GLOBAL FINANCE, INC. (GFI)

Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. The diagram below displays the executive management team ofGFI: Figure 1 GFI Executive Organizational Chart BACKGROUND AND YOUR ROLE You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical andoperational security of GFI's corporate information systems. Shortly after starting in your new position, you recognize numerous challenges that you will be facing in this pursuit. Your primary challenge, as is usually the case, is less technical and more of a political nature. CEO John Thompson has been swept up in the "everything can be solved by outsourcing" movement. He believes that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department. In fact. the CEO's strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and recently presented a proposal to his senior management team outlining his plan to greatly reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of Directors as soon as he has made a few more refinements in his presentation. COO Willy's act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology services combined with a diminishing IT footprint gravely concemed Mike Willy, and he begged to at least bring in an Information Security expert with the experience necessary to evaluate the current security of GFI's infrastructure and systems. The COO's worst nightmare is a situation where the Confidentiality, Integrity, and Availability of GFI's information systems were compromised — bringing the company to its knees — then having to rely on vendors to pull him out of the mess. COO Willy has reasons for worrying. GFI has experienced several cyber-attacks from outsiders over the past a few years: • In 2013, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputation. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. • In 2014, another security attack was carried out by a malicious virus that infected the entire CEO

1. Ever since an article ran in Fortune about GFI, the network engineers report that they've noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. Suggestions on improvements to perimeter security and the methods of identifying the source of intrusions should be presented in your risk assessment. 90 90 Wireless Antennae
2. 2. The interrelationship between data and operations concerns COO Mike Willy. Increasingly, some of the ten (10) remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company's business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. Suggestions on reducing network latency or increasing application response time and availability should be presented in your risk assessment. 3. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the COO is concerned with mobility security and would like you to research best practices for mobile computing. Security within the BOD environment should be presented in your risk assessment.
3. 4. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the COO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. Security within the wireless environment should be presented in your risk assessment.
4. 5. The company plans to offer its products and services online and requested its IT department to designs Cloud Computing based e-commerce platform. However, the COO is particularly concerned over the cloud computing security the customer database is breached.

• From the devices and systems identified in the GFI Corporate Network Topology, conduct a thorough asset inventory assign monetary values to each asset (quantitative), and assign a priority value for each asset (qualitative) that could his assets are most critical for rest oral in the event of a catastrophic event or attack.

• Evaluate the .riveter security, make a list of access points internal and external(remote), identify vulnerabilities and make suggestions for improvements to perimeter and network security.

• Evaluate the remote access infrastructure, identify vulnerabilities and suggest security improvements to mitigate risks to remote access.

• Address the COO' s concern over the mobility security and design a secure mobile computing (smart phones, tablets, laptops, etc.) in terms of authentication technologies and data protection. .

• Identify wireless vulnerabilities and recommend what safeguards, authentication technologies,and network security to protect data should be implemented.

• Evaluate the authentication protocols and methodologies within the wired, wireless. mobility and remote access environments and suggest improvements to secure authentication for GFI.

• Evaluate the web system protocols and vulnerabilities within the Intranet server and suggest secure protocol improvements to improve security for web authentication.

• Design a cloud computing environment for the company with a secure means of data protection at rest, in motion and in process.

• Assess all known vulnerabilities on each asset in this environment and impacts if compromised.

• Using the asset inventory and the assigned values (monetary and priority) conduct a quantitative and qualitative risk assessment of the GFI network.

• Recommend risk mitigation procedures commensurate with the asset values from your asset inventory. Feel free to redesign the corporate infrastructure and use any combination of technologies to harden the authentication processes and network security measures. .

• Provide an Executive Summary.

• You are welcome to ma. assumptions for any unknown facts as long as you support your assumptions.

Sample Solution