Infosec Scenario


Background:

LHS has just recently acquired RHS and is integrating the infrastructure from RHS. RHS was previously a software consulting company whose mission was to aid clients in reaching compliance with the Capability Maturity Model (CMM). RHS has the following information services in place at their current location:

Service/System/Application | Purpose
E-mail services | administration and operational messaging, also used extensively for customer contact
Public web server | public relations site
Intranet web server | human resources, on-line training courses, billboard for company policies, etc.
Customer Relationship Management (CRM) system | tracks customer information, account status, etc.
Network services | file and print servers, DNS, DHCP, etc.
Internet connection | web browsing and general connectivity
Sales database | sensitive system that stores and processes sales data, projections, etc.
Human Resources database | used for tracking all essential information about people in the company: salary and benefits, address, home phone, next of kin, etc.
Finance system | tracks the accounts payable/receivable and budget of the organization

During acquisition negotiations, you received a report from RHS that detailed the findings of a recent information security audit. The audit was conducted by an independent contractor, and the following observations were made:

Global Observations
  * Backups not encrypted; backups stored in a secure vault in a separate facility
  * Some files owned by obsolete user accounts
  * Sensitive files found on user systems
  * Inventory of systems on the network is incomplete
  * Evidence that sensitive e-mail has been sent unencrypted
  * Inconsistent host configuration (especially laptops)
  * Not all systems patched to same level
  * Network Map displayed in unsecured areas
  * No reporting policy (or records) for host system security problems or issues
  * No...