Case Study in Information Security: Securing The Enterprise

Case Study in Information Security: Securing The Enterprise (PDF, 2.17MB)
Published: 17 May, 2005
Created by: Roger Benton

This practical is a case study of an insurance company's migration to an enterprise-wide security system. Its intent is to provide a path to follow when creating or migrating to a security system. Initially, a primitive online security system was the only mechanism to control access to corporate data. The exposures were severe: there were no integrity controls outside of the online environment. Anyone with basic programming skills could add, change and/or delete production data. A project plan was developed to identify tasks, assign resources and ensure milestones were met. The scope of the security initiative included creating an inventory of information assets, creating new objects (data within datasets), constructing new groups and granting the appropriate permissions for access to the objects. Training documentation was created to instruct the users how to access the new system, in both interactive and batch modes. Mini boot camps were conducted to train the trainers, who in turn provided mentoring and tutoring for the user community. Additional staff were recruited from other departments to provide user support for the rollout. D-Day arrived and the rollout experienced only minor glitches.