
Running head: UMBRELLA CORP SECURITY POLICY

Umbrella Corp Security Policy


Patrick F Bigler
CMIT320

At the time of writing, the Umbrella Corporation has some fairly glaring security issues that
need to be addressed. Threats to information technology security have been growing in recent
years and will continue to grow. Currently there is no dedicated staff to handle security
concerns and address threats and breaches to our network; these tasks are done by desktop
support specialists. Adding dedicated staff to handle security concerns will greatly increase
our organization's network security. We will be able to specifically seek out trained and
educated personnel who specialize in various types of security needs.
Current Situation
As stated above, we are lacking in specialized support for our organization. We have three
main technical areas that need to be addressed as soon as possible: disaster recovery, group
policy object management, and network/infrastructure security. Apart from these three areas,
most of our infrastructure is fairly secure. We have a good physical security policy and have
excellent tracking of employees while inside the facility.
Disaster Recovery
The disaster recovery capability is currently in an abysmal state. Umbrella Corp has one
dedicated file server, which is located with all other servers we maintain. It has 6 SCSI hard
drives but no RAID is configured, so there is no redundancy. My recommendation is to convert to
RAID5, which will allow both a performance increase and redundant data storage in the event of
a drive failure. We currently have more than enough hard drive space to accommodate this
transition. I also recommend we procure a tape drive backup system, and that we do so before
transitioning the file server to RAID5. Differential backups should be performed once every
weekday at midnight, and a full backup will be performed on Saturday at 4AM while all employees
are gone. These backups will be written to tape every day and stored in the financial office
with customer data during the week; every Monday the tapes from the previous week will be
delivered to the company-rented safety deposit box at the local bank across town, to reduce the
possibility of a fire or other disaster destroying all data. The people who currently maintain
the file server will be in charge of performing the backups, the mail team will be responsible
for delivering the tapes to the financial offices, and the current Chief Financial Officer (CFO)
will deliver the tapes to the bank on Mondays, as the CFO is the only person allowed to hold the
safety deposit box key.
Group Policy Objects
We need immediate modification to the organization's Group Policy Object (GPO). Many of the
settings are acceptable, but we need to make modifications to our workstation policies. I
recommend the following changes inside the Account Policy section of the GPO, which contains
both the Password Policy and the Account Lockout Policy groups.
Policy                                        Current Setting             New Setting
Enforce password history                      0 passwords remembered      12 passwords remembered
Maximum password age                          120 days                    45 days
Minimum password age                          0 days                      14 days
Minimum password length                       4 characters                10 characters
Password must meet complexity requirements    Disabled                    Enabled
Account lockout duration                      1 Minute                    60 Minutes
Account lockout threshold                     0 invalid login attempts    4 invalid login attempts
Reset account lockout counter after           0 Minutes                   240 Minutes


The changes recommended to our GPO will help ensure users are more mindful about their
passwords. As things stand, there is nothing that would stop an attacker from attempting to
brute-force our passwords remotely.
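An added example, not part of the original paper: a Python check that compares a secedit security-template export against the New Setting values in the table above and applies the Windows rule that the lockout counter reset time may not exceed the lockout duration. The sample export is constructed to mirror the Current Setting column; the key names are the ones secedit writes in its [System Access] section.

```python
import configparser

# "New Setting" column of the table above, keyed by secedit [System Access]
# names. Ages are in days, lockout times in minutes, PasswordComplexity 1 = Enabled.
TARGET = {
    "PasswordHistorySize": 12, "MaximumPasswordAge": 45,
    "MinimumPasswordAge": 14, "MinimumPasswordLength": 10,
    "PasswordComplexity": 1, "LockoutDuration": 60,
    "LockoutBadCount": 4, "ResetLockoutCount": 240,
}

# Constructed sample mirroring the "Current Setting" column; a real file
# comes from: secedit /export /cfg policy.inf /areas SECURITYPOLICY
SAMPLE_EXPORT = """\
[System Access]
PasswordHistorySize = 0
MaximumPasswordAge = 120
MinimumPasswordAge = 0
MinimumPasswordLength = 4
PasswordComplexity = 0
LockoutDuration = 1
LockoutBadCount = 0
ResetLockoutCount = 0
"""

def load_settings(inf_text):
    """Return the integer-valued [System Access] settings from an export."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the case of the key names
    parser.read_string(inf_text)
    return {k: int(v) for k, v in parser["System Access"].items()
            if v.strip().lstrip("-").isdigit()}

def drift(settings, target=TARGET):
    """Map each setting that differs from the target to (found, wanted)."""
    return {k: (settings.get(k), want) for k, want in target.items()
            if settings.get(k) != want}

def lockout_conflicts(s):
    """Flag lockout values Windows treats as disabled or inconsistent."""
    if s.get("LockoutBadCount", 0) == 0:
        return ["lockout disabled: threshold is 0"]
    if s.get("ResetLockoutCount", 0) > s.get("LockoutDuration", 0) > 0:
        return ["reset counter window exceeds lockout duration"]
    return []

if __name__ == "__main__":
    current = load_settings(SAMPLE_EXPORT)
    print(drift(current), lockout_conflicts(current), lockout_conflicts(TARGET))
```

Run against the New Setting values themselves, the second check reports the 240-minute reset window against the 60-minute lockout duration. Windows requires the reset time to be less than or equal to the lockout duration, so that pair needs reconciling when the policy is entered.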
Network/Infrastructure Security
Our firewall has not been reconfigured since it was originally installed and is overdue for
some dedicated attention. We currently have 9 servers which reside in the Demilitarized Zone
(DMZ) and are very vulnerable to outside attacks. I propose we move the servers into a separate
private network using 192.168.111.0/24. I then propose we configure static NAT entries for each
of the services that requires access from outside, specifically HTTP (80), HTTPS (443),
FTP (20), SSH (22), SMTP (25), IMAP [TLS/SSL] (993), and Cisco VPN (4500). All other
applications can be added as the need arises. A survey was done in October of 2013 and these
were the only services being used legitimately. Aside from the proposed firewall changes, we
also need to make two hardware swaps. Currently there are four hubs in use, two in the human
resources office and two in the research and development office. Using hubs both increases the
risk that users might sniff network traffic and obtain sensitive information and degrades the
available bandwidth through increased collisions and unneeded broadcasting of traffic.
Conclusion
In summary, if we do not make the recommended changes to our infrastructure and security
policy, it is simply a matter of time before we have a catastrophe that we cannot recover from.
The fact that we have several terabytes of data and have not had a hard drive failure yet is
simply miraculous luck and will not hold out forever. The changes to our GPO help reduce the
possibility of our user accounts being compromised, which will lead to greater organizational
security. Last but not least, we have several vital servers that are accessible from the
internet without any restraints on the type of services outside users are able to access. The
major concern is that outside users could reach customer information and compromise it by
accessing the database ports directly from the outside. All of these changes fit together to
create a more secure environment for the company and ensure our ability to grow in the future
as security becomes an even bigger focus for today's industry leaders.
