Developing a Secure Virtual IT Lab Environment for Student Use at Dayton College: Sample Master Thesis
Published: January 19, 2012
Revised: January 23, 2012
Abstract
This paper details the project to design and implement a virtual IT lab environment at Dayton College, a fictitious organization. The need for the project was observed by the author as a consequence of a number of policies and incidents, including Trojan infections of computers in computer labs shared by students involved in different disciplines of study. The benefits to the college of the successful completion of the project will be reduced risk to the systems in the shared labs and the production network. A reduction in operating costs will be an added benefit. The author made the assumption that the college will follow through in certain commitments for cost and resources and that the project will remain a priority.
Contents
Executive Summary
CHAPTER 1: PROJECT DESCRIPTION
.....Project Scope
.....Strategic Information Technology Planning Goals
.....Project Assumptions
CHAPTER 2: INFORMATION SECURITY GOVERNANCE AND PRACTICES
.....Governance
..........Formal Project Proposals
..........Recycle Material
..........Short Iterations and Quick Delivery
..........Avoid Extreme Measures
.....Existing Information Security Practices and Purpose
..........Technical Controls
..........Physical Controls
..........Administrative Controls
.....Emerging Threats
..........Proxy Sites
..........Malware
..........Cyber Crime
.....Countermeasures
CHAPTER 3: Implementation Strategy
.....Project Plan
.....Tasks and Schedule
.....Risk Management
..........Qualitative Analysis
..........Quantitative Analysis
..........Incident Response
..........Incident Reporting
..........Risk Review Process
CHAPTER 4: Project Completion and Recommendations
.....Functional Requirements
.....Lab Design
..........Firewall and Router
..........Internal Network
..........DMZ
..........Internet
.....Organizational Impact
..........Goals Met
.....Recommendations
..........Unique User Accounts and Strong Passwords
..........Monitoring Facilities
..........Incident Reporting
..........User Awareness Training
..........Membership in Security Organizations
Conclusion
Research Topics
References
Appendix A: Dayton College Incident Response Procedure
Appendix B: Acceptable Use Policy
Executive Summary
The purpose of this project; which entails the design and implementation of a Virtual IT Lab Environment for the IT students of Dayton College, is to reduce the risk that the college faces resulting from downloading inappropriate material to the college’ PCs. These downloads combined with an environment of unrestricted web surfing have resulted in frequent Trojan infections and open up the possibility of litigation against the college. Secondary benefits to the college include a reduction in operating costs and providing a safe student lab environment to be used to complete lab assignments and perform experimentation.
This paper presents the planning and implementation in four chapters, beginning with a detailed project description; which includes the project scope, goals, and assumptions. A second chapter focuses on information security governance and practices at the college. This chapter sheds light on the emerging threats facing the college that this project addresses. An implementation strategy is covered in the third chapter complete with the project plan and risk management procedures.
The lab design and road blocks are covered in the fourth chapter. The encountered roadblocks and work-a-rounds are highlighted along with the impact to the organization and recommendations developed as a result of project research.
The conclusion defines the measure for success of the project and presents possible research topics or next steps developed as part of the project post-mortem.
Developing a Secure Virtual IT Lab Environment for Student Use at Dayton College
Dayton College, a fictitious organization, experienced incidents because of a flaw in security policy and network architecture. The incidents involved students downloading inappropriate material to lab computers and a number of resulting Trojan infections. To help eliminate future incidents of this nature an isolated environment for the students is in order. A project was proposed to implement a Virtual IT Lab environment for students pursuing programs in Information Technology (IT). This group of students, with their tech-savvy backgrounds, was identified as the major culprits who take actions leading to the identified types of incidents.
Chapter 1: Project Description
This paper documents the project to design, plan, and implement a virtual lab to be used by students learning fundamental concepts of IT administrative and troubleshooting procedures. This lab will provide the facilities for hands-on learning while isolating the learning systems from the production network of the college. As implied by this brief description of the project, the project applies to an educational institution.
Purpose and Organizational Need
The successful implementation of the virtual lab environment will benefit students by providing the opportunity for real hands-on learning. Currently, the students practice tasks using software simulators; which do not provide the same experience as working on live systems. One of the problems with the current environment is that the IT students share computers with students enrolled in other disciplines, such as Medical Arts. Many of the IT students are fresh out of high school and their maturity levels are at times lacking. Some of these students see the computers that are made available to them as their personal toys and at times leave questionable content behind as remnants of their activities. The virtual lab will provide equipment in a secure environment and help teach students about security policies along with the technical aspects of IT.
Another problem that the project addresses is that of reducing costs. Currently the simulators are provided to the students and the associated costs are absorbed as part of the student’s tuition. The virtual IT lab environment would lower the necessity for the simulators and help reduce that cost.
Project Scope
The scope of the project will encompass the planning, design work, and steps necessary to implement the lab in a functional state. The lab will continue to evolve so not all functionality will be implemented as a result of this project but will continue with future projects. This project is not intended to solve all the security issues of the college.
Strategic Information Technology Planning Goals
The strategic planning goals for the project are to provide an isolated learning environment for the students, to reduce risk to the college, and lower operating costs. Students have no facilities for hands-on training at the present time and this environment conflicts with the published description of the program that the students are pursuing. This conflict could result in serious consequences to the college in the event of an accreditation audit.The most serious consequence would be the loss of accreditation and the loss of financial aid funding. The college is accredited through the Accrediting Commission of Career Schools and Colleges (ACCSC).
ACCSC assesses the effectiveness of an institution’s educational programs by evaluating the infrastructure that supports the delivery of programs as well as educational outcomes, including student achievement. Outcomes demonstrate the effectiveness of educational programs including favorable completion and job placement rates, state licensing examinations and success with employer and student satisfaction. (Accrediting Commission of Career Schools and Colleges, 2010)
Significance and Benefit to Dayton College
The significance and benefit from this project arise from first reducing the risk to the college in the following three areas:
- Loss of accreditation resulting from a conflict with the college’s program description and the actual learning environment
- Loss of financial aid funding for students following a loss of accreditation
- Legal liability resulting from inappropriate content delivered via the Internet
Following the reduction in risk, the college will also benefit from a reduction in the program costs associated with delivering training. Finally, the college will benefit from a versatile lab environment in which students can investigate operational issues associated with various technology platforms including Microsoft Windows and Linux. Alternative uses of technology may also be explored.
Project Assumptions
The assumptions made for this project are that the college will decide to continue the project through to completion following a comprehensive risk analysis and cost benefit analysis. Following approval, the assumption is made that the college will abide by the commitment to supply the needed resources and that other priorities will not override the need for the lab. Space is at a premium as more and more students enroll and more areas are converted into lecture rooms. The assumption is made that the benefit of the lab will override arising needs that may seek to occupy the space.
References
Accrediting Commission of Career Schools and Colleges. (2010). The Accreditation Process.Available from http://www.accsc.org
Broadstairs, K. (2000). 01-2-2 Quantifying Risk. In K. Broadstairs, R. King, & D. O'Conor (Eds.), Risk Management (p. 39). GBR: Scitech Educational.
Dragoon, A. (2003). Governance: Deciding factors. CIO. Retrieved February 18, 2010 from http://www.cio.com/article/29619/Governance_Deciding_Factors?page=1
Eckert, J. W., & Schitka, M. J. (2006). The hacker culture. Linux+ Guide to Linux Certification (2nd Ed.) (pp. 17-18). Boston, MA: Course Technology
GAO. (1998). Executive guide: Information security management--learning from leading organizations: AIMD-98-68. GAO Reports, 1., Government Accounting Office
Georgia Institute of Technoloogy. (2008). Emerging cyber threats for 2009. CU360 , 34 (21), 4-5.
ISO 17799 Portol. (2007). What is ISO 17799? Available from http://17799.denialinfo.com/index.htm
Moteff, J. (2004). Computer Security: A Summary of Selected Federal Laws, ExecutiveOrders,and Presidential Directives. Library of Congress, Congressional Research Service
Panel on Confidentiality Issues Arising from the Integration of Remotely Sensed and SelfIdentifying, & National Research Council. (2007). Putting people on the map: Protecting Confidentiality with linked social-spatial data. Washington, DC: National Academies Press.
Rainer, R., Snyder, C., & Carr, H. (1991). Risk Analysis for information technology. Journal of Management Information Systems , 8 (1), 134-135.
Schiller, C. (2007). Botnets. Network and Systems Professionals Association. Available from http://www.naspa.com/
Schniederjans, ,. M. (2004). Information Technology: Decision-Making Methodology (p. 140).Singapore: World Scientific Publishing Company.
Spammer-X. (2004). Inside the SPAM Cartel: Trade Secrets from the Dark Side. Rockland, MA: Syngress Publishing
Treviano, L. K., & Weaver, G. R. (2003). Managing Ethics in Organizations : A Social ScientificPerspective on Business Ethics. Palo Alto, CA: Stanford University Press.
U.S. Senate. (2009). Safe Internet act: S 1047 IS. Library of Congress.
