Network Security Configuration and
Access Control
Introduction
This report simulates industry practice for network security and management. Firewalls and access control policies are its central subject, and the legal and ethical considerations that apply to them are identified along the way. The case study states that Kaplan Financial is a growing mid-sized Australian company that is currently facing network security threats such as unauthorised access, phishing attacks and malware infections. The company has a large structure to manage, and each department has its own function: Executive Leadership handles strategic oversight; Client Services handles clients' financial planning and portfolios; Human Resources deals with employee performance and records; the IT Department runs the IT infrastructure and secures it against potential threats; and Administration carries out day-to-day operations within the guidelines. Kaplan Financial also provides all fifty employees with company laptops that use the company Wi-Fi and are also used for remote work. The company has an internal server that hosts critical applications: Customer Relationship Management (CRM) for client management, a Human Resource Management System (HRMS) that manages all employee data and performance, Security Information and Event Management (SIEM) that manages security and monitors each access, and Corporate Performance Management (CPM) that tracks and analyses corporate performance. These critical applications are what must be protected from attack.
Access Control Model
The departments highlighted above show that each has its own responsibilities and priorities. Managing each department's access to data is essential to maintaining security inside the company. Access control is the process of restricting access to resources and ensuring that only authorised users can access and manage them. The principles of access control are: Least Privilege, which limits users to the actions their authorised access permits; Separation of Duties, which divides tasks between users to prevent errors and misuse; and Defence in Depth, a layered approach that protects systems and data with multiple layers of security. An access control model is the framework for managing and restricting access to resources according to policy. The types of access control model are Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC) and Rule-Based Access Control (RUBAC). Considering the function of each department and the available models, the appropriate access controls for Kaplan Financial are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).
Role-Based Access Control (RBAC) is the main framework suggested, because when access is controlled by role, issues can be traced to a role for efficient troubleshooting. The breakdown of the access control design under the least privilege principle is as follows:
1. Executive Leadership: This role is limited to accessing Corporate Performance Management (CPM), and CPM can only be accessed by the executive leadership, because executive leaders are not required to manage every layer of the system. Instead, this department needs to analyse and manage Key Performance Indicators (KPIs) to set strategic goals and achieve sustainable growth. Limiting the access is an effective way to prevent an internal breach in which this department interferes with other departments' systems. The limitation also protects the CPM network from access by any other unauthorised users.
2. Client Services: This department is assigned access only to Customer Relationship Management (CRM), and CRM can only be accessed by Client Services. This system focuses on customer interactions and experience, using data so that customers are satisfied and the business goal is achieved. The limitation protects CRM from other departments and also prevents the Client Services department from accessing other networks.
3. Human Resources: This department is limited to accessing only the HRMS, and the HRMS can only be accessed by the Human Resources department, because the HRMS is dedicated to Human Resources functions, including employee data management and payroll processing, which contain sensitive data. Limiting HRMS access to the Human Resources department means this sensitive data is protected from other departments, preventing internal interference.
4. IT Department: This department is key to securing the whole network, which means the IT Department can access every network area, including CPM, CRM, HRMS and SIEM. Security Information and Event Management (SIEM) can only be accessed by the IT Department, because this system contains the essential aspects of network security, such as log management to track and analyse security logs, and User and Entity Behaviour Analytics (UEBA) to profile user behaviour and detect malicious activity early.
5. Administration: The Administration department can only access the tools related to basic day-to-day operations. This limitation applies because the Administration department is one of the gates through which an attacker can enter the system.
Additionally, Attribute-Based Access Control (ABAC) is also required to protect the system, because this model is efficient at limiting all access internally. Under this model, access is granted based on attributes set by the company, such as location, time of access and the approved devices that may access the network and company data. Attribute-Based Access Control is a good early-prevention framework that can eliminate malicious access or activity by foreign devices. A location-based attribute can also be used so that the network can only be accessed inside the company building and not outside it. This practice adds a defence layer so that unauthorised access is minimised.
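As an added example (not part of the original report), the RBAC design in the numbered breakdown above and the ABAC attributes just described can be combined into a single access decision that also records every attempt, as the policy later requires of the SIEM. The role names and systems come from the case study; the device IDs, office location, access window and the "OfficeTools" resource standing in for Administration's day-to-day tools are constructed placeholders.

```python
from datetime import time

# Role-to-system matrix from the RBAC design above. Administration's
# "day-to-day tools" are modelled as a hypothetical "OfficeTools" resource.
ROLE_PERMISSIONS = {
    "Executive Leadership": {"CPM"},
    "Client Services": {"CRM"},
    "Human Resources": {"HRMS"},
    "IT Department": {"CPM", "CRM", "HRMS", "SIEM"},
    "Administration": {"OfficeTools"},
}

# Constructed ABAC attributes (placeholders, not Kaplan Financial's real values):
# approved company devices, the office location and the permitted access window.
APPROVED_DEVICES = {"KF-LAPTOP-001", "KF-LAPTOP-002"}
OFFICE_LOCATIONS = {"HQ-Building"}
ACCESS_WINDOW = (time(7, 0), time(19, 0))

# Every decision is appended here, mirroring the policy that the SIEM
# records all access attempts, successful or not.
AUDIT_LOG = []


def _evaluate(role, resource, device, location, at):
    """RBAC decides what a role may reach at all; the ABAC attributes then
    decide whether this particular request passes. First failing check wins."""
    if resource not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"RBAC: role '{role}' is not permitted to access {resource}"
    if device not in APPROVED_DEVICES:
        return False, f"ABAC: device {device} is not an approved company device"
    if location not in OFFICE_LOCATIONS:
        return False, f"ABAC: location {location} is outside the company building"
    start, end = ACCESS_WINDOW
    if not start <= at <= end:
        return False, f"ABAC: access at {at.isoformat()} is outside the permitted window"
    return True, "allowed"


def check_access(role, resource, device, location, at_hhmm):
    """Return (allowed, reason) for a request; at_hhmm is a clock time like "09:30"."""
    at = time.fromisoformat(at_hhmm)
    decision = _evaluate(role, resource, device, location, at)
    AUDIT_LOG.append({"role": role, "resource": resource, "device": device,
                      "location": location, "time": at_hhmm,
                      "allowed": decision[0], "reason": decision[1]})
    return decision
```

A denied request is logged with the same detail as an allowed one, so the audit trail shows which check (role, device, location or time) rejected it.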
Kaplan Financial Access Control Policy
1. Purpose
This policy establishes the access control framework that protects Kaplan Financial's network, data and information systems from malicious activity such as unauthorised access and external and internal breaches. This policy is aligned with ISO 27001, the Privacy Act 1988 (Cth) and the Cybersecurity Act 2018.
2. Scope
This policy applies to all employees, contractors, consultants and third-party users who access Kaplan Financial's network and information systems, whether on site or remotely.
3. Policy Statements
A. Measures to Prevent Unauthorised Access
- Multi-Factor Authentication (MFA) is mandatory for access to every network related to data and information systems.
- Every system access will have a limited access time that can be adjusted according to the sensitivity of the system.
- The SIEM will log all access attempts, whether successful or unsuccessful.
B. Secure Access for On-Site and Remote Workers
On-site access:
- All on-site access must be logged in with the access ID issued by the company to employees, contractors, consultants and third-party users.
- A firewall, antivirus and encryption are mandatory for every device connected to the network.
Remote access:
- Every remote device is obliged to complete Multi-Factor Authentication (MFA) over a secured VPN.
- Antivirus and an updated OS are encouraged.
C. Access Control Principles
Least Privilege
- Access to certain data networks is limited to the departments that use them.
- Access is granted based on permission from the head of department.
Separation of Duties
- No single user may hold all access and control over the information systems and data.
- Any critical action is divided between executors and supervisors to prevent misuse and fraud.
D. Impact on Critical Networks
- CRM: Access is restricted to the related department, Client Services. Role-Based Access Control is used here to reduce misuse.
- HRMS: Can only be accessed by the Human Resources department. All access will be logged because this network contains sensitive employee data.
- SIEM: Only accessible to IT Security and the IT department. This access will be monitored, and every access requires Multi-Factor Authentication (MFA), providing multiple layers of protection.
- CPM: All access is limited to the Executive Leadership and authorised parties such as analysts and IT Security.
E. Firewall Configuration Implications
- Geographic blocking is applied to prevent malicious access from certain locations.
- Routine firewall audits are to be carried out periodically.
- Troubleshooting of any firewall problem must refer to the log records and be carried out by authorised personnel.
F. Additional Policy
Security Awareness
- Security awareness training will be held annually and will cover various frameworks, including ISO 27001:2022 Annex A, the Privacy Act 1988 (Cth), the Cybersecurity Act 2018 and NIST SP 800-53.
- A "See and Report" policy is to be applied in day-to-day operations.
4. Enforcement
This policy is a company standard aligned with various security frameworks. Any breach of this policy may result in penalties, termination of contracts and legal action.
5. References
- ISO 27001:2022 Annex A Controls
- Privacy Act 1988 (Cth)
- Cybersecurity Act 2018
- NIST SP 800-53
Justification of Access Control Policy
The Access Control Policy is Kaplan Financial's strategic response to the daily risk of breach and attack. The policy is also based on multiple information security frameworks that focus on access control, in order to obtain ISO 27001 certification.
The Privacy Act 1988, number 19, section 14, principle 11, on limits on the disclosure of personal information, states that a record-keeper who has possession or control of a record containing personal information shall not disclose that information to a person, body or agency unless the individual concerned has consented. This limit on personal data can be achieved by applying access control to the information systems mentioned above, namely CPM, CRM, HRMS and SIEM, through Role-Based Access Control. This approach aligns with the principle stated in the Privacy Act 1988, number 19, section 14 (Privacy Act, 1988). In the same section, principle 6, on access to records containing personal information, states that where a record-keeper has possession or control of a record containing personal information, the record-keeper has the authority to refuse or provide access under the applicable provisions. This statement also supports the Access Control Policy.
The Cybersecurity Act 2018 addresses data protection and a safe networking environment, stating that information system infrastructures need to implement multiple layers of defence that can prevent attacks and breaches. This can be achieved by applying multi-factor authentication (MFA) and the least privilege principle. These measures are reinforced by periodic provisioning and auditing, which establishes a secure environment with a sustainable and high standard of service.
ChatGPT Interactions