Need help on another info system question

Discussion in 'General Off-Topic Chat' started by notrustinsasuke, Apr 10, 2014.

  1. notrustinsasuke

    notrustinsasuke Advanced Member

    Jul 12, 2013
    United States
    A small research company in Pittsburgh is working to develop a new method of mass storage to replace current hard drive technology. Four engineers and an office manager work there. The engineers are highly skilled professionals, and the office manager is a capable computer user. The company has an always-on Internet connection because employees must conduct research frequently. The employees have hopes of making a breakthrough and bringing the company public within the next two years. You have been hired as a security consultant to assess the company’s needs. Write a paper recommending what type of security policy should be used (open, moderately restrictive, or highly restrictive) and what security technologies should be used. On what areas should the security policy focus (physical security, data security, auditing, passwords, and so forth), and what technologies should be used to secure these areas?

What do you guys think should be used?
  2. FAST6191

    FAST6191 Techromancer

    Reporter
    Nov 21, 2005
    United Kingdom
    You get some very odd questions. It would depend entirely upon the requirements of the people and situation on the ground.

    For instance, do they require remote access? That would change a lot of how I play it out. Is there expected to be any staff turnover? I guess not, and it is small enough to not matter as far as new users. However, some aspect of rogue staff might need to be catered for (dump the database and run; also, what about the camera in a phone?).
    Am I a continuous security consultant or am I expected to deliver something of a turnkey solution?
    What is my budget?
    Do you have any idea of the potential attackers?
    Do they already have intellectual property protection in place? If I already have a patent on a method and I am just bringing it up for manufacture then it is a different ball game.

    Obviously existing research and new research would need to be protected.

    Would I need to protect the internet searches? A list of patent searches and searches for articles on say vertical magnetic domains means an awful lot to me. On the other hand it is not something I would go completely overboard trying to protect.
    Are you also responsible for printouts? I dive in the bin and find listings of results for Fe3O4 doped with various percentages of Te or something and my company now does not have to find the best ratio through expensive trial and error.

    What about backups? For the most part I would be far more concerned with those, though they also present a security issue -- a nice offsite backup can also mean someone wanders out with a nice unencrypted USB drive to stick in their malware infested home machine.

    At the very least I would stick R&D on a separate network from management, possibly having another for internet research. Given my own way I would consider having an internet free entirely separate physical network for the results and monitoring*.
    *Naturally you could wire in an SNMP trap or something so they could monitor experiments at the weekend, though if you are going to leave nice juicy ports free I would blacklist the MACs of those machines in the other, internet-facing network.

    USB drives are an issue. I have been known to glue-fill the USB ports. If we are going crazy, then FireWire has presented a few issues over the years (it kind of has full memory bus access, after all).

    What value of machines are they playing with? Science/engineering, especially where electronics, materials, physics and chemistry collide, is not a cheap game. See also things like fabless semiconductor companies.

    Related to the above, am I also sorting insurance out for them, or worse, am I working with their existing insurance?

    Again it is a really vague question and I would need to know so much more.
  3. Foxi4

    Foxi4 On the hunt...

    Global Moderator
    Sep 13, 2009
    Gaming Grotto
    This is a weird question indeed; I have no idea what to suggest. WPA2-Enterprise as the wireless protocol so that users can only log in using their lengthy company logins and even longer passwords, plus added certificates to make logging on as painful as humanly possible? Restricting the use of portable drives? Encrypting hard drives? Metal detectors at all exits so that nobody nicks the ultra-secretive prototype? :rofl2:
