In this phase you will choose either Aircraft Solutions or Quality Web Design as the company you will work with. The scenarios are in Doc Sharing in the Course Project select area. You will then identify potential security weaknesses.

Security weaknesses - You must choose two from the following three areas (hardware, software, and policy - excluding password policies) and identify an item that requires improved security.

To define the asset or policy with sufficient detail to justify your assessment, your assessment must include:

* the vulnerability associated with the asset or policy
* the possible threats against the asset or policy
* the likelihood that the threat will occur (risk)
* the consequences to mission critical business processes should the threat occur
* how the organization's competitive edge will be affected should the threat occur 

To clarify an item that requires improved security, you must identify one of these items:

* one hardware and one software weakness
* one hardware and one policy weakness
* one software and one policy weakness

Other required elements include:

* Cover sheet
* APA-style
* In-text citations and Reference section
* Minimum length 3 pages, maximum length 5 pages (not counting cover sheet, diagram(s), references). Do not exceed the maximum length. 


Company Overview
Quality Web Design (QWD) is an organization that specializes in Web site and Web content design for all types of businesses. QWD's mission is to provide top quality Web design that will increase consumer generated revenue to QWD's customer Web sites. QWD's database contains over 250,000 proprietary images and graphical designs that will enhance most Web site's appeal to a target demographic. 
Business Processes
Quality Web Design has several mission critical business processes. First is the use of the repository of Web site templates, custom written scripts and/or custom applications. This repository is stored in a Microsoft Visual Studio Team Foundation Service (TFS) server. This application is used to monitor the project development lifecycle of custom Visual Studio applications from inception to deployment, including the quality assurance testing phase. Other critical business processes are QWD's accounting, payroll and Marketing operations all of which are supported by IT assets. There are strict technology-based access controls associated with each of these systems to ensure that only authorized personnel cam access tje,. 
Digital Assets 
These are shown in the network diagrams below
WAN
• (2) T1 Frame Relay circuits connected to the Internet.
• ISP controlled Internet routers
• Corporate Firewall Model: Juniper ISG2000 integrated Firewall, VPN, and Intrusion Detection and Prevention system. Remote office firewall is a Juniper SSG140.
• L2TP/IPSec VPN tunnel between the corporate firewall and the office firewall to allow for secure data flow.
Corporate Office 
• Internal LAN switch is an HP 5400zl series with 147 ports with 10/100/1000 GB connectivity.
• (2) HP ProCurve MSM410 Access Point US wireless access points.
• Microsoft TFS code repository consists of 1 Web server, 1 application server, and 1 database code repository.
• Web server includes, Microsoft Share Point portal for department document and Web sites. Corporate intranet site.
• Microsoft SQL 2008 Database server used for storage of custom designed graphics and custom application image control system.
• File and Print server services.
• Microsoft Exchange 2007 email servers, include (2) Client Access (CAS) and Hub Transport (HT) Servers, 1 backend mailbox servers.
• HP Storage Works SAN with 6 TB disk space.
• (2) Microsoft Windows 2008 domain controllers.
• Approximately 50 user computers, 35 laptops and 15 desktops.
• (4) network printers
• (30) Mobile devices, IPhones, and Windows Mobile 6 devices.
Remote Office: 
• HP ProCurve Switch 3500yl-48G0PWR intelligent Edge. This is a 48 10/100/1000 GB port intelligent switch.
• (2) HP ProCurve MSM410 Access Point US wireless access points.
• Microsoft TFS code repository, consists of 1 Web server, 1 application server that connects to the database server in the corporate office through the IPSec tunnel.
• (2) Microsoft Windows 2008 domain controllers.
• File and Print server services.
• Approximately 20 user computers, 15 laptops and 5 desktops.
• (2) Network printers
• (15) Mobile devices consisting of IPhones, and Windows Mobile 6 devices.
Externally Published Services
Corporate and remote offices have the following services that are accessible for employees. From corporate owned computer or mobile device employees can access VPN, Outlook Web Access for email, or Active Sync for Exchange server. On any computer in the world employees can access Outlook Web Access for email. Customers are only allowed to access to the Corporate Web site.
Security Controls
There is a published corporate security manual that covers the following security practices. Username standard including having a separate account for any elevated privileges. Password length, complexity, rotation and history requirements. Data classification levels depend upon what type of data each system contains and security group accounts control access to each data classification level. Security training is also describe and required communications quarterly and annual training classes.