A large English pharmaceutical company asked me for a consultancy on how to manage security within and outside its premises. The company faces several IT, data and physical threats, such as environmental threats, internal threats and infrastructure threats. This document covers how to manage the security policy for the smartphone the company has decided to adopt, the iPhone 4, and how, in terms of security, the latest version of this device can be used within the company. It also identifies and discusses how to prevent incidents within the premises: in the past, incidents took place across the company's departments and went unnoticed and unpunished. Finally, it shows how to manage physical and data security according to the Information Security Standard ISO27001, highlighting how espionage may take place and how to prevent it.
A pharmaceutical company in the Midlands, named Pharma Solutions, researches both medicines and vaccines for the World Health Organisation's three priority diseases: HIV/AIDS, tuberculosis and malaria. The company is very proud to have developed some of the leading global medicines in these fields, but in the past there have been a number of incidents of industrial espionage, which led the company to hire me to tighten security. These incidents took place across departments, including Research & Development, and went unnoticed and unpunished. To cover the security problem from a 360° perspective, I am going to describe the possible internal and external threats to the company (task 1), listing for each of them a possible scenario and a possible solution to prevent it.
The company wants me to add to its security policies a short policy that addresses the use of the iPhone 4 within the premises. This policy is not meant to supersede any other existing policy developed by Pharma Solutions, but to be an integration of the existing documents. Furthermore, we assume the company already has a general policy for smartphones in which it has decided not to allow employees to use their personal smartphones for business.
In the third task I will deal with the espionage problem of the company. I will give a 360° view of the possible ways a spy or a malicious employee could steal or tamper with documents and equipment. An overview of the problem of sabotage will be given too, since nowadays these two threats usually work together.
The appendices contain both integrative and supporting material related to the content of these three tasks.
The document ends with a short paragraph that reviews what we have seen and learnt in this scenario.
Before starting, it is necessary to make assumptions about anything not covered in the scenario described in the text of the coursework. I assume the company, named Pharma Solutions, already has a security policy concerning the behaviour that employees have to follow within the company, and all the procedures which people and infrastructure have to adhere to (such as banning cameras, choosing smart passwords, etc.). There must also be a policy that deals with smartphones owned by the employees. Furthermore, we assume that the servers are not locked in a server room, that they are all in the same area, and that the server room does not follow the rules of good management, such as a cooling system, raised floor, etc.
We also assume that:
access to USB and network drives is allowed to all employees;
the wireless printer is not protected by any encryption key;
nobody checks visitors' ID when they enter the company (without a badge) and no appointments are necessary for visiting the company;
the company does not have any backup plans;
the company is not provided with any Uninterruptible Power Supply, which is needed given the typical weather in the Midlands;
the company has no automatic water pumps in the basement in case of internal flooding;
the kitchen has no fire safety system and no fireproof walls or doors;
the company has no CCTV or lighting;
the car park has no fencing;
the networking design does not consider the use of network monitoring or stackguarding for preventing buffer overflows;
the company does not use any paper shredders;
all the employees' workstations run the latest Windows operating system, named "Seven".
In the following table it is possible to see the main threats of the company sorted by importance. Please refer to appendix B for the sorting explanation.
Disclosure of information and theft of data
A person could enter the company as a visitor, fill in the pass with a false name and move within the company using social engineering
Steal important documents, try to use computers, plug in USB drives, fingerprint the company, steal hardware (expensive or containing sensitive information)
Hire guards. Hire a secretary to welcome visitors and control access.
Services provided through the Network
Backup links and bad network design disclose information if the traffic gets sniffed. The Internet service can go down: there is no Internet service other than the one in the diagram, so the company would be cut off from the outside world. Possible intrusion into the network. An employee could sniff the network traffic by setting his network card to promiscuous mode and running a sniffer (from a USB drive, or an iPod at lunch time, using portable applications)
Denial of service, confidentiality and availability of data. Possible unauthorized remote control
(see threats and countermeasures in Appendix C), network configuration control,
server configuration and usage monitoring, network usage surveillance,
data protection [o], stackguarding to prevent exploits. Install IPS and IDS. Install Proxy, Bastion and Honeypot. Encrypt the internal traffic where possible. Add another internet connection (ISO 27001 A.14.1.2). Authorize only Company released USB drives
Problem with servers: most or all data loss
No way to restore data
Nightly backup program with regular testing of backups (ISO27001 A.10.5.1, A.14.1.2), with encrypted offsite storage. Periodically check the backups for correctness and completeness
Data (CIA) and network
An employee can use a USB drive to compromise a machine and spread a virus
Confidentiality of data, safety of the network
The system administrator should protect the BIOS with a password and force booting from the hard disk, preventing booting from USB, CD or other media. Allow the system to mount only authorized media
A laptop or a USB drive could be stolen or lost.
Confidentiality of data, equipment
Keep the data on the device encrypted. Insure laptops
Data confidentiality and network compromised
It is possible to read documents printed using wireless printing, and to get access through the wireless network to other subnets or to the server
Loss of confidentiality of important documents. Server compromised
Protect the wireless communication of the printers using WPA2; Sybase Exchange server to monitor authorized connections
Electric Current: equipment
Due to the bad weather in the Midlands the electric current could be interrupted
Company out of service
Uninterruptible Power Supply (ISO27001 A.9.2.2, A.14.1.2) and an alternative power source, e.g. a generator
Documents and photocopier. Integrity, availability and confidentiality of data
Flooding problem: river very close to the company
Document filing accessible by everyone (including cleaners)
Loss of data; electrical devices could get damaged.
Important documents and future plans of the company stolen or copied
Move the equipment and document filing to the upper floor.
Lock the access to the document filing (ISO27001 A.9.2.1). Automatic water pump in the basement.
External and Internal
Equipment (server), availability of data
Flooding problem (as already seen above): river very close to the company. Water could arrive at the ground floor and damage servers.
An insider or a thief could get inside the company and steal or tamper with a server.
An employee or an intruder can read network parameters and device specs from the rack and try to exploit them to penetrate the network and computer system
Expensive servers, plus confidentiality and availability of data, as well as problems with backup. Loss of control of the system if the attacks succeed
Move the servers to a raised floor and lock the server room.
Keep the information about network and device configuration protected against unauthorized access (e.g. in an encrypted folder or possibly in a locker) - ISO27001 A.10.7.4
The whole building
The kitchen could be the source of a big fire inside the company
Loss of data, devices and days of operability; hospital costs for employees; company's reputation in danger
Self-closing fire door and fire proof kitchen walls and roof. Fire insurance. A.14.1.2
Physical access to reserved areas
A person can move within the company and access departments even if she/he is not allowed.
Steal information from another department and use it for malicious purposes
Use a registered magnetic card with PIN code and a badge issued by the administration office
Using the microwave oven, malicious employees could destroy malicious code used for attacking the company from the inside (anti-forensics) or could sabotage the company drives containing important information
Loss of important data; difficult to discover who compromised the company
CCTV, lock important storage devices
Equipment and data
An employee could steal a network drive
Loss of confidentiality and expensive network drive
Keep the media in a safe and secure place. Install CCTV to monitor the access (ISO27001 A.10.7.2, A.10.7.3).
Data confidentiality, integrity
During periods of inactivity (e.g. lunch time) an employee could access the computer of another employee if he didn't log off
Disclosure of data; difficult to recognize the actual attacker because he used the account of a colleague
CCTV; auto-lock the system after 5 minutes of standby
Private information of the company
An internal attacker (e.g. an employee) may pick up the mail and parcels of other employees and discover information which only managers or those responsible should access.
An attacker could learn about particular deals the company has with customers or suppliers and pass the information to competitors who would pay very well for it. Damage to the relationship between the company and its suppliers or customers. Damage to the company's income.
Provide the entrance with a locked room containing outgoing mail and packages. The secretary will be responsible for picking up the mail from each department every morning and delivering it to the mail messenger (courier)
An attacker could tamper with employees' cars or leave a USB drive within the parking area, so that an employee picks it up out of curiosity and then tries to insert it into his/her workstation computer.
Intrusion within the company's network
Car park fencing. CCTV
confidentiality, integrity, availability of data
While surfing the Internet and downloading emails at lunch time, an employee could download malware or a virus
Disclosure of the information owned by the employee and, at worst, spreading of the virus within the network
An employee shouldn't be allowed to use company's services for his or her own purposes
As introduced, this policy assumes that employees don't use their own iPhone 4 for business. I decided to follow this approach because we need to separate the purpose of a business mobile phone from that of a personal mobile phone. Providing a device to our employees assures us that the configuration of the phone corresponds in practice to the security policy, and allows us to be more restrictive in certain respects. For instance, it is difficult to block cameras or prohibit Apple App Store purchases if the phone belongs to an employee.
Behind the following policy there should be another security policy that denies the use of video and audio recording and regulates the use of smartphones in general. The following policy is written for the iPhone, but a similar one could have been written for smartphones in general.
Instead of writing a standard document to accompany the policy (it is not the purpose of this coursework), I will write within square brackets some features the standard should follow in order to assure good security for the data and for the device itself. In real policies we would not write advice for the standard within the policy, but would write complete standards, guidelines and procedures instead.
The sources for writing this policy have been [u] [y] [w].
1.0.0 Apple iPhone 4 Security Policy
The intentions of this Policy are to protect Pharma Solutions employees, partners and the company from illegal actions by either aware or unaware individuals.
This policy is applicable to all iPhone 4 devices purchased by Pharma Solutions. For iPhones or other smartphones purchased by employees for personal use please refer to the policy "1.0.0 Smartphone Security Policy".
The Apple iPhone 4, hereinafter referred to as "the device", its software and operating system, network accounts and storage media are the property of Pharma Solutions and are to be used for the company's business, and in the interest of the company and of the company's customers in the course of the individual's job.
It is the responsibility of every device user to know the guidelines on how to contribute to effective security, and to conduct their activities accordingly.
The aim of this policy is to set out the acceptable use of the iPhone 4 at Pharma Solutions in order to protect the confidentiality, availability, and integrity of data stored, transmitted or processed. These rules serve to protect the employees and Pharma Solutions; improper use exposes Pharma Solutions to risks including virus infiltration, compromise of network systems and services, disclosure of data and legal issues.
This policy refers to temporaries, employees, contractors, consultants and other people who operate within the premises, including all personnel connected to third parties. This policy applies to all devices that are owned or leased by Pharma Solutions. This policy will not replace any other existing Pharma Solutions developed policies but may introduce more rigorous requirements than current policies dictate.
1.4.1 General Use and Ownership
Data created on the company systems remains the property of Pharma Solutions. In order to protect Pharma Solutions' network, the company cannot guarantee the confidentiality of information stored on an iPhone 4 belonging to Pharma Solutions.
Each department is responsible for the creation of guidelines concerning the use of the device by an authorized individual. If such policies do not exist, departmental policies will guide employees on the use of the device, and in case of doubt employees are welcome to consult their supervisor or manager.
For network maintenance and security purposes, authorized personnel within Pharma Solutions may monitor the device and its network traffic at any time.
Amendments to security policy: this policy may be replaced by new versions released by Pharma Solutions. The new version will contain the caption "This policy replaces the old policy entitled iPhone 4 Security Policy v.1.0.0".
1.4.2 Security and Proprietary Information
The Apple iPhone 4 will be configured to, or otherwise the user will agree to:
wherever possible, run the most up-to-date version of the Apple iPhone operating system [standard: at the time of writing it is named iOS 4];
install security mechanisms and operating system updates from the operating system vendor if required;
allow the iPhone 4 to be confiscated when security incidents occur, follow all required security procedures and install required software in order to protect the Pharma Solutions network;
prevent unauthorized access to confidential information such as: competitor sensitive information, trade secrets, customer lists, and research data;
keep the device passwords and passcode secure and do not share them. Users should change their device password every six months;
choose a strong device passcode. For more information on how to write a strong password see the standard [the standard: an eight character, or longer, alphanumeric password, ...];
be secured with an auto-lock system that self-activates after an inactivity timeout [standard: for NIST 800-63 level 3, the inactivity time should be less than 5 minutes];
use the encryption feature provided by the operating system to encrypt data wherever the hosted applications support it;
have the hardware encryption option activated, due to the vulnerability of the information contained in the iPhone 4;
be auto-wiped after a set number of wrong PIN entries by a user [standard: four times];
set the configuration of the mail applications running on the iPhone 4 to "encrypted" mode;
protect the device configuration by a password profile that only the system administrator will know;
have software installed that forces the employee to adopt future modifications of the policy once he connects to the server [standard: ActiveSync];
periodically execute approved and updated virus-scanning;
be aware of the danger of running malware while downloading email attachments;
notify the system administrator if the device has been lost or stolen or if the employee no longer needs to connect to company resources;
keep weekly backups of the device using the appropriate software, named iTunes;
be responsible for break/fix support for the device;
use the Internet only for downloading and sending emails or software updates;
access the Internet only using either the SIM-based Internet connection installed by the Pharma Solutions system administrator or the Pharma Solutions wireless Internet connection provided within the company building;
preserve the good condition of the Pharma Solutions seals installed on the external screws of the device. The purpose of the seals is to prevent alteration of or tampering with the device itself;
participate in security awareness and training programmes whenever requested.
The system administrator of Pharma Solutions, who is responsible for configuring the device correctly and protecting the configuration with a personal password, will also restrict the use of games and entertainment software.
1.4.3. Unacceptable Use
The following are, in general, forbidden activities. Under no circumstances is an employee of Pharma Solutions authorized to use the device in violation of local or international law.
System and Network Activities
Even if not exhaustive, the list below reports the activities which belong to the category of unacceptable use.
Installing or using software products that are not licensed for use by Pharma Solutions.
Exporting software or Pharma Solutions' intellectual information is illegal. Consult the appropriate management before exporting any material.
Installing or using malicious programs on the device.
Disclosing the device passwords or passcode to others, or allowing others to use one's own device, including family and other household members.
Using the device to send material that violates sexual harassment laws in the user's local jurisdiction.
Using the device to make fraudulent offers of products or services.
Using the device to intercept data destined for other users.
Disclosing information about Pharma Solutions employees to parties outside Pharma Solutions.
Using or accessing newsgroup or mailing lists.
Using the device's browser to surf the Internet.
Accessing the App Store, installing apps, or both.
Using the device's camera (whether for taking photos or for making videos).
Using Bluetooth. Use wireless encrypted transmission rather than Bluetooth-based earphones.
Using wireless connections that don't belong to Pharma Solutions.
Altering or tampering with the seals put on the device.
Using the device as a cellular modem.
Trying to tamper with the Pharma Solutions seals installed on the screws of the device.
Using location-based services within the company, or at customer sites. [L]
Email and Communications Activities
This paragraph regulates the use of the email account belonging to the device. It is rigorously forbidden:
Sending unsolicited emails, such as "junk mail" or other advertising material, to individuals who did not specifically request them (email spam).
Abusing the email header by sending email that does not belong to the business of the company.
Writing or forwarding "pyramid" schemes of any type.
Every individual found to have violated this policy will be subject to possible disciplinary action, such as the restriction of his privileges or the termination of his period of work at Pharma Solutions. Resources will be periodically audited to make sure that software and configuration comply with the present policy. In extreme cases the company can use evidence gathered from an employee's malicious use of the device in court for legal prosecution.
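One way the periodic audit mentioned above could check a device configuration profile against the bracketed standards of 1.4.2 and the restrictions of 1.4.3 (an added example, not part of the original policy or coursework). The payload types and keys are those of Apple configuration profiles; the mapping from policy clause to key, the 183-day reading of "six months" and both sample profiles are assumptions constructed here.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # passcode payload
RESTRICTIONS = "com.apple.applicationaccess"         # restrictions payload
_MISSING = object()


def _is_int(value):
    """True for real integers only (bool is a subclass of int in Python)."""
    return isinstance(value, int) and not isinstance(value, bool)


# (payload type, key, compliance check, policy clause) -- assumed mapping.
RULES = [
    (PASSCODE, "forcePIN", lambda v: v is True,
     "1.4.2 passcode required"),
    (PASSCODE, "minLength", lambda v: _is_int(v) and v >= 8,
     "1.4.2 passcode of eight characters or longer"),
    (PASSCODE, "requireAlphanumeric", lambda v: v is True,
     "1.4.2 alphanumeric passcode"),
    (PASSCODE, "maxInactivity", lambda v: _is_int(v) and 0 < v < 5,
     "1.4.2 auto-lock in less than 5 minutes"),
    (PASSCODE, "maxFailedAttempts", lambda v: _is_int(v) and 1 <= v <= 4,
     "1.4.2 auto-wipe after four wrong PINs"),
    (PASSCODE, "maxPINAgeInDays", lambda v: _is_int(v) and 0 < v <= 183,
     "1.4.2 passcode changed every six months"),
    (RESTRICTIONS, "allowCamera", lambda v: v is False,
     "1.4.3 camera use forbidden"),
    (RESTRICTIONS, "allowAppInstallation", lambda v: v is False,
     "1.4.3 App Store and app installation forbidden"),
    (RESTRICTIONS, "allowSafari", lambda v: v is False,
     "1.4.3 browser use forbidden"),
]


def audit_profile(data):
    """Return a list of findings for a .mobileconfig plist given as bytes."""
    profile = plistlib.loads(data)
    settings = {}
    for payload in profile.get("PayloadContent", []):
        if isinstance(payload, dict):
            settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = []
    for payload_type, key, is_compliant, clause in RULES:
        value = settings.get(payload_type, {}).get(key, _MISSING)
        if value is _MISSING:
            # An absent key is not enforced on the device, so report it.
            findings.append(f"{key}: not set ({clause})")
        elif not is_compliant(value):
            findings.append(f"{key}={value!r}: violates {clause}")
    return findings


def _build_profile(passcode, restrictions):
    """Serialise a constructed sample profile (identifier is a placeholder)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.constructed.iphone4",
        "PayloadContent": [
            dict(passcode, PayloadType=PASSCODE),
            dict(restrictions, PayloadType=RESTRICTIONS),
        ],
    })


# Constructed sample: every setting matches the policy.
COMPLIANT_PROFILE = _build_profile(
    {"forcePIN": True, "minLength": 8, "requireAlphanumeric": True,
     "maxInactivity": 3, "maxFailedAttempts": 4, "maxPINAgeInDays": 180},
    {"allowCamera": False, "allowAppInstallation": False,
     "allowSafari": False},
)

# Constructed sample: weak passcode rules, camera on, two keys missing.
WEAK_PROFILE = _build_profile(
    {"forcePIN": True, "minLength": 4, "requireAlphanumeric": False,
     "maxInactivity": 15, "maxFailedAttempts": 10},
    {"allowCamera": True, "allowSafari": False},
)

if __name__ == "__main__":
    for name, data in (("compliant", COMPLIANT_PROFILE),
                       ("weak", WEAK_PROFILE)):
        print(name)
        for finding in audit_profile(data) or ["no findings"]:
            print("  " + finding)
```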
Spam: Unauthorized and/or unrequested bulk electronic mailings.
iPhone 4: Smartphone created by Apple, successor to the iPhone 3GS.
Smartphone: Mobile phone that has advanced computing and connectivity features similar to a
iOS: Operating system made by Apple for its devices such as the iPhone.
iTunes: Application created by Apple to play and organize digital music and video files
iTunes Store: Online shop owned by Apple where it is possible to purchase digital music, video
Apps: Stands for applications, usually referring to Apple's applications
App Store: A service provided by Apple that allows users to browse and download free or paid apps (applications) from the iTunes Store
1.7.0 Revision History
This version, named 1.0.0, is the first version of this document.
Avoiding industrial espionage incidents at Pharma Solutions
The aim of the following paragraphs is to identify and discuss recommendations for avoiding industrial espionage. We need to approach the subject by evaluating physical, IT and data security. Analysing espionage implies having a 360° view of the security of the company to be protected.
I am going to approach the espionage problem by introducing how spies think and how they can access Pharma Solutions' private information, distinguishing physical penetration from remote penetration and social engineering. For every vulnerability found, its relation to the five fundamental security principles [see appendix A] will be shown, and I will critically discuss possible solutions in order to prevent espionage against Pharma Solutions.
Espionage is an activity carried out by one or more people who have been hired to break into one or more systems and steal information. A spy has a specific aim and does not randomly search for unsecured systems as most attackers would do. A spy wants to steal computer-based information, paper-based information or general information about the plans and projects of the target company, is highly skilled and does it for money.
We cannot talk about espionage without also thinking about sabotage. [e] "Nowadays measures to counter industrial espionage also keep sabotage in mind and try to deal with both malicious operations simultaneously. This is of vital importance as the competition in the market place is growing tougher by the day".[d] and again: "Sabotage is a deliberate action aimed at weakening another entity through subversion, obstruction, disruption, or destruction". [f] In extreme cases I will also consider, alongside industrial espionage, how a saboteur would damage the income of Pharma Solutions.
A spy usually starts his work by pretending to be a journalist; in this way he can ask for much more information without arousing suspicion and possibly discover what should remain secret about a company. Pharma Solutions' officers should consider such people a possible threat to the company and weigh up the advantages and disadvantages of disclosing information during interviews.
Another common technique for a spy is dumpster diving. He looks for Social Security number lists, financial information, password lists, memos and research papers. Using paper shredders and having trash picked up daily would help to counter this kind of danger.
A spy may pretend to be not only a journalist but also a visitor or a customer, as we can see below.
Accessing the building
When we let an external person come into our company we have to be aware of the potential threats: a person who visits Pharma Solutions has to be registered in advance, providing Pharma Solutions with his ID and general information, and has to book his visit at least two days in advance. This period of time would allow the security officer to check, if needed, the visitor's identity or other important information. The current scenario at Pharma Solutions instead shows vulnerabilities in this respect: a spy could access the company claiming to be a visitor, just signing a visitors' book and then picking up a blank pass on which he writes his (possibly fake) name, and then move within the company without many restrictions.
That is why I would introduce at the entrance a guard who enforces access control and a secretary who handles the registration process (ISO27001 A.9.1.2): every single person who moves within the company has to be registered, and the internal system should be able to keep records of the departments that a person enters or visits.
Specific departments should be accessible only after a person has been identified (ISO27001 A.9.1.1); in this case I would advise using Smart Cards with an associated PIN. Every person will thus have to wear a badge (also called a Dumb Card) that shows the person's picture, name and surname as well as his registration ID; the badge has to be issued by the security officer, who makes an active decision about the identity of the holder.
The secretary will also be responsible for picking up the departments' mail and gathering it in a safe, locked place to await the (identified) courier for dispatch, and for the sorting of the incoming mail (ISO27001 A.9.1.6).
Business people should meet their customers in offices other than the ones they work in. We cannot be sure what a person, or a spy in the shoes of a customer, might leave inside a room. For instance, mini cameras are so small that they can be placed in sunglasses, in a button or in a pen, and they can allow a spy to gather a lot of data once inside a competitor's premises. Mini spy camera jammers make spy cameras useless. "These jammers can be strategically placed in office areas where most of the secret data are being elaborating" [m].
Closed-circuit television (CCTV), alarms, locks and lighting are also recommended. Employees should be aware that they have to protect the data they have access to and lock their documents away once they no longer need them or when they leave their desk (this should be included in the security policy of Pharma Solutions). Cleaners, other employees, spies or thieves could copy or steal documents, and the information would lose its secrecy. Technology and other security systems act in this sense as a deterrent for thieves, but the first step towards the security of data must still be taken by employees.
Car Parking: finding USBs
Another way to penetrate Pharma Solutions would be to let an employee find a USB drive in the car parking area. This is a kind of social engineering attack: an employee finds a USB drive in the parking area, and curiosity about its content makes him plug it into his workspace computer. The USB drive has been left on purpose by a spy on the employee's short route between the car park and the company. The USB drive carries a Trojan backdoor that allows an attacker (in this case the spy) to take remote control of the infected system, steal data and attempt privilege escalation. This is an important threat for the company, and that is why I would recommend providing car park fencing and a guard at the entrance, and installing CCTV too (ISO 27001 A.9.1.3). Visitors or contractors should use a car park different from the one used by the employees, in order to prevent external people from tampering with employees' cars.
Employee as a company threat towards espionage
"Employees who feel badly treated by their employers and who suffer from an exaggerated sense of entitlement are particularly prone to harming their current or former employers".[g]
Industry espionage comes also from internal threats: employees. They are at the root of effective information governance. An employee may either indirectly disclose information to a spy because unable to follow policies and procedures or could copy (or steal) important documents and bring them out from Pharma Solutions and deliver them to the company competitors. Intentionally o accidentally employees could carry a Trojan in a USB stick and attack the confidentiality of the data, as well as install a backdoor for remote controls.
In the scenario we saw, employees like listening music using their IPod. An IPod can be plugged to the USB port of a computer an may be used to steal data or bring into the company some malwares.
In order to prevent espionage and eventually avoid safety problems I would recommend to implement a policy that forbids an employee to use the workspace for personal uses and to educate employee improving their awareness about security (ISO27001 A.9.1.5). The devices and the information within the company belong to Pharma Solutions and there is no valid reason to use the company's resources for personal uses. Therefore an employee should not be allowed to browse the Internet for his own purposes neither download nor access his personal emails. One of the reason is also because the company emails are filtered and the possibility to install a malware are less than the possibility to catch a malware reading an email unfiltered. The local antivirus are always operative but a good email filtering at the server side improves protection. We have to remember that viruses and malwares may also come from spies or competitors and a good awareness of this threat could help employees to pay more attention in what they do.
Beside forbidding the use of company devices and computers for personal purposes I would recommend to install a keystrokes and a Centralized Monitoring System: "..employers can set policy from the Central monitoring system at a very granular level so the use of USB storage devices can be closely controlled. As well as keeping track of all keystrokes, the systems can be set to record screen shots at regular intervals so a user's session can be replayed, for instance, if the employer suspects any unauthorised access to data..." [a].
The CMS would allow the administrator to control also the use of CD-RW, SD cards and other memory devices. It is obvious that a system administrator should block access to the Bios, forcing the booting from the hard disk (in this way we would block also a person that wants to run a Linux live version on the machine).
The system administrator would want also to allow employees to install only devices that he has approved; furthermore it would be a good idea to let the employees use only IT-approved encrypted memory keys, so that if they're dropped in, the contents will be meaningless to anyone who tries to access.[b]
Other aspects the security policy should include is to adopt a screen saver that automatically block an employee's computer after 5 minutes of inactivity. Furthermore, during the lunch time the employee should lock his system if he leaves the workspace. Employee who goes to work very early in the morning or goes home very late for no reason should arouse suspicious to an employer .
Another vulnerability that would favour industrial espionage is the sniffing of network traffic. As we can see from the network diagram, an employee's computer belonging to the Management, Customer Services or Marketing departments could easily sniff the network traffic by switching its network card to promiscuous mode. In this way a machine can listen to the traffic destined for other computers on the same network or, worse, could mount a man-in-the-middle attack.
Furthermore, the diagram doesn't use any intrusion prevention or detection system. I would recommend installing a HIDS on the server side and a NIDS close to the routers, as well as encrypting the network traffic (data can be encrypted using both software and hardware devices) and using a Virtual Private Network to preserve confidentiality. Most IDSs nowadays can also work in prevention mode. For a further description of the wrong configuration of the given diagram, please refer to Appendix C of this document.
Another problem could come from the sniffing of the wireless communication between the wireless printer and the employees' computers. If the wireless network isn't protected by an encryption key, a spy could sniff it from the outside. What he could sniff is the content of the print jobs, but he could also try to exploit that network to gain access to others. My advice would be to encrypt the wireless network using a WPA2 key.
Implement a Sybase Exchange server with gating software to monitor unauthorized access to the company's network, and use Stackguarding in order to prevent the exploitation of buffer overflows and to prevent worm attacks. We also must not forget to configure our network so that it discloses only certain information to scanners, to avoid fingerprinting.
Another point of view about networking is the physical aspect: according to ISO27001 A.9.2.3, "Power and telecommunications cabling carrying data or supporting Information services shall be protected from interception or damage". This underlines that sniffing or interception can be carried out both with software and by accessing the company's hardware.
Pharma Solutions has its servers on the ground floor. The description claims it is possible to find more information about the network configuration on the server racks. Servers are among the main resources to protect. I would advise moving the servers to a raised floor [c] and keeping the server room locked. The room has to meet all the basic requirements: fire protection systems, fireproof walls, air conditioning, a copper ground grid for grounding of equipment, and a system to run chilled water or other pipes (ISO 27001 A.9.1.4). Servers must have uninterruptible power supplies (UPS, etc.).
Leaving information on the server racks is not a good idea: a malicious employee or a spy could use it to find exploits or vulnerabilities in the network system. According to the five fundamental security principles [see Appendix A], obscuring the configuration data is one of the most important steps in preventing disclosure of information and attacks. Documents about network and system configuration should stay in a locked drawer.
Network drives, tapes, floppy, and optical disk backups of mission critical computers and sensitive data must be kept in a secure room.
The new policy seen so far allows employees to use the iPhone 4. Until the previous version, the iPhone was considered a threat for a company. Several exploits were available: spyware that allowed an attacker to hear conversations and to activate the internal camera even if the owner was not on the phone at that moment, the famous jailbreak written by Jonathan Zdziarski that disabled the iPhone passcode and copied the iPhone's entire content, and so on.
With this latest version, Apple's iPhone is able to offer good protection to its customers. It is possible to use both software and hardware encryption and longer passcodes, features that together with remote wiping allow a company to sleep almost soundly. These precautions are useful from a practical point of view and correspond to the requirements of ISO27001 A.9.2.5.
In the policy seen above (based on the table on the left and the research carried out by Forrester [w]) we can note that Bluetooth and browsing the Internet on a smartphone are still to be considered threats for the company. That is why I would limit the use of the device to downloading or sending emails, using local applications, and receiving and making calls, and would use wireless earphones instead of Bluetooth earphones. Furthermore, since it is common for spies to change batteries and install micro spy devices inside the plastic cover of a phone, I would advise using the company's own seals (or alternatively blocking the screws with Loctite), in order to keep a record of whether anyone has tampered with the phone.
Using the iPhone 4 as a cellular modem could be a way to send confidential data to unauthorized parties without a trace. The modem feature should be deactivated by the system administrator, who protects the device's configuration with his own secret password.
Another point of the security policy to underline is the ban on using GPS location-based services. These services, such as Foursquare, may allow a competitor to see where our employees are and to guess who we are talking to (for instance a customer). Jayanth Angl, senior research analyst at Info-Tech Research [L], says "We're starting to see some questions from enterprises about whether they should be concerned if employees are sharing their location at corporate offices with external parties - is that a risk or is that ok?". The decision taken in writing the iPhone 4 security policy serves to prevent competitors from guessing who we are seeing, the time we spend with customers, etc.
The use of antivirus software would help to detect and prevent attacks from malicious code, while weekly backups would allow an easier recovery process after a disaster (ISO27001 A.10.4.1).
As previously defined, sabotage "is a deliberate action aimed at weakening another entity through subversion, obstruction, disruption, or destruction" [f]. A denial of service against a company may be useful to increase the demand for a competitor's services. Furthermore, reputation is another important factor for a company. In the original scenario there are threats that belong to sabotage. The kitchen is one possible threat: an employee could intentionally leave something on the oven and start a fire. The fire could spread to the company's departments, so the personnel would have to stay at home and production could stop, besides the loss of important data. In the kitchen we can find a microwave too. With microwaves it is possible to destroy data [h], such as the content of hard disks, or some malware that was brought into the company and whose traces someone wants to eliminate. I would recommend using self-closing fireproof kitchen doors and fireproof kitchen walls, as well as a fire alarm system. The problem of the microwave can be managed mainly using CCTV, as previously discussed.
Interrupting the communication link between Personnel and router 4, which would isolate the Personnel department from the rest of the company, is also considered sabotage, as is interrupting the link between router 2 and the stack of switches, which would cut out IT, Marketing, Management and Customer Services. As said, the denial of service to the company will last as long as it takes to recover the connection links. The network would be safer if more redundancy were introduced. We can add a backup link between the Personnel department and the IT department, as well as a backup link and a switch between router 2 and Customer Services.
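The single-link failures described above can be checked mechanically before and after the backup links are added. The following is an added example, not part of the original essay: device and department names follow the text, but the wiring (including the router 2 to router 4 link) and the name `backup_switch` are assumptions, since the network diagram is not reproduced here.

```python
from collections import defaultdict, deque

# Constructed topology: names come from the essay, the wiring is assumed.
BASE_LINKS = [
    ("router2", "router4"),  # assumed inter-router link
    ("router4", "Personnel"),
    ("router2", "switch_stack"),
    ("switch_stack", "IT"),
    ("switch_stack", "Marketing"),
    ("switch_stack", "Management"),
    ("switch_stack", "CustomerServices"),
]
# Backup links proposed in the essay; "backup_switch" is a hypothetical name.
BACKUP_LINKS = [
    ("Personnel", "IT"),
    ("router2", "backup_switch"),
    ("backup_switch", "CustomerServices"),
]

def reachable(links, start):
    """Return the set of nodes reachable from start over undirected links."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

def single_points_of_failure(links, core="router2"):
    """Map each link whose loss cuts nodes off from core to the nodes it isolates."""
    everything = reachable(links, core)
    impact = {}
    for failed in links:
        remaining = [link for link in links if link != failed]
        lost = everything - reachable(remaining, core)
        if lost:
            impact[failed] = lost
    return impact

if __name__ == "__main__":
    for label, links in (("before", BASE_LINKS), ("after", BASE_LINKS + BACKUP_LINKS)):
        print(label)
        for link, lost in single_points_of_failure(links).items():
            print(f"  {link[0]} -- {link[1]} isolates {sorted(lost)}")
```

Under this assumed wiring, the two backup links remove the failures named in the text, while Marketing and Management still depend on a single access link each.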
We can detect network anomalies by installing Network Intrusion Detection and Prevention Systems, as shown in the proposed schema.
R&D and Biometrics
The Research and Development department uses a biometric identification system. The text of the coursework says this department does not have any security problem because it is safe, but that some espionage events have happened recently. I would not say the R&D department is completely safe. In fact, if the recognition system used is fingerprint scanning, then it is possible to dupe this mechanism with graphite powder and adhesive tape and get access to the department. According to  it would also be possible to use other methods based on a picture of the fingerprint taken with the same tools and processed using graphics software. The result would be a piece of latex to be used on the attacker's fingertip.
Voice recognition is another system that is considered unreliable: a person can train himself to imitate the voice of the victim, or tools could be used to manipulate the audio signal to make it similar to that of the victim. Face recognition is also not yet a reliable system. It is possible to cheat it using digital facial images and other methods.
An iris recognition system can be used instead. Even if it is possible to dupe this system by printing the pattern on contact lenses, it is still the most reliable nowadays. I would advise putting a guard and CCTV in front of the access point in order to monitor the entrance, alongside an iris recognition system.
Other aspects are relevant for improving security against espionage and sabotage. All the walls and doors of the areas that contain media must be fireproof to a high rating and built from floor to roof. Windows should be avoided in data centres, while other windows should be shatterproof.
The company's building should have good lighting as a deterrent against intruders. Visitors and contractors should be escorted to their destination within the company. Especially during the night, guards and dogs should inspect the external and internal areas.
Alarms and devices to detect movement within the building should be installed, together with supplementary power (as described above) that allows uninterrupted ventilation and checks the right humidity for computers.
The company's laptops should use hardware and software encryption. BitLocker with a TPM (Trusted Platform Module) chip or in USB key mode could be a good compromise.
Preventing espionage means periodically testing the company's security. From a technical point of view it would be necessary to audit the firewall, keep operating systems and applications up to date, run penetration tests, and run regular attack scenarios against the company to discover weaknesses and vulnerabilities that may not be discovered by a single tool.
Stay updated with spy technologies; for instance, here  the latest technologies are listed: Robo-Roaches, Van Eck Phreaking, Laser Microphones, Floating Car Data, Load Monitoring, DCSNet (Digital Collection System Network).
Run brute force and dictionary attacks periodically to test the strength of users' passwords.
Conclusion (Here you could reflect on what you did tasks 1-3)