SECURITY ASSESMENT REPORT

March 15, 2017

C. Naaykens, Student
Kennebec Valley Community College
Information Systems Security
Confidential and Proprietary Information: Need to Know
 Security Assessment Report
March 15, 2017

Report Prepared by:

Cindy Naaykens, CSI Student
cindy.naaykens@gmail.com
(207) 491-5245

Kennebec Valley Community College

Fairfield, Maine

The information contained within this report is considered

proprietary and confidential. Inappropriate and
unauthorized disclosure of this report or portions of it
could result in significant damage or loss. This report
should be distributed to individuals on a Need-to-Know
basis only. Paper copies should be locked up when not in
use. Electronic copies should be stored offline and
protected appropriately.
 CONTENTS

INTRODUCTION 1
Scope 2
In Scope,2
Out of Scope,2
Acquired Information 3
Physical Security 3
Grounds,3
Buildings,3
Main Entrance ,3
Administrative,3
Other Administrative Buildings;3,4
Manufacturing,4
Other Production Buildings,4
System Assets 4
Mobile Equipment,4
Desktops/Monitors,5
Policies 6
In Place;6,7
Development,7
Training,7
Auditing,7
Enforcement,7
Network Infrastructure 8
Server,8
Switches,8
PC’s,8
Mobile Equipment,8
Network Infrastructure 8
Network Management,8
Authentication,9
Authorization,9
Auditing,9
Prevention;9,10
Detection,10
Recovery,10
ASSESSMENT 11
Physical Security 12
Grounds,12
Buildings,12
Main Entrance ,12
Administrative Wing,12
Other Administrative Buildings,12
Manufacturing;12,13
Other Production Buildings,13
System Assets
Mobile Equipment,13
Desktops/Monitors, 13

Policies 14
In Place;14
Development,14
Training,14
Auditing,14
Enforcement,14
Network Infrastructure 15
Server, 15
Switches, 15
 Network Infrastructure 15
PC’s. 15
Mobile Equipment, 15
Network Management,15
Authentication,16
Authorization,16
Auditing,16
Prevention,16
Detection,16
Recovery,16
Recommendations 17
Physical 17
Grounds/Buildings,17
System Assets ,17
Mobile Equipment,17
Desktops/Monitors,18
Policies 18
In Place;
Development,
Training,
Network Infrastructure 18
Introduction
This security assessment has been prepared by an Information Systems Security student
at Kennebec Valley Community College. Information Systems Security is a required class in the
Computer Systems Integration degree program. The assessment is based on information that was
collected through correspondence, observation, and one two-hour meeting. The information was
provided to the student to assist with completing the requirements of the course. As a walk
through was not done, previous employment at this site provided information on the
manufacturing area. Substantial changes have occurred within the facility since December 2015
and this information may be incorrect or no longer relevant. The goal of this assessment is to
assist the student while providing the company with the opportunity to have an outside
perspective on their operations without compromising the company. The company will receive a
copy of the report to review prior to it being submitted to the school. The company will also
receive recommendations that bring to their attention any potential security issues that may have
been overlooked. For security reasons, the company will remain anonymous and findings will be
kept confidential. Any information that is inaccurate or confidential will be corrected or deleted
prior to the report being submitted to the school for a final grade.
The manufacturing facility that was assessed is part of a large corporation. Directly
employing approximately 300 people, in addition to outside contractors and vendors. There is a
wide range of equipment connected to both the internal facilities network and the corporate
network. This network has many different platforms that are used by employees, contractors, and
vendors. Some business is conducted on the network with outside contractors. This business
requires the transmission of sensitive data to outside facilities. For this assessment laptop
computers were not directly assessed. It was assumed that they would follow the same
guidelines as desktops and mobile phone access.
The goal of this assessment is to present a topical view of the manufacturing facilities
network security, in addition to giving a student the opportunity to begin developing the skills
necessary within the IT field.

Page | 1
Scope
In Scope
The following activities are within the scope of this project:
 Interview with IT Manager and IT Analysis.
 Written questions in relationship to analysis focus.
 E-mail correspondence with contact person.
 An assessment/recommendation for each area that was addressed.
 Observation
 Previous employment experience at facility

Out of Scope
The following activities are NOT part of this security analysis:
 A series of Network Scans to assess the system.
 Penetration testing of systems, networks, or buildings.
 Social Engineering to acquire sensitive information from staff members.
 Testing of Disaster Recovery Plans, Business Continuity Plans, or Emergency
Response Plans.
 Detailed information: number of users, platforms used, number of servers.

Page | 2
 Acquired Information

Physical Security
Grounds
 The perimeter of the facility is surrounded by fence
 Entrance points are gated and have posted security guards
 External areas are monitored by cameras
 Volume of monitors, monitoring procedure, and storage of camera recordings is
unknown
 Foot traffic is limited to designated areas
 Separate turnstile with proximity swipe card entrance for contractor foot traffic
 Rail Road runs through facility grounds

Buildings
Main Entrance
 Monitored by cameras
 Entry to area does not require additional authorization
 Additional entries open to outside grounds areas
 Open computer lab – no authorization required for entry
 Access to manufacturing area and other areas from this point

Administrative
 Locked door requiring badge for entry
 Lobby area within wing
 Emergency Exits
 Door separating IT Department – no badge required
 No badge swipe for exiting area

Other Administrative Buildings

 Perimeter is fenced

Page | 3
  Entries unmanned
 Computer lab open and unmonitored
 Entry into wing requires employee badge swipe

Manufacturing Facility
 Multiple entry points
o No additional requirement for entry
o No monitoring of entry
o Network racks are secured in locked units/areas

Other Production Buildings

 No authorization required for entry
 Monitoring information not available

System Assets
Mobile Equipment
 Phones
o No virus protection
o Token verification
o Remote wipe ability
o Unknown policy/procedure for issuing and tracking equipment

 Scanners
o Used within manufacturing
o Secured on mobile equipment
o Policies/Standards not known
o Unknown policy/procedure for inventory /location of equipment
o Unknown if secured in stationary areas

Page | 4
Desktops/monitors
 Not secured to locations
o Some monitors are mounted to wall within lab area and control rooms

 Generic sign on and password in manufacturing

 Continuously on
 Unknown inventory tracking process/procedure

Page | 5
Policies
In Place
 Employees Information Security Policy
o Acceptable Use Standard
 all employees tested annually
o User ID and Password Standard
 90-day duration
 8 characters including capital letter, number, and special character
 IT Security Policy
o Access Control Standard
 Least Privileged
o Application Source Code Standard
o Change Management Standard
o Data Center Security Standard
 Control access to switches and server
o Data Integrity Standard
 Transmission of sensitive data

 Encryption
o Logging and Log Review Standard
 Administrative Account
o Network Security Standard
 Securing Firewall
o Platform Security Standard
 Patches and updates
o Procurement of IT Resources Standard
 All purchasing of network resources goes through IT
o Secure Operations Standard

Page | 6
  Physical and Network
o User ID and Password Standard
 Duration, Length, Requirements
 Mobile Device Policy
 IT Security Policy
 Employee Information Security Policy
o Acceptable Use Standard
o User ID and Password Standard
Development
 Receives policies from corporate headquarters
 Some input from the locations
 Policies mandate what must be done
 Standards tell how to comply with policy
 The Corporate Security Officer is responsible for reviewing the policies on a
regular basis

Training
 Required of every employee annually
 Minimum score of 85% necessary
 Group policies are pushed out to mobile devices
 Administered via an on-line training application

Auditing
 Managers monitor employee training progress

Enforcement
 Every employee is responsible for compliance
 Training provides employees with how to report incidents
 Work prohibited if employee does not complete required training in a reasonable
time

Page | 7
Network Infrastructure
Server
 Placement - low traffic area
 Entry with proximity badge swipe card
 Bullet proof glass on exterior of room
 Elephant barrier outside the building
 Room monitored for temperature, humidity, and water
 Outward facing servers controlled by corporate

Switches
 Placed in protected areas
 Monitored
 Password protected

PC’s
 IT’s set to automatically log off after 5 minutes of inactivity
 All connected
 Virus protected
 Monthly patches
 Daily virus scans

Mobile Equipment
 Mounted to vehicles such as fork and clamp trucks
 Phones are company owned

Network Management
 Quarterly vulnerability scanning of critical servers
 Managed with Active Directory
 Outward facing servers managed by Corporate
 Applications managed by owners
 Obsolete software segregated

Page | 8
Authentication
 Password based
 VPN is token based
 PIN number required for access on mobile devices

Authorization
 Denied by default
 Provided at multiple levels to provide redundancy and resiliency
 Role based were available
 Access permissions can only be enabled, disabled, or changed by authorized
personnel
 Principle of Least Privileged used for access
 IT manager approves or denies authorization of access
 Applications are managed by owners
 IT verifies access does not create a segregation of duties issue
 Changes of access must go through a formal process
 The process for granting access to Controlled Systems musts be documented
 Users are set up with the same access as employee who previously held a position
 User access list must be maintained and periodically reviewed

Auditing
 Outside auditing
 Publicly traded company with Federal auditing guidelines

Prevention
 Monthly security patches

 Cryptographic checksums
 Cyclical redundancy checks
 Simple checksums

Page | 9
  VPN’s in place
 Filters and firewalls installed
 Virus protected
 Weekly virus scans
 Obsolete software is segregated from the network
 Vendors software only run on standard platform
 Data signing techniques used during storage and/or transmission
 Data reconciliation controls between connected systems
 All purchasing of system equipment goes through IT

Detection
 IDS and IPS in place

 3rd party monitoring

 Pings on switches
 System notifications set up for large data draws and/or pc failures

Recovery
 Backups stored both on and off site
 Backups are monitored

Page | 10
 Assessment
In today’s world of the internet and technology data security should be a company’s top
priority. Due to the sophistication of attacks, the proliferation of attack software, and the scale
and velocity of attacks system security is continuously changing and becoming more
complicated. One attack has the potential to destroy a business. As the State of Maine has
recently experienced, having a third party manage your data does not always provide the security
a company would hope for. The most recent incident that occurred involving the CIA and FBI’s
data should reiterate the importance of continually assessing how you protect your data.
This assessment is designed to heighten your awareness about security within your
company. It is not designed to be a lengthy in-depth system or corporate assessment but a
general overview of your facility and its first line of defense. Each area that has been covered
will receive one of four ratings above average, average, needs improvement, or undetermined
due to insufficient information. Following the assessment recommendations broken down by
area will be provided for you. These recommendations are intended to give you a place to pause
and give specific areas a more in depth review.

Page | 11
Physical Security
Grounds
One of the easiest ways to compromise a system is to gain access to it. The facility has
utilized many different security measures to prohibit unauthorized entry onto the grounds. These
measures create a large determent for criminals.
Overall the physical security of the grounds is average. There is a fence surrounding the
premises with the entry points being monitored. This facility projects the image of being very
secure, which will deter random malicious activity. There are several items I feel warrant being
looked at more extensively and are included in my recommendations.

Buildings
Once entry to the grounds is obtained the buildings’ security is your networks next line
of defense. An individual can do extensive damage to a network within a short amount of time,
all that is needed is to have access to one unattended, logged in terminal, or a username and
password.

Main Entrance
The main entrance is monitored by cameras but no additional security checks are
required. This area is rated as needs improvement. This is an area of high traffic that connects
the administrative and production areas, the hub of the business. This area provides unrestricted
access to outside areas in addition to parts of the manufacturing process and the manufacturing
area. A computer lab within this area is open and unattended.

Administrative Wing
To gain entrance into this area the swipe of a proximity badge is required. The additional
verification puts this area into the average to above average rating. This is also a high traffic
area that has several hallways. Included in this area is an unmanned lobby. Entry into the IT area
from this point is made through a glass door that has no additional security measures. It is
unknow if contractor badges allow entry into the administrative wing.

Other Administrative Buildings

These buildings also require a proximity badge for entry. It is unknow if this area is
monitored with security cameras or if a contractor’s proximity badge has entry privileges. These
areas are rated average.

Manufacturing
Due to the nature of this business most entries into the manufacturing and production
areas are open. No additional verification is needed after gaining access to the grounds.

Page | 12
Information on monitoring of the entries is not available. Many of these entry points are away
from the workforce, in remote areas. This area is rated as needs improvement.

Other Production Buildings

To the best of my knowledge, no verification is required for entry into these areas. No
logs are kept to monitoring individuals entering or exiting. Security cameras are not visible in
these areas. Again, many of these entry points are in remote areas away from the workforce.
Individuals can travel without intervention. This area is also rated as needs improvement.

System Assets
Mobile Equipment
Mobile equipment such as phones appear to have their data well protected, but it is not
known what the policy entails for issuing and inventorying the equipment. Information is not
available on scanning equipment that is mounted to mobile units, therefor the rating in this area
is undetermined.

Desktops/Monitors
Desktops are not secured to locations but some monitors are. The process of monitoring
the location of the equipment is unknown. This area rates as needs improvement.

Page | 13
Policies
Policies are the foundation of a secure system. A policy that is effective will not be static
but constantly evolving with your system. Employees will be active participants in developing
the policies and trained on the policies. Policies should be a part of everyday business and taken
seriously. Development, implementation, training, auditing, and enforcement are important parts
in securing a network.

In Place
This company has taken policies one step further and issues procedures that explain how
to comply with a policy. An above average rating is placed on policies. The combination of
policies and procedures should clarify any questions. As these policies were not reviewed, but
the information contained in the policies, gathered by interview the clarity of the content could
not be verified. IT Security Policies will be considered more thoroughly within the Network
Management area of Network Infrastructure.

Development
The development of policies is handled by your corporate office and has included input
recently from this individual facility. Involvement by effected parties is an important part to
developing good policies. Processes and procedures can vary and policies should reflect these
variations. In a constantly changing area such as IT, continuous review and updating of policies
is a necessity. Your policies are required to be reviewed on a regular basis. Average is the rating
that is placed on the development of policies. This will be discussed further within the
recommendations.

Training
The best possible policy cannot compensate for training. Policies are put in place to
protect both the company and the employee. An employee who is well trained on an employer’s
policies will strengthen a company’s security. Many companies fail to realize the impact training
has on their policies. Requiring training on a yearly basis is standard for most companies. The
yearly computer based training you have set for employee training are average.

Auditing
Auditing of your employee’s policy training by their manager in addition to the auditing
required by our government can be considered average for a business within your sector.

Enforcement
Enforcement of your employee training is average to above average. Every employee is
expected to complete the training and denied work if the training is not completed. How the
policies other than the training are enforced is unclear and undetermined.

Page | 14
Network Infrastructure
A networks infrastructure consists of the hardware, software and other resources that
enable network connectivity, communication, operation and management. Security is defendant
upon these factors.

Server
Access to a server can lead to a network being compromised. Protecting your server
from unauthorized access has been well planned. Many different layers of protection have been
utilized to prevent the server unauthorized access. These protections of the physical and software
nature. An above average rating is given for server security.

Switches
Switches receive an above average rating due to the assurance that they are in protected
areas and are monitored.

PC’s
PC’s are protected with the necessary anti-virus software and scans are run on a regular
basis, patches are performed monthly. IT’s pcs are set up to log off with inactivity for 5 minutes.
Within the administrative area your rating is average. Areas to consider for improvement are
within manufacturing and listed in the recommendations.

Mobile Equipment
Mobile Equipment can include many different items. This facility’s mobile equipment
consists of devices attached to clamp trucks, lap top computers, and mobile phones. During the
fact finding meeting mobile phones policies and standards were discussed but other mobile
equipment was not. You do have a mobile equipment policy and security measures. Security
measures include remote data erase, token, pin number verification, and no use of personal
phones for company business giving you an average to above average rating on the phones. It
was not determined what additional equipment is covered in the mobile equipment policy or
what protection is provide for additional mobile equipment therefore the rating for these items is
undetermined.

Network Management
Network management is composed of the implementation of policies, procedures, and
software that is used to secure your network. The information gathered indicated that changes
have been recently made in relationship to network security and management. Policies are in
place to guide IT in the management of your system. Active Directory is your source to manage
the network. Scans are done on a regular basis of critical servers. Obsolete software has been

Page | 15
segregated, and owners manage their applications. Overall your facility has an average to above
average rating. Being proactive is vital to a networks security.

Authentication
The purpose of user authentication is to protect your company and its information from
unauthorized access to your information. One authentication method is used within your facility,
user name and password. Outside access is token and pin based. Internally manufacturing pcs
access the network with a generic sign on and password. Manufacturing environments are
historically insecure A single authentication method with minimum strength requirements will
place you within the needs improvement rating. .

Authorization
In place is a complex set of policies and procedures that enable your IT department to
effectively issue authorizations. Authorization is not determined by a single individual nor does
a single individual have sole authority for these reasons you are above average.

Auditing
Auditing is conducted by an outside entity; the guidelines are mandated by your company
structure and are considered average within this industry.

Prevention
There are many security layers in place at this location to prevent a security breech.
These preventive measures range from physical security of the grounds, buildings, and assets to
active virus protection with scans to the filters and firewalls that are in place. Recently IPS and
IDS has been implemented to assist with prevention. Your rating in this area is average to
above average.

Detection
Third party monitoring, IDS, IPS, pinged switches, and notification set up for large data
draws qualifies your facility as above average for detection.

Recovery
Recovery is critical to the mitigation of damages should you lose your network for any
reason. Backups are stored both on and off site, and monitored. The combination of these three
factors without specific information on recovery policies and standards puts you as average for a
facility in your industry.

Page | 16
 Recommendations

Physical Security
Grounds / Buildings
Your performance in the physical security area overall is average. There are several
places that I would consider improving upon. Manufacturing can be an area that is difficult to
secure because of the traffic required to keep the process running smoothly. The places I would
question if improvements can be made without adversely affecting the process are:
1. Dedicate the task of viewing security monitors to one individual. This task
warrants undivided attention to be proficient. It was observed that the security
individual responsible for viewing the monitors was responsible for several other
duties. These duties distract from what is being picked up on your security
cameras.
2. Installing doors in the main entrance that require proximity badges set up by
job for entry into different areas.
3. Monitor the railroad area. This could include gates across the railroad tracks
that could be opened remotely when necessary.
4. Install a tracking system on RFID badges for visitors, contractor, and vendors.
5. Secure computer labs. Doors with access systems should be considered for
these areas. Logs should also be kept for these resource areas.

The reduction of individuals having the ability to be in unauthorized areas without

detection or documentation could deter malicious activity.

System Assets
Mobile Equipment
1. Install virus protection on mobile phones.
2. Develop and implement a policy specific to devices used in
manufacturing that connect to the network. This policy would include
disabling access for equipment that is mounted to clamp trucks when the

Page | 17
 equipment is removed from service and removal of IT assets when
equipment is taken out of service.

Desktops/Monitors
1. Securing desktops to assigned locations – lock them down or together.
2. Reduce easy hard drive access – lock covers on units
3. Disable UPB ports.

Policies
The facilities performance is average to above average in relationship to policies.
These policies and the value that is placed on them by the employer and the employee
determine their effectiveness. Relating the content of these policies to employees’
personal lives enables an employer to engage more of their work force. I would like to
recommend consideration in the following areas:

Development
1. Include employees in the development of future policies
2. Review policies on a more frequent basis.
3. Set requirements above minimums – increase complexity of passwords
and frequency of change

Training
1. Increase the frequency of training.
2. Include mandatory group or department discussions as part of annual
training.

Network Infrastructure
The security information that was covered pertaining to your facility ranked
average to above average. Of the information covered there were not any blatant issues.
The following topics were not presented but I feel warrant review.
1. The storage of obsolete equipment or the policy of clearing data from
equipment that is no longer in service.

Page | 18
2. Developing a policy that requires authorizations to be reviewed prior to setting
up a new user on the network. With the structure of the jobs changing so
frequently within your facility is it safe to give authorization based on the
previous employee’s authorization? Review of priorities by a manager prior to the
access being authorized seems reasonable.
3. Printers and copiers can store information. Confidential employee information
could be in the memory of these devices. Consider having IT review equipment
prior to removal for stored information. Clear all information before equipment
leaves the premises.
4. Do you use hashing within your facility?
5. Review manufacturing’s open user id and passwords for network use.
Implementing user ID and passwords by area and crew would demonstrate the
importance of ids and passwords while proving another tool to track any issues.

Page | 19