2
Develop Charter
1.3
Submit Charter
1.4
Sponsor Reviews
Charter
1.5
Charter signed/
approved
1.6
Nam
e
Title
Create Scope
Statement
2.1
Determine Project
Team
2.2
Team Plan
Meeting
2.3
Implement Project
Plan
2.4
Submit Project
Plan
2.5
Project Plan
Approval
2.6
Installation
Planning
3.1
Installation
Development
System
3.2
Installation of live
System
3.3
Test all Installation
3.4
Hardware Testing
4.2
Validate User
Requirements
4.3
User Training
4.4
Software
Requirements
5.1
Software Testing
5.2
User Training
5.3
Planning
6.1
Budget
6.2
Meetings
6.3
Risk Management
6.4
Update Project
Management Plan
6.5
Update files/
Records
7.1
Document
Lessons Learned
7.2
Audit Procurement
7.3
Gain Formal
Acceptance
7.4
29. 29
VPNConnectionVPNConnection
Headquarters/NTB.COM
Domain
Domain
OUITDept. OU/HRDept. OU/Accounting.Payroll
User User
User
Computer Computer
Computer
LABranch/LANTB.COM
Domain
Group Group
Group
Group
NYBranch/NYNTB.COM
Domain
Policy Policy Policy
SeattleBranchStore/SNTB.COM
Domain
Contact Contact
Contact
Authentication
Server
CertificateTemplate
User Computer
User Computer
User
Computer
OrlandoBranchStore/ONTB.COM
Domain
User
Computer
Domain
Sitelinkbridge
File/Print
Server
File/Print
Server
File/Print
Server
File/Print
Server
OU/Employeeusers
OU/Employeeusers
OU/EmployeeUsers
OU/EmployeeUsers
OU/CallCenter
OrganizationalUnit
User
Computer
Group
Nature’sBestActive
Directory
Policy
DNS/DHCP
Server
Web/Application
Server
File/Print
Server
Printer/Copier
Scanner
Printer/Copier
Scanner
Printer/Copier
Scanner
Printer/Copier
Scanner
Pritner/Copier/Scanner
Printer/Copier/Scanner
Printer/Copier/Scanner
Printer/Copier/Scanner
Print/Copier/Scanner
Print/Copier/Scanner
Print/Copier/Scanner
Databaseserver
30. 30
VPN ConnectionVPN Connection
Headquarters/NTB.COM
Domain
Domain
OU IT Dept. OU/HR Dept. OU/Accounting.Payroll
User User
User
Computer Computer
Computer
LA Branch/LANTB.COM
Domain
Group Group
Group
Group
NY Branch/NYNTB.COM
Domain
Policy Policy Policy
Seattle Branch Store/SNTB.COM
Domain
Contact Contact
Contact
Authentication
Server
Certificate Template
User Computer
User Computer
User
Computer
Orlando Branch Store/ONTB.COM
Domain
User
Computer
Domain
Site link bridge
File/Print
Server
File/Print
Server
File/Print
Server
File/Print
Server
OU/Employee users
OU/Employee users
OU/Employee Users
OU/Employee Users
OU/Call Center
Organizational Unit
User
Computer
Group
Nature’s Best Active
Directory
Policy
DNS/DHCP
Server
Web/Application
Server
File/Print
Server
Printer/Copier
Scanner
Printer/Copier
Scanner
Printer/Copier
Scanner
Printer/Copier
Scanner
Pritner/Copier/Scanner
Printer/Copier/Scanner
Printer/Copier/Scanner
Printer/Copier/Scanner
Print/Copier/Scanner
Print/Copier/Scanner
Print/Copier/Scanner
Database server
By Charles Spencer
31. 31
Task Name Duration Start Finish Predecessors Resource Names
Project START 56 days? Wed 12/10/14 Wed 2/25/15
WEEK 1 6 days Wed 12/10/14 Wed 12/17/14
Team Meeting 1 day Wed 12/10/14 Wed 12/10/14
Joseph
Douglas,Ernest
Dalusong,Charles
Spencer,Randolph
Gallegos
Logo 1 day Wed 1/7/15 Wed 1/7/15 Randolph Gallegos
Team Roles 1 day Wed 12/10/14 Wed 12/10/14
Ernest
Dalusong,Joseph
Douglas,Charles
Spencer,Randolph
Gallegos
Analyze Protect 5 days Wed 12/10/14 Tue 12/16/14
Ernest
Dalusong,Charles
Spencer,Joseph
Douglas,Randolph
Gallegos
Assign Tasks 5 days Wed 12/10/14 Tue 12/16/14
Research 5 days? Wed 12/10/14 Tue 12/16/14
Ernest
Dalusong,Charles
Spencer,Joseph
Douglas,Randolph
Gallegos
In/Out Scope 0.25 days Wed 12/17/14 Wed 12/17/14
Equipment Removal 0.25 days Wed 12/17/14 Wed 12/17/14
Charles
Spencer,Ernest
Dalusong,Joseph
Douglas,Randolph
Gallegos
New Conveyer 0.25 days Wed 12/17/14 Wed 12/17/14
Charles
Spencer,Ernest
Dalusong,Joseph
Douglas,Randolph
Gallegos
WEEK 2 6 days Wed 12/17/14 Wed 12/24/14
Netw orkTopology
Discussion
3 days Wed 12/17/14 Fri 12/19/14
Joseph
Douglas,Ernest
Dalusong
Project Charter Develirables 3 days Wed 12/17/14 Fri 12/19/14 Joseph Douglas
Cost Analysis- Hardware 3 days Wed 12/17/14 Fri 12/19/14 Randolph Gallegos
Cost Analysis- Software 3 days Wed 12/17/14 Fri 12/19/14 Ernest Dalusong
Unysis Stealth Security 3 days Wed 12/17/14 Fri 12/19/14 Charles Spencer
Design Phase 3 days Wed 12/17/14 Fri 12/19/14
Retail Outlets 3 days Wed 12/17/14 Fri 12/19/14
BackHauling Freight 3 days Wed 12/17/14 Fri 12/19/14
Handheld Scanners 3 days Wed 12/17/14 Fri 12/19/14
32. 32
WEEK 3 6 days Wed 1/7/15 Wed 1/14/15
Journal 1 day Wed 1/7/15 Wed 1/7/15
Ernest
Dalusong,Charles
Spencer,Joseph
Douglas,Randolph
Gallegos
WBS and WBS Dictionary 1 day? Wed 1/7/15 Wed 1/7/15 JosephDouglas
Project Management Plan 1 day? Wed 1/7/15 Wed 1/7/15
Design a Product Charter 1 day? Wed 1/7/15 Wed 1/7/15
Identify Scope 1 day? Wed 1/7/15 Wed 1/7/15
Preliminary Schedule 1 day? Wed 1/7/15 Wed 1/7/15 Ernest Dalusong
WEEK 4 5 days Wed 1/14/15 Tue 1/20/15
Team Journal 1 day? Wed 1/14/15 Wed 1/14/15
Journal 1 day? Wed 1/14/15 Wed 1/14/15
Hardw are / Software
Documentation
1 day Wed 1/14/15 Wed 1/14/15
Budget 1 day? Wed 1/14/15 Wed 1/14/15
Research on Retail,
Warehouse, Transportation
problems
1 day? Wed 1/14/15 Wed 1/14/15
WEEK 5 6 days Wed 1/21/15 Wed 1/28/15
Team Journal 1 day Wed 1/21/15 Wed 1/21/15
Journal 1 day Wed 1/21/15 Wed 1/21/15
Change Management Plan 1 day Wed 1/21/15 Wed 1/21/15
Quality Plan 1 day Wed 1/21/15 Wed 1/21/15
WEEK 6 6 days Wed 1/28/15 Wed 2/4/15 29
Team Journal 1 day? Wed 1/28/15 Wed 1/28/15
Journal 1 day? Wed 1/28/15 Wed 1/28/15
50% Pow er Point 5 days? Wed 1/28/15 Tue 2/3/15
Netw orkInfrastucture
Configuration Draft
5 days? Wed 1/28/15 Tue 2/3/15
Active Directory Draft 5 days? Wed 1/28/15 Tue 2/3/15
Risk Management Plan 5 days? Wed 1/28/15 Tue 2/3/15
Netw orkSchematic Draft 5 days? Wed 1/28/15 Tue 2/3/15
Server Configuration Draft 5 days? Wed 1/28/15 Tue 2/3/15
WEEK 7 5 days? Wed 2/4/15 Tue 2/10/15 35
Team Journal 5 days? Wed 2/4/15 Tue 2/17/15
Journal 5 days? Wed 2/4/15 Tue 2/17/15
Researchs on Firew alls 5 days? Wed 2/4/15 Tue 2/10/15
Week 8 5 days? Wed 2/11/15 Tue 2/17/15 49
Team Journal 5 days? Wed 2/11/15 Tue 2/17/15
Journal 1 day? Wed 2/11/15 Wed 2/11/15
Client Configuration Draft 1 day? Wed 2/11/15 Wed 2/11/15
Week 9 1 day? Wed 2/18/15 Wed 2/18/15
Team Journal 1 day? Wed 2/18/15 Wed 2/18/15
Journal 1 day? Wed 2/18/15 Wed 2/18/15
Week 10 1 day? Wed 2/25/15 Wed 2/25/15
Team Journal 1 day? Wed 2/25/15 Wed 2/25/15
Journal 1 day? Wed 2/25/15 Wed 2/25/15
Server Configuration Final 1 day? Wed 2/25/15 Wed 2/25/15
Client Configuration Final 1 day? Wed 2/25/15 Wed 2/25/15
95% Presentation 1 day? Wed 2/25/15 Wed 2/25/15
Netw orkInfrastructure
Configuration Final
1 day? Wed 2/25/15 Wed 2/25/15
Active Directory Final 1 day? Wed 2/25/15 Wed 2/25/15
Implementation Demo 1 day? Wed 2/25/15 Wed 2/25/15
Netw orkSchematic Final 1 day? Wed 2/25/15 Wed 2/25/15
42. 42
INTERNET
Nfina 328i4
File/Print
Server
Cisco ASR-1002
Router
Cisco SG200-26P
SwitchFirewall
HP LaserJet
Printer/copier/scanner
10x HP Z230 Workstation
PC/ Retail Stores
10x Aastra 67531
VoIP Phone
PBX
Nature’s Best
Headquarters
Touch Screen
Cash Register
Touch Screen
Cash Register
HP LaserJet
Printer/copier/scanner
Class B
IP Range 172.16.0.1-
172.16.0.30/27
Subnet Mask
255.255.255.224
Broadcast Address
172.16.0.31
Subnet ID 172.16.0.0
Retail Store’s
Network
Schematic
Vlan Switch
43. 43
LA Branch Class B Address
Subnet: 172.16.0.0
IP: 172.16.0.1
Subnet Mask: 255.255.255.224/27
IP Range: 1-30
NY Branch Class B Address
Subnet: 172.16.1.0
IP: 172.16.1.1
Subnet Mask: 255.255.255.224/27
IP Range: 1-30
Seattle Branch Class B Address
Subnet: 172.16.2.0
IP: 172.16.2.1
Subnet Mask: 255.255.255.224/27
IP Range: 1-30
Orlando Branch Class B Address
Subnet: 172.16.3.0
IP: 172.16.3.1
Subnet Mask: 255.255.255.224/27
IP Range: 1-30
45. 45
INTERNET
Tripplite B096-16 CONSOLE
Server Management Switch
Email/Web
Server
File/Print
Server
Application/Database
Server DNS/DHCP/Directory
Server
Barracuda 840 Load Balancer
ADC
HP LaserJet Enterprise
Printer/copier/scanner
HP LaserJet Enterprise
Printer/copier/scanner
HP LaserJet Enterprise
Printer/copier/scanner
Firewall
Cisco ASR 1002
Router
Aastra 67531
VoIP Phone
Corporate
Headquarters
Network
Schematic
LA,NY,Sea,Orl
Branch’s
HP Z230
Workstations
PBX
Class C
IP Range
192.168.0.1-
192.168.0.254/24
Subnet Mask
255.255.255.0
Broadcast Address
192.168.0.255
Subnet ID
192.168.0.0
Vlan Switch
47. 47
Purpose:
The purpose of these policies is to provide an up to date
corporate security plan for the User and Workstation Domains
at all of Nature’s best branch offices.
Scope:
This policy will apply to all Nature’s Best employees who have
access to their Workstations and User Domain. It will ensure
confidentiality, integrity and availability of sensitive
information, including protected and personal information is
restricted to authorized users only.
48. 48
Common Vulnerabilities
o Lack of awareness or concern for security policy
o Intentional malicious activity
o Violation of security policy
o Unauthorized user access
o Weakness in installed software
o Malicious software introduced
o Social engineering
Threat Targets of the User and Workstation Domains
o PC’S
o Smartphones
o Personal Digital Assistants (PDAs)
o Application Software (productivity, Web browsing)
o Administrative workstations
o Servers, network and operating-system software
o Departmental workstations
49. 49
User Domain & Workstation Policy
o Implement an acceptable security policy.
o Apply awareness training on the policies.
o Establish unique logon credentials for users that require a strong
password.
o Grant only user privileges to that users required tasks.
o Enable password protection for workstations
o Conduct a second-level test to verify a user’s access.
o Automatic antivirus scans for inserted CDs, DVDs, and USB
drives that have files at all workstations.
o Content filtering and scanning for virus at internet entry and exit
points.
o Have workstation domain vulnerability tests to find gaps
50. 50
Continued….
o Minimize write/delete permissions to the data owner only.
o Disable internal CD drives and USB ports.
o Enable automatic antivirus scans for media drives, files and e-
mail attachments.
o Enable content filtering for antivirus scanning of email
attachments.
o Track and monitor abnormal employee behavior.
o Updates on application software and security patches.
o Antivirus and malicious scans that update workstations with
proper protection.
o Enable workstations auto-scans for all new files and automatic
file quarantine for unknown files.
51. 51
VoIP & SIP Security policy and administration.
o Before dial tone users must prove their identity.
o Only minimum functions and features will be used on all IP
phones with specific phone extensions.
o PIN numbers or Password will be required before granting dial
tone of IP phones.
o Long distances calls will require a valid code or permission from
It Management.
o Encryption (VPN,SSH,HTTPS etc.) will be used for remote
access and management to call servers and VoIP
o Call- Detail recordings for periodic auditing of users extensions,
inbound or outbound dialing, and toll calls.
52. 52
Miscellaneous
o All N.B.-owned workstations, whether on the N.B.
domain or not, must have a centrally-managed N.B.
administrative group required for the Information
Security Function.
o Wireless connections are only to be used on approved
portable devices if wireless access is used on a mobile
device, then the device must connect to an approved
wireless access point.
o The use of insecure protocols such as FTP and Telnet
are prohibited
o All server rooms, electrical closets, and locations
where any network equipment such as routers,
switches, firewalls or servers are housed will be
secured and locked at all times.
o All workstations should have an established,
documented, and consistently-used backup plan.
53. 53
Enforcement of Policy
Any employee found to have violated this policy may
be subject to disciplinary action, up to and including
termination of employment.
55. 55
Server Security Policy
1.0 Premise: Every server administrator must take reasonable security measures to secure their
hosts as outlined by this policy. Computer security is not something that is done once a year, once
a month, or even once a day. It is the frame of mind that there are real threats and that part of the
job includes keeping users, data and transactions safe from these threats.
2.0 Purpose: This policy is for all computer system administrators managing a computer server
connected to a network. The following policies define common sense security practices expected
of all computer server administrators and users.
3.0 Scope: This policy addresses any server connected to a network providing any type of service
to other users.
4.0 Ownership and responsibilities: A server administrator, upon connecting their server to a
network, is responsible for the security of that device in accordance with IT guidelines.
Note: An administrator is held accountable when a compromise occurs. It is also expected that
the administrator will demonstrate reasonable precautions to ensure the security of their hosts.
5.0 Server Policy: As follows.
56. 56
5.1 Location: Servers should be placed in physically secured areas accessible only to authorized
personnel. There is no substitute for physical security. Each Server room will be located next to
each lab and contains the IT essentials for each lab including, servers, racks, cabling and cabinets.
Server rooms should have limited access
• The door will be equipped with a key card system and qualified personnel will have to
swipe their card to enter
• If you card is lost/stolen please call our IT support immediately and they will deactivate
your card
• A new card will be overnighted to you immediately
• If you need the uses of a card today, IT director will have a spare key card on hand for
emergencies
5.2 Services Supported: Administrators should run only services on a server that are needed for
it to complete its designed task. Every service running should be regarded as a mode of entry.
The number of entry points should be limited to only those needed.
Note: The chance that a computer will be compromised is increased with the number of services
being run. Therefore, it is expected that every administrator knows exactly what and why services
are running.
5.3 Security Updates: The latest system patches should be applied regularly.
Note: Security related patches for systems often mean that there has been a successful exploit of
a particular vulnerability. The vulnerability of a system is directly proportional to the age of the
patches. The longer one waits before applying a patch, the more likely it is that it will be
successfully exploited. It is not uncommon to have a three-month-old vulnerability incorporated
into an automated tool that thousands of hackers use. Patching a system is something that should
be done on a regular schedule and immediately if a threat has been reported. At some point, if
patches are not applied in a timely manner, the server could be disconnected from the network
until vulnerabilities have been addressed.
57. 57
5.4 Virus Protection: It is expected that administrators regularly scan all servers with updated
virus detection software.
5.5 Log-on Limits: Administrators should limit log-on retries.
Note: Password guessing applications have a greater probability of cracking a password if given
ample opportunity. For most situations, Information Technology Services recommends account
lockout after three failed log-on attempts.
5.6 Account Reviews: Accounts must be regularly reviewed for inactivity, and any dormant
accounts disabled.
Note: Old accounts should be terminated regularly. When students, faculty, and VIP personnel
leave the school, administrators should have a clear deadline for account termination. Dormant
(unused for more than 60 days) accounts make attractive targets to intruders, since no one will
likely notice the activity.
5.7 Local Accounts: Whenever possible, accounts should be located on and authenticated against
a Kerberos, NTLM, LDAP or Active Directory based infrastructure. Administrators should only
use local accounts when absolutely necessary.
Note: In most cases, local accounts are not scrutinized as closely as directory based accounts and
thus more susceptible to attack by automated tools.
5.8 Privileged Accounts: Special care should be taken with privileged accounts (including but
not limited to "root" for UNIX and "administrator" for NT), commensurate with the privileges
afforded the account. Passwords for privileged accounts should be given only to people with a
need for privileged access. For NT Servers, the "administrator" account should be renamed.
58. 58
Note: Failing to change the name of the account gives would-be intruders half the equation to
compromising the server. All privileged server accounts should be password protected.
5.9 Password Protection: All accounts must conform to the Password Policy.
5.10 Service Banners: Wherever feasible, a log-on banner, stating that the system is for
authorized use only, should be displayed for anyone attempting to connect to the system.
Note: If possible, log-on restrictions (by time of day, by system address, etc.) should be
implemented. All operating system, version/release numbers, and vendor information provided in
log-on/sign-on banners should be limited or disabled. Providing this information makes attacks
easier by allowing intruders to pinpoint hosts with known security vulnerabilities.
5.11 Backups: Information Technology Services encourages server administrators to maintain
backups on all servers for 30 days.
Note: In the event of a security breach backups are important to track down when changes
occurred and which files were modified. Backups are also important to restore a server to its
configuration before the intrusion occurred (i.e. no code is present which was inserted during the
intrusion).
5.12 Server Logs: Logs of user activity must be retained for a period of time.
Note: IT recommends that these logs be kept for at least six months. Logs should include (where
feasible) the time and date of activities, the user ID, commands (and command arguments)
executed, ID of either the local terminal or remote computer initiating the connection, associated
system job or process number, and error conditions (failed/rejected attempts, failures in
consistency checks, etc.). Logs should be checked for signs of malicious activity on a regular
daily or weekly basis. Knowledge that logs are kept, acts as a deterrent to abuse. Logs are also
essential in investigating incidents after the fact. Many attempted break-ins can be detected early,
and sometimes prevented by early detection of unusual activity.
59. 59
5.13 Sensitive Information: Nature’s Best of Information Technology Services must be made
aware of any server that contains sensitive data. This includes but is not limited to social security
number, credit card numbers, grades and other personal data.
Note: Extra precaution must be taken with systems containing sensitive data.
5.14 Remote Administration: In order for a vendor or consultant to gain access to a server from
off campus, they must be assigned a VPN account. The system administrator is responsible for
registering the vendor or consultant before the VPN can be assigned. In addition, that vendor or
consultant may be required to sign a non-disclosure agreement before gaining access to a server.
Note: Many servers require administration by outside vendors or consultants. In these cases, it is
preferred that this outside access be obtained by using a VPN account. The account allows for
secure remote access to the server. In the case on Windows servers, Terminal services should be
used through the VPN connection to administer the server. UNIX, Linux or Mac servers should
use SSH.
6.0 Incident Response: AS Follows.
6.1 Response Procedure: A server administrator must read and understand the Natures Best
Incident Response Policy.
1. The server will be analyzed by Information Technology Services and the server
administrator to attempt to determine the method by which the server was compromised.
2. If it has been determined that the server was compromised then the server's system
volume will be reformatted. The operating system will be reinstalled with the latest
security patches.
3. The server must pass a security scan before being reconnected to the network.
6.2 Incident Confidentiality: Information regarding security incidents will be kept confidential
by all parties involved. Only authorized personnel may disclose such information.
7.0 Compliance: Natures Best Information of Technology Services reserves the right to scan
systems for known vulnerabilities. When vulnerabilities are discovered, it is expected that
administrators will immediately act to close all known security vulnerabilities for which there are
60. 60
reasonable methods to close such vulnerabilities. If the administrator is unable to do this in a
timely fashion, it is expected that they will remove the server from the network to protect other
systems.
8.0 Enforcement: All servers should be registered with Natures Best Information of Technology
Services.
Note: All server administrators must notify Nature’s Best Information of Technology Services of
servers running in their department. This registration will require names and phone numbers of
people to call in emergency situations including contact information during class breaks. When
security related issues arise and this information is not available, there may be no choice other
than to disconnect a server without notice. Natures Best Information of Technology Services
must be notified upon discovery of any system breach or suspected system breach. Natures Best
Information of Technology Services reserves the right to disconnect any server which poses a
threat to a school network. Any server not following the above procedures will be considered
unsafe, and as such poses a threat to the Company’s network and other systems.
62. 62
This document delineates the policies and procedures for an Information Technology
Disaster Recovery Plan (referred to as “IT Disaster Recovery Plan”), as well as our process-level
plans for recovering critical technology platforms and the telecommunications infrastructure.
This document summarizes our recommended procedures. In the event of an actual emergency
situation, modifications to this document may be made to ensure physical safety of people,
systems, and data.
Our mission is to ensure information system operation, data integrity and availability, and
business continuity. All IT disaster recovery-planning procedures and recovery solutions should
be consistent with and support Local and State security policies. IT Disaster Recovery solutions
should offer the same level of security as the normal operating procedure so that sensitive data is
not compromised or disclosed.
Because IT resources are critical to Nature’s Best success, it is essential that the services
provided are able to operate effectively without excessive interruption. The IT Disaster Recovery
Planning Guidelines contained in this section support this requirement by establishing a proven
and structured approach to developing IT disaster recovery plans and procedures that enable a
system to be recovered quickly and effectively following a service disruption or disaster.
The purpose of a DRP is to document the recovery strategies and create a road map of
predetermined actions that will reduce required decision-making during a disaster and
systematically provide a documented recovery path. Although the likelihood of a catastrophic
disaster is remote, the devastation and potential loss of the ability to perform services requires
that advance planning occur in order to respond in an effective and responsible manner.
The recovery strategies developed should provide a means to restore IT components quickly and
effectively following a service disruption.
IT Disaster Recovery Plans must document backup procedures. Procedures should specify
backup frequency based on data criticality and the frequency that new data is introduced.
Backups should occur daily (at a minimum). Backup procedures should designate the location of
stored data, retrieval procedures, backup test procedures, file-naming conventions, media rotation
frequency, method for transporting data off-site, and a description of off-site storage facility.
63. 63
Once backup procedures are documented, they should be tested. This test should include
the successful restoration of data. This includes retrieval procedures to obtain off site data.
Testing backup procedures will identify missing files, missing applications, and faulty
procedures. Testing backup procedures also increases the likelihood of discovering procedural
inconsistencies before an emergency, rather than during one. Recovery strategies must consider
damage or destruction of IT systems or unavailability of the primary site. Necessary hardware
and software will need to be acquired and/or activated quickly at the alternate location.
Notification procedures that describe the methods to notify recovery personnel during
business and non-business hours should be developed and documented. These procedures should
also cover events with and without prior notification. Primary and alternate contacts must be
included along with procedures to be followed if an individual cannot be contacted. While this
section lists contacts by team position, an emergency contact list that identifies personnel by the
team position, name, and contact information (e.g., home, work, cell, pager numbers, e-mail
addresses, and home addresses) should be appended to the plan.
The type of information to be communicated to those being notified should also be documented
in the plan.
Recovery activities begin once the plan has been activated and recovery team(s)
mobilized. Recovery phase activities focus on disaster recovery measures to execute temporary
IT processing capabilities, repair damage to the system, and restore operational capabilities at the
original or new facility. Recovery procedures must be documented in sequential format with step-
by-step instructions to restore system components in a logical manner consistent with priorities
identified in the BIA. The procedures should also indicate who is responsible for taking each
action and document any coordination between activities. Because recovery procedures are likely
to change frequently, it is recommended that recovery procedures and supporting exhibits be
maintained as a separate document.
Training and awareness programs are essential to a successful IT disaster recovery program.
Personnel with recovery responsibilities should receive training at least annually. New personnel
with plan responsibilities should receive training as soon as possible after they are identified. The
goal of the training is to educate staff to the extent that they are able to execute their respective
64. 64
recovery procedures without aid of the actual DRP. The following elements should be covered in
the training program:
Purpose of plan
Cross-team coordination and communication requirements
Reporting procedures
Security requirements
Team and phase-specific processes (Notification/Activation, Recovery, and
Reconstitution)
Individual responsibilities in each phase
Plan testing is an essential element of a viable IT disaster recovery capability.
The first benefit of testing the DRP is that it provides an opportunity to train personnel to execute
the plan. Without practice, the key staff may have no idea what their roles are within the DRP.
Secondly, periodic testing is important because it validates the effectiveness of the backup and
recovery procedures. One of the key elements of a successful DRP is the ability of the recovery
team to locate a current copy of the core data to replicate. If the backup and recovery activities
used in the data center are not effective or fail to comply with the requirements of the BIA, a
DRP test will very quickly indicate this shortcoming.
65. 65
The third importance of testing is not that the test succeeds without problems, but that you review
the test results and problems encountered and use these results to update or revise the current
procedures and plans.
Many agencies do not have the resources to performing a full recovery with system
downtime. A total system test is ideal. If a total system test cannot be performed, individual
sections or sub-systems of the DRP may be tested separately in order to confirm the
recoverability of the plan as a whole.
Thorough testing should include the following:
System recovery on an alternate platform from backup media
Coordination among recovery teams
System performance using alternate equipment
Restoration of normal operations
Notification and activation procedures
Test results should be documented, reported to senior management, and kept on file. The IT
Disaster Recovery Plan is a living document and the maintenance of the plan should be included
in the general business plan. It must be updated regularly to remain viable based on the most
current system architecture or environment. Each IT Disaster Recovery Plan must document plan
maintenance procedures and responsibilities. This should include reassessment of the plan at least
annually and a process to update the plan to reflect changes in hardware, software, and personnel.
66. 66
Policy Statement
The Nature’s best comprehensive IT Disaster Recovery Plan shall be reviewed annually.
A risk assessment shall be undertaken periodically to determine the requirements for the
IT Disaster Recovery Plan.
The IT Disaster Recovery Plan should cover all essential and critical infrastructure
elements, systems and networks, in accordance with key educational activities.
The IT Disaster Recovery Plan should be periodically tested in a simulated environment
to ensure that it can be implemented in emergency situations and that the management
and staff understand how it is to be executed.
Staff must be made aware of the IT Disaster Recovery Plan and their own respective
roles.
The IT Disaster Recovery Plan is to be kept up to date to take into account changing
circumstances.
Objectives
The principal objective of the IT Disaster Recovery Plan program is to develop, test and
document a well- structured and easily understood plan which will help Nature’s best recover as
quickly and effectively as possible from an unforeseen disaster or emergency which interrupts
information systems and educational operations. Additional objectives include the following:
The need to ensure that employees fully understand their duties in implementing such a
plan.
The need to ensure that operational policies are adhered to within all planned activities.
The need to ensure that proposed contingency arrangements are cost-effective.
Disaster recovery capabilities are applicable to staff, vendors and others.
67. 67
Prevention
All attempts are made to prevent or limit the impact of a disaster on the information systems
of Nature’s best. Specifically, the following steps have been taken:
All servers are in a centralized and secured, locked location with access limited to
technology staff and selected buildings and grounds staff.
A separate independent cooling system is installed in the server room.
All servers are password protected, with only select administrator level user accounts
given authorization to log on.
Uninterrupted power supplies are installed on all servers and key network equipment.
RAID is used on mission critical servers.
Plan updating
It is necessary for the IT Disaster Recovery Plan updating process to be properly structured and
controlled. Whenever changes are made to the plan they are to be fully tested and appropriate
amendments should be made to the training materials. This will involve the use of formalized
change control procedures under the control of the Technology Department.
69. 69
CLIENT CONFIGURATION
For the Client configuration anybody with administration rights will have the opportunity
to change any configuration that they deem necessary.
For basic users, regular students that are using computer lab workstations, they
will need to have authentication first, they will be given the choice to make their
own password which must consist of at least 8 to 16 characters, using Caps and
mixture of special characters and numbers.
Their usernames will have part of their name and student I.D. number to verify
who they are upon logging on the computer lab work stations.
These passwords will have to be case sensitive and students will have to memorize
and not write don’t their password so no one can gain access to their computer lab
workstations.
Same will go for anybody in the Administration level, solely for security purposes.
71. 71
Test Plan
In setting up our network we have been tasked with devising the test plan to ensure the
functionality of the network. This plan documents the strategy in which we will verify and ensure
the network meets the client’s specifications.
Type of Testing
Compatibility Testing
Functional Testing
Stress/Load Testing
Performance/System Testing
Security Testing
Disaster Recovery Testing
User Acceptance Testing
Training Plan
Responsible to train the IT staff, and Administrators.
Making up the schedule for who is training who and how long it’s going to take
Assembling way for all the staff to get help after we leave the school.
73. 73
Backup Policy
1.0 Overview
This policy defines the backup policy for computers within the organization which are expected
to have their data backed up. These systems are typically servers but are not necessarily limited to
servers. Servers expected to be backed up include the file server, the mail server, and the web
server.
2.0 Purpose
This policy is designed to protect data in the organization to be sure it is not lost and can be
recovered in the event of an equipment failure, intentional destruction of data, or disaster.
3.0 Scope
This policy applies to all equipment and data owned and operated by the organization.
4.0 Definitions
1.Backup - The saving of files onto magnetic tape or other offline mass storage media for the
purpose of preventing loss of data in the event of equipment failure or destruction.
2. Archive - The saving of old or unused files onto magnetic tape or other offline mass storage
media for the purpose of releasing on-line storage room.
3. Restore - The process of bringing off line storage data back from the offline media and putting
it on an online storage system such as a file server.
5.0 Timing
Full backups are performed nightly on Monday, Tuesday, Wednesday, Thursday, and Friday. If
for maintenance reasons, backups are not performed on Friday, they shall be done on Saturday or
Sunday.
74. 74
6.0 Tape Storage
There shall be a separate or set of tapes for each backup day including Monday, Tuesday,
Wednesday, and Thursday. There shall be a separate or set of tapes for each Friday of the month
such as Friday1, Friday2, etc. Backups performed on Friday or weekends shall be kept for one
month and used again the next month on the applicable Friday. Backups performed Monday
through Thursday shall be kept for one week and used again the following appropriate day of the
week.
7.0 Tape Drive Cleaning
Tape drives shall be cleaned weekly and the cleaning tape shall be changed monthly.
8.0 Monthly Backups
Every month a monthly backup tape shall be made using the oldest backup tape or tape set from
the tape sets.
9.0 Age of tapes
The date each tape was put into service shall be recorded on the tape. Tapes that have been used
longer than six months shall be discarded and replaced with new tapes.
10.0 Responsibility
The IT department manager shall delegate a member of the IT department to perform regular
backups. The delegated person shall develop a procedure for testing backups and test the ability
to restore data from backups on a monthly basis.
11.0 Testing
The ability to restore data from backups shall be tested at least once per month.
12.0 Data Backed Up
Data to be backed up include the following information:
1. User data stored on the hard drive.
75. 75
2. System state data
3. The registry
Systems to be backed up include but are not limited to:
1. File server
2. Mail server
3 .Production web server
4. Production database server
5. Domain controllers
6. Test database server
7. Test web server
13.0 Archives
Archives are made at the end of every year in December. User account data associated with the
file and mail servers are archived one month after they have left the organization.
14.0 Restoration
Users that need files restored must submit a request to the help desk. Include information about
the file creation date, the name of the file, the last time it was changed, and the date and time it
was deleted or destroyed.
15.0 Tape Storage Locations
Offline tapes used for nightly backup shall be stored in an adjacent building in a fireproof safe.
Monthly tapes shall be stored across town in our other facility in a fireproof safe.
This policy may contain descriptions about how various systems and types of systems are backed
up such as Windows or UNIX systems.
77. 77
System Lockdown Policy
1.0 Overview
This system lockdown policy is an internal IT policy and defines a general process that should
be used to lock down servers and workstations.
2.0 Purpose
This policy is designed to minimize risk to organizational resources and data by establishing a
process for increasing the security of servers and workstations by stopping unneeded services
and testing for vulnerabilities.
3.0 Server Lockdown and Hardening
This section describes a general process used to lock down servers. When they are initially
installed and configured. Types of servers or equipment that need hardening include but are not
limited to file sharing servers, email servers, Web servers, FTP servers, DNS servers, DHCP
servers, Database servers, Domain controllers, Directory servers, Network devices such as
firewalls, routers, and switches.
1. List services that will be required to run on the server. Examples include:
1. DNS
2. HTTP
3. SMTP
4. POP3
2. List services that are running on the server and turn off any that the administrator is sure
are not needed.
3. Do a port scan on the server - Use a security tool to test and determine any ports that the
server is responding to.
4. Shut down any services that are not on the required list of services for the server.
Especially remember to shut down services listed in Appendix A - Services
Recommended for Shutdown
5. Remove any unnecessary programs, services, and drivers from the server especially those
not loaded by default on the server.
6. Patch the server with the latest patches and patch all services running on the server.
7. Disable or change the password of any default accounts on the server or related to any
operating services.
8. Be sure all passwords used to access the system or used by services on the system meet
minimum requirements including length and complexity parameters.
9. Be sure all users and services have minimum required rights and do not have rights to
items not needed.
10. Be sure file share and file permissions are as tight as possible.
11. Perform a vulnerability assessment scan of the server.
12. Patch or fix any vulnerabilities found.
13. Where appropriate, install and run additional security programs such as:
1. Anti-virus - Install and perform latest update of software and virus definitions.
2. Firewall
78. 78
3. Intrusion detection software - Some approved host based intrusion detection
software is recommended to be run on all servers.
4. Honeypot
5. Change of system and system files detection
All this software should have the latest updates installed.
14. Set security parameters on all software such as where anti-virus programs will scan, how
often it will scan, and how often it will get virus definition updates.
15. Enable audit logging to log any unauthorized access.
16. Perform another vulnerability assessment scan of the server, and fix any discrepancies.
17. Take additional account management security measures including:
1. Disable the guest account
2. Rename default administrator accounts
3. Set accounts for minimum possible access
4. Be sure all accounts have passwords meeting minimum complexity and length
rules.
18. Test the server to be sure all desired services are operating properly.
4.0 Enforcement
Since locking down servers is critical to the security of the organization and everyone, this
policy must be enforced by management through review and auditing.
Appendix A - Services Recommended for Shutdown
1. File and Printer Sharing for Microsoft Networks - Uninstallation of this service is
recommended. This service is not needed unless you want to share a printer on your local
computer or share folders on your local computer with other computers.
2. Messenger - Disable this service in the Services applet of Administrative Tools. This
service has some serious security bugs and problems and has very little use for managing
the network.
3. Remote registry service - This service should be set to manual or disabled since it allows
people from remote locations to modify your registry. It is a serious security risk and
should only be run if required by network administrators. Set this service to manual or
disabled in the Services applet of Administrative Tools.
4. Secondary Logon service - If it is not necessary for lower privileged users to use the "Run
As" command to run commands that only administrators or power users can run, this
service should be disabled.
5. Universal Plug and Play Device Host service - It broadcasts unnecessary information
about the computer running the service. It may be used by MSN messenger. This service
is a high security risk and should be disabled unless dependent services are required.
6. Wireless Zero Configuration service - Used to support wireless connections. If you are
not using wireless, this should be disabled. This service is a high security risk and should
be disabled unless needed.
7. Computer Browser - For home users and most organizational users, this service can be
disabled. Running this service is a moderate security risk.
79. 79
8. NetMeeting Remote Desktop sharing - A person on a remote computer can access your
desktop to help you. This service may be used by network administrators to help users
with tasks. Normally this service should be disabled unless needed. Running this service
is a moderate security risk.
9. Remote Desktop Help Session Manager service - A person on a remote computer can
access your desktop to help you. This service may be used by network administrators to
help users with tasks. Normally this service should be disabled unless needed. Running
this service is a moderate security risk.
10. Network DDE Service - Provides network transport and security for Dynamic Data
Exchange (DDE) for programs running on the same computer or on different computers.
It allows two running programs to share the same data on the same computer or on
different computers. Running this service is a moderate security risk. Normally this
service should be disabled unless needed.
11. Network DDE DSDM Service - Manages DDE network shares. Running this service is a
moderate security risk. Normally this service should be disabled unless needed.
12. NT LM Security support provider - Used for backward compatibility with older Microsoft
operating systems. Running this service is a moderate security risk. Normally this service
should be disabled unless needed or set to manual.
13. SSDP Discovery service - Allows the computer to connect with networked plug and play
devices on the network. This service does not support internal PnP devices. This service
should be disabled unless the computer needs to connect to external networked plug and
play devices.
14. Telnet service - The telnet service allows a terminal connection to or from a remote
computer but sends passwords in the clear. Running this service is a moderate security
risk. Normally this service should be disabled unless needed or set to manual.
15. Terminal services - Allows a remote connection from a remote computer usually used by
network administrators to help users. Running this service is a moderate security risk.
Normally this service should be disabled unless needed or set to manual. This service is
commonly used by system administrators to administer servers remotely.
16. Alerted service - The alerted service allows system administrators to send messages to
selected users. This service should be disabled unless specifically needed.
Types of servers that need hardening (This list is not inclusive of all devices that should be
hardened):
1. File sharing
2. Email Servers
3. Web servers
4. FTP servers
5. DNS servers
6. DHCP servers
7. Database servers
8. Domain controllers
9. Directory servers
10. Network devices such as firewalls, routers, and switches
81. 81
1.0 Overview
This policy defines the minimum training for users on the network to make them aware of basic
computer threats to protect both themselves and the network. This policy especially applies to
employees with access to sensitive or regulated data.
2.0 Purpose
This policy is designed to protect the organizational resources on the network and increase
employee efficiency by establishing a policy for user training. When users are trained about
computer use and security threats, they work more efficiently and are better able to protect
organizational resources from unauthorized intrusion or data compromise. This policy will help
prevent the loss of data and organizational assets.
3.0 Training Categories
Training categories will include but not be limited to the following areas:
Basics:
1. What files are
2. How to set view for details and show extensions for known file types
3. Why not seeing file extensions is a security hazard to you
4. File storage size - how to determine
5. Mail attachments
6. Where to store files
How to use your network drive
What your network drive is and what it means to you
7. How to copy files
8. Ways to increase efficiency on the computer such as keyboard shortcuts
Ways to get malware:
1. Through email
2. Through browser
3. By connecting
4. By installing unapproved programs
Email viruses:
1. How they spread
2. Spoofing sender
3. Dangerous attachments
Email SPAM
1. Protect your email address
2. Filtering spam
Hoaxes:
1. Phishing
2. Fraud methods
Email use
1. How to set up email for remote users or with your ISP with POP3
2. How to set up out of office reply
3. How to set mail filtering rules
82. 82
4. How to use, import, and export personal folders
5. What an undeliverable response to an email message means
Use of web browser
1. Safe browser?
2. Avoid adware and spyware - ignore ads that may compromise your computer or
get you to install an illicit program
3. How to change browser settings for better security
4. Products to prevent malware.
Passwords
1. Why protect my password?
2. Why do I need to change my password every 30 days
3. How to change your password
4. How to choose strong passwords that you can remember
5. If I log in on a website can someone see my password?
Other
1. Reasons for firewall -- worms and others
2. Why worry about malware?
3. What is a vulnerability?
4. Why not run all services?
5. Social engineering
4.0 Training Opportunities
Basic training as listed in section 3.0 shall be provided internally by the organization and shall
include the following opportunities:
1. Scheduled training seminars for 1 to 4 hours per day.
2. Brown bag lunch training for lunch time training for up to 1 hour per day on one or two
days per week.
5.0 Requirements
All organizational staff shall make measurable and continuous progress in the training areas listed
in section 3. Each employee manager shall be responsible for ensuring that employees under their
supervision make progress in the required training areas. Each employee must retain knowledge
about training in areas listed in section 3 within the first year of employment.
6.0 Enforcement
Since training is very important to the security of the organization, auditing shall be used as a
mechanism to be sure the training policy is being followed. Auditors may test employees at
random about their knowledge in the areas listed in section 3. If an employee gets malware on
their computer, they may be audited.
84. 84
1.0 Overview
This policy defines the use of mobile computers in the organization. It defines:
1. The process that mobile computers must meet to leave the corporate network. Both the
device and any sensitive data should be password protected.
2. How mobile computers and devices will be protected while outside the organizational
network.
3. The process that mobile computers must meet to enter the corporate network when being
brought into a building owned by the organization.
2.0 Purpose
This policy is designed both to protect the confidentiality of any data that may be stored
on the mobile computer and to protect the organizational network from being infected by
any hostile software when the mobile computer returns. This policy also considers
wireless access.
3.0 Scope
This policy covers any computing devices brought into the organization or connected to
the organizational network using any connection method. This includes but is not limited
to desktop computers, laptops, and palm pilots.
Note:
To write this policy, consider data and the sensitivity of the data stored and viewed on the
mobile computer including:
1. Email
2. Data the user is working on that is stored locally.
3. Cached data that is stored locally such as cached data from the user's browser.
Windows XP allows for cached files to be encrypted using the encrypting file
system (EFS).
4. Data from the internal network that the user may access while the computer is
outside the network.
5. Locally stored user names and passwords.
Consider loss due to:
6. Theft - should locally stored data be encrypted?
7. Hard drive failure
4.0 Responsibility
The user of the mobile computer will accept responsibility for taking reasonable safety
precautions with the mobile computer and agrees to adhere to this policy. The computer
user will not be allowed to have administrative rights unless granted special exception by
the network administrator. The user of the computer agrees not to use the mobile
85. 85
computer for personal business and agrees to abide by the organizational computer usage
policy.
5.0 Connection Terms
8. Devices connected to the organizational network must be determined to be a
benefit to the organization rather than convenience by the designated IT manager.
9. All mobile devices owned by the organization or allowed on the organization
network must be identified by their MAC address to the IT department before
being connected. (Possibly require static IP address)
10. The device must meet the computer connection standards described in the
following section.
11. The device operator must be identified by name and contact information to the IT
department.
12. The computer device operator must be familiar with the organization's acceptable
use policy.
13. Devices not owned by the organization are subject to a software audit to be sure
no software that could threaten the network security is in operation. All
computing devices are subject to a software audit at any time.
14. Access rights to the organizational network cannot be transferred to another
person even if that person is using an allowed computing device.
6.0 Mobile Computer Protection
1. Any mobile computer owned by the organization shall at all times operate the following
for its own protection:
1. Antivirus program named _________________ with the latest possible virus
updates. The program shall be configured for real time protection, to retrieve
updates daily, and to perform an anti-virus or malware scan at least once per week.
2. A firewall program named _________________ with the latest possible updated.
The program shall be operational any time the computer is connected to any
untrusted network including the internet to protect the computer from worms and
other malware.
3. Additional malware protection software shall be active on the computer in
accordance with the anti-virus and malware policy.
4. The operating system and application patch levels must be consistent with the
current patch levels of our organization for similar devices and operating systems.
All mobile computers in the organization shall have wireless access disabled. If
wireless access is used, a specific protocol for wireless encryption shall be
designated and configured. Also the maximum data sensitivity category shall be
noted for the computer depending on the security of the wireless access and other
features of the computer.
2. Policy for mobile computers owned by the organization and removed nightly by
employees with permission to work from home.
1. These computers shall always meet requirement 6.0.1 above.
86. 86
2. If at any time the computer shall fail to meet the requirement 6.0.1 above, the
employee shall report the condition to the IT Security department and a check of
the computer equivalent to any check of an unsecure computer entering the
building shall be performed.
3. It shall be ensured that unauthorized persons cannot gain access to the computer
without a proper user identification and password. Operating systems that do not
safely support this process shall not be used in mobile computers. The IT Security
department will determine and specify the proper tools to be used for
authentication and access controls.
4. Data to be stored on the computer will be evaluated and rated to consider the
sensitivity of the data according to the Data Assessment Process document. Any
data stored on the computer that is considered to be sensitive will be stored only in
an encrypted format, possibly using an Encrypting File System (EFS). The policy
must define the encryption tool to use and how it will be maintained.
5. The computer shall be checked weekly by IT Security department personnel at
designated times when the computer will be entering a secure building area. The
check will include a scan for malware and a test to determine whether the
computer has a worm. The state of stored sensitive data shall also be checked to
determine whether it is encrypted and whether data of too high a level of security
is being stored on the computer. Remove any malware on the computer if any was
detected. Log information about any malware found. Log any information about
data that was not stored properly.
3. Policy for computers being used for travel - Protection of these computers shall be the
encryption of all sensitive data and a requirement for a valid user ID to operate the
computer.
4. These computers shall always meet requirement 6.0.1 above. If any additional software
installation is required, it must be done and configured before the computer leaves the
building.
5. It shall be ensured that unauthorized persons cannot gain access to the computer without a
proper user identification and password. Operating systems that do not safely support this
process shall not be used in mobile computers. The IT Security department will determine
and specify the proper tools to be used for authentication and access controls.
6. Data to be stored on the computer during the time the computer is not in a security facility
will be evaluated and rated to consider the sensitivity of the data according to the Data
Assessment Process document. Any data stored on the computer that is considered to be
sensitive will be stored only in an encrypted format, possibly using an Encrypting File
System (EFS). The policy must define the encryption tool to use and how it will be
maintained. Any data not considered to be safe to be stored on the computer will be
removed using a designated program to be sure it has been removed so it cannot be read
using special technology later. There will be a list of documented sensitive data including
storage locations for all sensitive data stored on the computer. This list will be created
before the computer leaves the facility.
7. If there is a chance that the user will view any sensitive data using their web browser or
other program, cached data will need to be encrypted. Cached data that is stored locally
such as cached data from the user's browser will be set to be encrypted using the
encrypting file system (EFS). This may require Windows XP or some third party
software. In Windows XP, this may be enabled using the following procedure:
87. 87
1. Open "My computer"
2. Click on "Tools" and select "folder Options".
3. Select the "Offline files" tab.
4. Check the box next to "Encrypt offline files to secure data".
5. Click "OK" to exit.
8. If the computer will acquire irreplaceable and valuable data while on the road, the
computer user must notify the IT department so arrangements can be made for a method
to back the data up.
Policy for computers being used by contractors
1. The computer will first be checked for compliance with section 6.01 above.
2. The computer will be scanned for malware and tested to determine whether the computer
has a worm. Any malware on the computer shall be removed if any was detected. Log
information about any malware found.
3. If the computer is in compliance with section 6.01 and contains no malware, the
contractor shall report any sensitive data related to the organization that is expected to be
stored on the computer.
4. Data to be stored on the computer will be evaluated and rated to consider the sensitivity of
the data according to the Data Assessment Process document. Any data stored on the
computer that is considered to be sensitive will be stored only in an encrypted format,
possibly using an Encrypting File System (EFS). The policy must define the encryption
tool to use and how it will be maintained.
5. The ID of the computer shall be recorded and it shall be certified for use on the
organizational network.
6. The computer shall be checked weekly by IT Security department personnel at designated
times when the computer will be entering a secure building area. The check will include a
scan for malware and a test to determine whether the computer has a worm. The state of
stored sensitive data shall also be checked to determine whether it is encrypted and
whether data of too high a level of security is being stored on the computer. Remove any
malware on the computer if any was detected. Log information about any malware found.
Log any information about data that was not stored properly. If the computer is storing
data improperly, the certification of the computer shall be reviewed.
7.0 Protecting the Network
Mobile computers entering the network shall meet the following requirements.
1. If the computer is owned by the organization and used regularly by employees according
to 4.0.2 above, then the computer shall be checked according to that part of the policy.
2. If the computer is owned by the organization and is returning from a period when an
employee used it for travel, the following check shall be performed.
1. Determine whether the anti-virus program is up to date, has the latest virus
definitions, is configured properly, and is running properly. If it fails one of these
conditions or has not been scanned for a virus within the last week, a full virus
scan must be done before the computer can be used in the building.
2. Test the computer and scan for additional malware such as adware or spyware test
to determine whether the computer has a worm.
88. 88
3. Test the state of stored sensitive data to be sure it is encrypted.
4. Remove any malware on the computer if any was detected. Log information about
any malware found. Log any information about data that was not stored properly.
3. If the computer is owned by an outside organization the following must be done.
1. The outside organization must agree in writing to allow a malware scan of their
computer and agree pay any costs if malware is found on their computer.
2. A full virus scan must be done.
3. Test the computer and scan for additional malware such as adware or spyware test
to determine whether the computer has a worm.
4. Remove any malware on the computer if any was detected. Log information about
any malware found. The outside organization may be billed for services depending
on organizational policy.
8.0 Enforcement
Since improper use of mobile computers can bring in hostile software which may destroy the
integrity of network resources and systems and the prevention of these events is critical to the
security of the organization and all individuals, employees that do not adhere to this policy may
be subject to disciplinary action up to and including dismissal.
90. 90
SEH ISD300-PoE Print Server
Item#: YYI1-H01540 | Model#: M03722
Price:
$1,48608
SEH ISD300-PoE Print Server Product Details
The Cost-Effective Spooling Solution with PoE-Technology!
Print job spooling is one of the core tasks in a network. Inefficient spooling by means of traditional servers causes
performance problems, is expensive and requires a lot of administration.
The ISD300-PoE puts an end to this!
The ISD300-PoE Intelligent Spooling Device connects to your network as a specialized network appliance,
effectively spooling and managing all print jobs and handling all print queues - simple, cost-effective and highly
available!
And it offers a large range of application scenarios!
Power-over-Ethernet (PoE) Technology
ISD300-PoE is equipped with Power-over-Ethernet technology.PoE-enabled network devices are powered via the
data cable; eliminating the need for an external power
91. 91
HP LaserJet Enterprise 700 M775f CC523A Multifunction Printer - Color Laser, Up to 600 x 600 dpi, Up to
30 ppm, 1536MB Memory, 320GB HDD, 8.07" Touchscreen, Hi-Speed USB 2.0, Ethernet
Item#: H24-30400 | Model#: CC523A
Price:
$5,44999
HP LaserJet Enterprise 700 Multifunction Printer Product Details
HP LaserJet Enterprise 700 M775f CC523A
Multifunction Printer
The performance-driven industry has finally met its match
with the HP LaserJet Enterprise 700 M775f CC523A
Multifunction Printer. The HP LaserJet Enterprise 700 M775f
CC523A Multifunction Printer is a hardworking
multifunction printer that boasts a stunning A3 color, robust
scanning features, and high volume paper capacity minus the
hefty price tag. Copy, scan, print, and fax with up to 600 x
600 dpi resolution from virtually anywhere using your
smartphone or tablets – thanks to its HP ePrint. With up to 30
ppm print speed,you can definitely enhance your
productivity. This printer's 8.07" Touchscreen makes
navigating the device's features a breeze, as well as displays
the content and settings with an outstanding clarity. Make use
of its Ethernet capability to connect the printer to a wired
network, and further enhance yourworkflow. So if you want
a printer that caters to all of your documenting needs,
purchasing the HP LaserJet Enterprise 700 M775f CC523A
Multifunction Printer is the way to go.
What It Is And Why You Need It:
Multifunction Printer; allows printing, faxing, scanning,and copying high quality documents
8.07" Touchscreen; makes navigating the features a lot easier
Hi-Speed USB 2.0; lets you integrate various USB capable devices
Ethernet; allows easy connection to a wired network
HP ePrint; enables printing from your smartphones or tablets
High-capacity automatic document feeder; keeps large scan and copy jobs moving