Lethe Tech Solutions, 1

ElectroMyCycle
Design Scenario
Assignment 8
18 December, 2016

This Report Was Prepared by:


Lethe Tech Solutions
Marie Whiting
System Administrator and Security Analyst

This report was created for educational purposes and is entirely fictional. These systems have
been created and maintained by this team. All information in this document is confidential and
may not be disclosed to unauthorized persons.

Table of Contents
Executive Summary
Document Properties
Version Control
Design Scenario Assignment 8
1. What are ElectroMyCycle's most important assets that must be protected with security
mechanisms?
2. What are the biggest security risks that ElectroMyCycle faces?
3. Design a high-level security policy for ElectroMyCycle
   Introduction
   Purpose
   Scope
   Roles and Responsibilities
   Sanctions and Violations
   Revisions and Updating Schedule
   Contact Information
   Definitions/Glossary
   Acronyms
4. Describe how you will achieve buy-in from the major stakeholders for your security policy.
References

Executive Summary:
Previous assignments and documents have addressed creating a network design for
ElectroMyCycle. The current document will address four essential questions in taking further
steps to design a security solution for this company. These questions include the following:
1. What are ElectroMyCycle's most important assets that must be protected with security
mechanisms?
2. What are the biggest security risks that ElectroMyCycle faces?
3. What would designing a high-level security policy for ElectroMyCycle include?
4. How will you achieve buy-in from the major stakeholders for your security policy?

Document Properties:
Name: ElectroMyCycle Design Scenario
Classification: Confidential
Version: 1.1
Authors: Marie Whiting
Reviewed By:
Approved By:
Date Approved:

Version Control:
Version: 1.0
Date: 18 December, 2016
Authors: Marie Whiting
Description: First Draft

Design Scenario Assignment 8


You are a network consultant who has been asked to attend an initial meeting with the
executive management team of ElectroMyCycle, LLC. ElectroMyCycle manufactures
motorcycles. Its new electric motorcycle was just picked up by a large retail chain.
ElectroMyCycle is upgrading its manufacturing capacity and hiring new employees.
Recently, ElectroMyCycle employees have started saying, "The Internet is slow." They are
also experiencing problems sending email, accessing web-based applications, and printing. In the
past, when the company was small, it didn't have these problems. The operations manager
outsourced computer services to a local business called Network Rogues, which installed new
workstations and servers as needed, provided desktop support, and managed the switches, router,
and firewall. ElectroMyCycle is now considering bringing computer services in-house and is
wondering how its network should evolve as it increases production of its electric motorcycle.
In previous chapters you have been asked to do some design work for ElectroMyCycle.
Throughout this process you have kept security requirements in mind, of course, but now the
time has come to focus on security.
1. What are ElectroMyCycle's most important assets that must be protected with security
mechanisms?
2. What are the biggest security risks that ElectroMyCycle faces?
3. Design a high-level security policy for ElectroMyCycle.
4. Describe how you will achieve buy-in from the major stakeholders for your security policy.

1. What are ElectroMyCycle's most important assets that must be protected with security mechanisms?

ElectroMyCycle's most important assets include the main building and three satellite
locations, which should be secured. In addition, security should be carefully analyzed at the
data center, which contains a catalog of company information including employees, customers,
and orders. This center should be a high priority for security mechanisms. Second, each
employee has a computer that also contains vital information. Known precautions should be
written into the policy and reviewed with the employees to ensure compliance with the security
measures that protect this data. Each end user should also have access only to the essential
information needed for their assigned job.

2. What are the biggest security risks that ElectroMyCycle faces?
One of the security risks for the company is client data being distributed. This is why it is
important for security measures to be designed and implemented in all aspects of the company,
from the data center to the end users' computers. The data center should be a protected place
with only authorized personnel allowed to enter and use the system at that location. Physical
security measures should be enacted to keep out unauthorized people and employees who are not
on duty. This will also ensure that the physical devices are protected from ill intentions. Data
should also be backed up at a secure location, with security measures funded and authorized to
protect the backup. This protection should also cover damage from natural disasters such as
floods, earthquakes, and storms, for both the devices in the primary data building and the
backup system used. The end users should be aware of the security policies, with additional
protection installed at their workstations. These security policies should include password
requirements and protection against unauthorized users physically attempting to access the
network. In addition, each user should be assigned user privileges relative to their assigned
duties.

3. Design a high-level security policy for ElectroMyCycle
Since the security policy is the foundation of the network security system, careful
attention to this document will pay high dividends. Time taken to develop these guidelines
will pay off in the end. Some basics that should be included in the security policy are as
follows.
Introduction -- This component should introduce the company's name for
the security policy and any general information that employees should be aware of
including other security documents.
Purpose -- It is always helpful for employees to understand why a certain
procedure or rule is being created and enforced. This section will provide the staff with
an understanding of the reason, the policy, and any legal references.
Scope -- The stakeholders who fall under the jurisdiction of the policy should be
named here. The company hierarchy and infrastructure can also be explained.
Roles and Responsibilities -- This section would be best used by
breaking down different job roles into separate paragraphs with the accompanying
security expectations for these positions. This section will also include
subsections addressing email and Internet use, personal use, user identification on the
system and accountability, authentication procedures, and incident or intrusion detection
and responses.
Sanctions and Violations -- Procedures for reporting violations or
departments/personnel that should be contacted with questions should be listed here.
Also, this section should clearly state consequences for various violations including the
disciplinary process from verbal or written warning up to and including dismissal.
Revisions and Updating Schedule -- Employees need to be aware that
the security policy is a living document. As such, suggestions and concerns should be
encouraged. This section would list those procedures, including the person or department
to whom these suggestions should be addressed, as well as how often the security policy is
updated. Also, if a committee is formed yearly, the procedures for employees to become
part of that group should be clearly stated. Finally, where employees may access the
most current security policy, as a hard copy and/or an electronic copy, should be noted.
Contact Information -- Even if noted in an earlier section, concise
information on whom to contact and the preferred means of contact should be
given in this section.
Definitions/Glossary -- To provide clarity, all vocabulary or department
names that may be unclear to the reader or to a new employee should be explained in this
section.
Acronyms -- If the company uses a lot of acronyms, spelling them out in this
section will provide the employees and other stakeholders with a quick reference for
needed clarification.

(Information Security Policy -- A Development guide for Large and Small companies, 2007)

4. Describe how you will achieve buy-in from the major stakeholders for your security policy.
Major stakeholders whose buy-in is needed include company employees, vendors, customers,
and any other party associated with the business. If staff members feel that they have had a
part in creating effective security policies and a plan for implementing the procedures, they
are more likely to adhere to them. Outlining the possible security issues will give employees a
starting place for submitting suggestions toward a solid security foundation. Include all
employees, not just select groups. Devise a procedure for employees to share this information.
A combination of company meetings and suggestion boxes (or emails) would more likely involve
all staff, even those who are hesitant to speak up in larger groups. The suggestions should be
acknowledged, and further questions or clarifications asked if needed.
Vendors and customers, as well as other interested parties, need to know that their
investment and personal information are safe. Gathering comments and concerns from this group
and making sure they know that the input is appreciated and will be addressed will go a
long way in building trust in these essential relationships. In addition to advertising and
recruiting new customers, word of mouth about the reliability of the network system and its
secure status will go far in reassuring new clientele and continuing to build trusted
relationships.

References

Information Security Policy -- A Development guide for Large and Small companies. (2007).
SANS Institute. InfoS.