Managing IT Security and Risk

Overview
In this coursework, you will work on a scenario relating to a multinational company with a strong online presence. Initech is a medium sized company employing 1550 staff across their four branches (London, Manchester, Rome and Singapore). They have grown from a British start-up to a globally renowned end-to-end tech platform specialising in taking brands direct to consumers worldwide, through their own technology platform. Food supplements, nutrition and beauty are the domains they focus on. Key information will be supplied upon release of the coursework.
Scenario key information:
A new CSO (VP of Security) has been appointed (that is YOU – you have this role!)
You have to review the information provided relating to the company (e.g. their IT infrastructure, their products, their organisation etc.) and suggest IT Security improvements. You cannot interfere with the business model of the organisation (you cannot ask to change the way they conduct their business, e.g. no more online presence we will move to a paper based system!).
Hint: Think in terms of people, processes, policies, procedures.
Following a few IT security incidents resulting in data loss, GDPR breaches and penalties the decision was made to invest more in their IT security and compliance.
In terms of IT infrastructure, their IT estate includes approximately 50 servers (Centos and Windows), 900 laptops (Windows and MacOS), 600 desktops (Windows, Linux, MacOS) and a number of core infrastructure devices (Cisco routers, Fortigate firewalls and load balancers, Cisco VPN devices and core switches).
Virtualisation is used as well as cloud solutions (Azure and AWS).
VoIP and Cisco phones are used and the network is converged.
A part of the corporate network is still flat and the use of a shared network drive for all staff is in place.
This is used as a common share to store various client data, sometimes confidential.
Employees work often onsite on client projects. Their devices are not always encrypted, and they are allowed to install software on an as needed basis. This helps to reduce IT support involvement and workload.
Email is used widely often also used to transfer various files as needed including quotes and client information.
The joiner’s onboarding process is not standardised as different teams follow their own plan. Joiners learn on the job sometimes shadowing, sometimes through trial and error.
Yearly training is not provided but members of staff are advised to find someone to shadow or to use an online resource such as YouTube to obtain the required software and related skills.
Hierarchy and job title not aways map to access rights as some staff have multiple roles not always matching their job role. Limiting their access to data will add to the workload of the IT support.
Management of the devices has become an issue as it is manual and takes too much time as the there is no MDM in place.
Vulnerability management is not implemented currently.
Security monitoring is not implemented because the systems are not configured for monitoring and there is no SOC support in place.
System patching is performed manually by users – users will receive an email and they will be asked to apply an update – there is not centralised solution in place.
Logging is very basic if not existent and account segregation is not enforced.
There is a team of developers that develop code for the organisation but they do not follow a standardised approach.
Testing and evaluation of new code sometimes takes place on production systems.
The test, development and production environments are not segregated appropriately and there have been instances that the test data made it to the production environment.
Logging is not implemented and there were instances that incident response was needed but there was no logging at all available.
Backups are not performed due to lack of HD space.
Databases do not have roll back functions enabled and there is no logging enabled due to HD space.
Account sharing is used to reduce IT workload.
The IT estate infrastructure is not monitored and a SIEM is not in place.
Physical security lacks and on a number of occasions unauthorised employees and guests accessed restricted areas.
There is a test environment, a development environment and a production environment. Remote working is allowed and users often work remotely. A Web based interface is used that can be accessed across the world instead of a VPN.
Some of the equipment used by Initech can be seen next but this is not a complete list (as a complete list is not available) and additional equipment will be needed to reach alignment to PCI requirements.
Dues to various upgrades to the network over the years a network diagram is not in place. Feel free to produce one if you feel it will help you with your recommendations. If you do decide to produce a network topology diagram consider the different locations, the business requirements and the security requirements etc.

Router Juniper MX204 18.4 6
Virtual servers Windows servers Windows 2016 21
Linux servers Centos 7.7, 7.8 29
VMware Physical host/vCentre VSphere client/vCentre ESXi 6.5 5
VMware Orchestrator VMware Orchestrator 7.3 4
VMware PSC VMware PSC 6.5 4
Workstations/Laptops Microsoft Windows 10 Pro 520
MacOS 10.15.4 400
Storage Array HPE Nimble Storage 5.1.4 4

Task 4
The company recently set as their immediate target to become PCI DSS compliant. Review the PCI DSS 3.2.1 standard requirements (available to download from https://www.pcisecuritystandards.org/document_library/).
Based on the key information provided about Initech, critically discuss the applicable changes they would have to implement if they wanted to be aligned with the PCI DSS (only requirements 1 to 4).
Hint: Often before any changes towards a compliance goal can be made, foundational changes might be requirewd to allow for these changes (e.g. the creation of teams, change of processes, departments or a new or additional IT infrastructure). Please make sure you mention any such foundational changes.
[30 marks]

Task 5
You are tasked to create an asset management procedure and an asset management policy. Your lecturer will provide a relevant word template.
[20 marks] [10 marks]  
Grading Criteria
+70%: An excellent report (complete) answering all questions, demonstrating an excellent understanding of the concepts and with an excellent conclusion.
+60%: A good report (complete), answering all questions, showing some understanding of the concepts and with a good conclusion
+50%: A reasonable report (complete), answering all questions and with a conclusion
+40%: Report mostly complete, most questions answered and showing only a basic understanding of the concepts
+30%: Report incomplete, or demonstrates little or no understanding of the concepts poor conclusions
Marks will be reduced for a report that is not professional, for example not proofread, not formatted accordingly.
The content must be appropriately selected for the task e.g. if a screen capture or reference to a product or service is included this needs to be relevant, focused and the right size, with an appropriate explanation and clearly defined.