Monday, September 30, 2019

Scoliosis Research Paper

Karmin Extra Source Paper

Scoliosis is a complex deformity or curvature of the spine and entire torso and has been recognized clinically for centuries (Asher, Marc A.). “For a few of the patients an underlying cause can be determined, including congenital changes, secondary changes related to neuropathic or myopathic conditions, or later in life from degenerative spondylosis. However, the cause of most scoliosis is not known and since about 1922 such patients have been diagnosed as having idiopathic scoliosis (Asher, Marc A.).” Based on the observation of three distinct periods of climax, scoliosis has been sub-divided into three groups: infantile, before the age of 3; juvenile, age 5 to 8; and adolescent, age 10 until the end of growth. This categorization is now extensively used. “Eighty percent or more of idiopathic scoliosis is of the adolescent variety. As it is often not possible to determine the age of onset, age at presentation/detection is more accurate (Canavese, Federico).” “The prevalence is very dependent on curve size cut-off point, decreasing from 4.5% for curves of 6 degrees or more to only 0.9% for curves of 21° or more. It is also very dependent on sex, being equal for curves of 6–10° but 5.4 girls to 1 boy for curves of 21° or more (Asher, Marc A.).” Adolescent idiopathic scoliosis can probably best be considered as a complex genetic trait disorder. There is often a positive family history but the pattern of inherited susceptibility is not clear. Current information suggests that there is genetic heterogeneity. This indicates that multiple potential factors are acting either dependently or independently in its pathogenesis (Asher, Marc A.).

For deformities up to moderate severity, recognized at a 40 degree curvature, bracing is the most common treatment. Brace treatment has been mainly simulated by directly applying external forces on the rib cage and on the lumbar spine. However, its efficiency in preventing the progression of scoliotic deformities is still controversial and the biomechanics of brace treatment is still poorly understood. For instance, there is still no concurrence about the favorable design of a brace. The shape of the brace, the location of pads attached to the brace, and openings vary amongst orthotists (Clin, Julien).

Nevertheless, brace treatment is favorable in comparison to no treatment at all. For example, the Scoliosis Research Society conducted a study in 1985 to scrutinize the correctness of the bracing treatment. “Patients of the same age, same curve pattern and severity were divided into two groups: one treated with bracing; and the other, untreated. Results published in 1993 demonstrated that brace treatment is effective compared to natural history (Canavese, Federico).” Studies conducted on the number of hours per day of brace-wearing show that the more hours per day the brace is worn, the better the result.

The brace is usually prescribed for full-time wear with some time set aside for bathing, swimming, physical education and sport. The patient should be encouraged to pursue sporting activities while continuing to wear the brace if possible. Contact sports are not allowed with the brace to protect other participants, as the brace can significantly injure another if contacted the right way. These activities generally represent an average of two to four hours a day to ensure that the brace is worn 21 to 23 hours daily (“Minimally Invasive”).

Other treatments of scoliosis include surgical treatment to straighten the curve of the spine (Asher, Marc A.). “Surgical treatment was initiated in 1914. When the results were evaluated in 1941 they were found to be poor. As a result of the untiring work of John Moe, Paul Harrington, and many others these results had considerably improved by 1962. Due to advances in surgery the number of scoliosis curves greater than 100° had dropped considerably by 1973. The indications for surgery as an adult are pain, appearance, and pulmonary problems, i.e. shortness of breath. However, it is unusual for these symptoms to be severe enough to warrant surgery. In addition only those with surgery had pain management problems (Asher, Marc A.).” Although there are some risks associated with surgery they have decreased substantially. Death is very unlikely but can occur, especially in patients operated on as adults (Horn, Pamela). “Knowledge of the natural history of adolescent idiopathic scoliosis has expanded greatly in the last two decades.

It has become clear that only about one in ten curves progresses to the point that treatment with bracing is warranted, and only one in 25, or 0.1%, to the point that surgery is warranted. Bracing appears to prevent about 20% to 40% of appropriately braced curves from progressing 6° or more. Surgery, consisting of instrumentation and arthrodesis has virtually eliminated large thoracic curves. Although most patients are satisfied with their results, follow-up at 20+ years shows significant, clinically relevant decrease in function and increase in pain compared to controls.

Re-operation is required in 6 to 29%. And, a very few have pain management problems (Asher, Marc A.).”

Works Cited

Asher, Marc A., and Douglas C. Burton. “Scoliosis.” Adolescent Idiopathic Scoliosis: Natural History and Long Term Treatment Effects 1 (2006): 1-10. Web. 23 Sept. 2012.

Clin, Julien, Carl-Eric Aubin, Stefan Parent, and Hubert Labelle. “Biomechanical Modeling of Brace Treatment of Scoliosis.” Effects of Gravitational Loads (2011): 743-53. International Federation for Medical and Biological Engineering 2011, 02 Feb. 2011. Web. 3 Sept. 2012.

Canavese, Federico, and Andre Kaelin. “Adolescent Idiopathic Scoliosis: Indications and Efficacy of Nonoperative Treatment.” Indian Journal of Orthopaedics 45.1 (2011): Academic Search Complete. Web. 23 Sept. 2012.

“Minimally Invasive Scoliosis Surgery: An Innovative Technique In Patients With Adolescent Idiopathic Scoliosis.” Scoliosis (17487161) 6.1 (2011): 16-25. Academic Search Complete. Web. 23 Sept. 2012.

Horn, Pamela. “Scoliosis.” Clinician Reviews 22.8 (2012): 16-22. Academic Search Complete. Web. 23 Sept. 2012.

Sunday, September 29, 2019

Fractures of the Distal Tibia: Minimally Invasive Plate Osteosynthesis

Injury, Int. J. Care Injured (2004) 35, 615–620

D. J. Redfern*, S. U. Syed, S. J. M. Davies

Department of Orthopaedics, Frimley Park Hospital NHS Trust, Surrey, UK

Accepted 9 September 2003

KEYWORDS: Minimally invasive plate osteosynthesis; Plate fixation; Fracture; Tibia; Metaphysis

Summary

Unstable fractures of the distal tibia that are not suitable for intramedullary nailing are commonly treated by open reduction and internal fixation and/or external fixation, or treated non-operatively. Treatment of these injuries using minimally invasive plate osteosynthesis (MIPO) techniques may minimise soft tissue injury and damage to the vascular integrity of the fracture fragments. We report the results of 20 patients treated by MIPO for closed fractures of the distal tibia. Their mean age was 38.3 years (range: 17–71 years). Fractures were classified according to the AO system, and intra-articular extensions according to Rüedi and Allgöwer. The mean time to full weight-bearing was 12 weeks (range: 8–20 weeks) and to union was 23 weeks (range: 18–29 weeks), without need for further surgery. There was one malunion, no deep infections and no failures of fixation. MIPO is an effective treatment for closed, unstable fractures of the distal tibia, avoiding the complications associated with more traditional methods of internal fixation and/or external fixation. © 2003 Elsevier Ltd. All rights reserved.

*Corresponding author. Present address: 16 Byfield Road, Isleworth, Middlesex TW7 7AF, UK. Tel.: +44-(0)20-8847-1370; fax: +44-(0)20-8847-1370. E-mail address: david. j. [email  protected] com (D. J. Redfern).

0020-1383/$ - see front matter. doi:10.1016/j.injury.2003.09.005

Introduction

Unstable fractures of the distal tibia with or without intra-articular fracture extension can present a management dilemma. Traditionally, there have been a variety of methods of management described and high rates of associated complications reported. Non-operative treatment can be technically demanding and may be associated with joint stiffness in up to 40% of cases as well as shortening and rotational malunion in over 30% of cases. [14,20] Traditional operative treatment of such injuries is also associated with a high incidence of complications. Intramedullary nailing remains the gold standard for treatment of most diaphyseal fractures of the tibia. However, although some authors have described good results with intramedullary nailing in the treatment of distal peri-articular tibial fractures, it is generally considered unsuitable for such injuries, due to technical difficulty and design limitations. [17,20] Traditional open reduction and internal fixation of such injuries results in extensive soft tissue dissection and periosteal injury and may be associated with high rates of infection, delayed union, and non-union. [5,11,13,18,19,22] Similarly, external fixation of distal tibial fractures may also be associated with a high incidence of complications, with pin infection and loosening in up to 50% of cases and malunion rates of up to 45%. [20]

Minimally invasive plate osteosynthesis (MIPO) may offer biological advantages. MIPO involves minimal soft tissue dissection with preservation of the vascular integrity of the fracture as well as preserving osteogenic fracture haematoma. [3] MIPO techniques have been used successfully in the treatment of distal femoral fractures. [9,10,23] Experience of the application of these techniques to fractures of the distal tibia is less extensive and opinion regarding optimal technique differs. Some authors advocate temporary external fixation prior to definitive MIPO and routine fixation of associated fibula fractures. [7] Others advocate a more selective approach to the role of external fixation and fibular fixation. [2]

Purpose

We report our experience with minimally invasive plate osteosynthesis in the treatment of closed, unstable fractures of the distal tibia that are unsuitable for intramedullary nailing.

Patients and methods

We undertook a review of patients treated by MIPO for unstable fractures of the distal tibia in our hospital, between 1998 and 2001. Twenty-two patients were identified, of whom 20 had follow-up available. Their mean age was 38.3 years (range: 17–71 years). There were 18 males and 4 females. The mechanism of injury was: fall (12); motorcycle accident (6); rugby/football injury (4) (see Table 1). Fractures were classified according to the AO system [12] and distal intra-articular fracture extension classified according to Rüedi and Allgöwer [18] (Table 1). All 20 fractures involved the distal one-third of the tibia and in 5 cases the fracture clearly extended distally in to the ankle joint (Rüedi and Allgöwer grade I in 3 cases and grade II in 2 cases). It is important to note that although 16/20 of the fractures were classified according to the AO system as 42 (diaphyseal), this is somewhat misleading as the ‘essence’ of these fractures was metaphyseal. Within the strict AO system [12] definition of a metaphyseal fracture of the distal tibia (43), the centre of the fracture must lie within a square of sides equal to the widest metaphyseal distance, and the centre of many of our fractures lay just outside of the ‘metaphyseal square’ (Fig. 1a). The fracture pattern was however predominantly long oblique or long spiral and as such extended well into the distal metaphysis ± extension into the joint (Fig. 1).

Table 1 Detailed patient data

| Patient | Age (years) | Mechanism of injury | Fracture classification AO/R&A | Time to callus (weeks) | Time to FWB (weeks) | Time to union (weeks) | Complications |
|---|---|---|---|---|---|---|---|
| 1 | 71 | Fall | 42-A2 | 8 | 12 | 26 | - |
| 2 | 46 | Fall | 42-B1 | 7 | 13 | 24 | Metalwork discomfort |
| 3 | 20 | Football | 42-A2 | 8 | 12 | 20 | - |
| 4 | 32 | Motorcycle RTA | 42-A2 | 8 | 14 | 22 | - |
| 5 | 27 | Twisted | 42-B1 | 8 | 8 | 20 | - |
| 6 | 26 | Motorcycle RTA | 42-C1 | 8 | 20 | 20 | - |
| 7 | 34 | Rugby injury | 42-B1/grade I | 10 | 12 | 24 | Superficial infection |
| 8 | 23 | Rugby injury | 42-A1/grade I | 10 | 12 | 18 | Metalwork discomfort |
| 9 | 26 | Football injury | 42-B1 | 8 | 10 | 28 | Metalwork discomfort |
| 10 | 26 | Motorcycle RTA | 42-B2 | 8 | 17 | 29 | - |
| 11 | 50 | Fall | 42-A1 | 11 | 9 | 24 | - |
| 12 | 59 | Fall | 43-A3/grade II | 8 | 14 | 26 | Malunion |
| 13 | 27 | Fall | 42-A1 | 12 | 13 | 24 | CRPS (type 1) |
| 14 | 39 | Fall | 42-A1 | 12 | 12 | 20 | - |
| 15 | 54 | Fell from wheelchair | 42-B1 | 8 | N/A | 24 | - |
| 16 | 67 | Fall | 42-A1 | 8 | 12 | 20 | - |
| 17 | 25 | Motorcycle RTA | 43-B1 | 10 | 10 | 20 | - |
| 18 | 24 | Motorcycle RTA | 42-A1 | 8 | 13 | 22 | - |
| 19 | 67 | Fall | 43-B1/grade I | 10 | 10 | 24 | - |
| 20 | 46 | Fall | 43-B1/grade II | 10 | 12 | 20 | - |

R&A: Rüedi and Allgöwer.

Figure 1 (a) AP and lateral radiographs of the distal tibia for case 8 (42-A1, R&A grade 1). (b) AP radiograph (case 8) at 10 weeks post-operatively showing callus formation (A); AP radiograph (case 8) at 18 weeks showing radiological union (B).

Indications for use of MIPO technique

These included distal diaphyseal, or metaphyseal fractures of the tibia that were considered unsuitable for intramedullary nailing due to the distal nature of the fracture and/or intra-articular or peri-articular fracture extensions.

Management protocol

Initially, patients were managed in a plaster splint with elevation until definitive fixation could be undertaken. Surgery was undertaken on the next available theatre list and only delayed if soft tissue swelling or anaesthetic concerns dictated that this was necessary. Intravenous antibiotics were given at induction of anaesthesia and two doses following surgery. Post-operatively, patients were not routinely splinted unless deemed unlikely to comply with a partial weight-bearing regime. The majority of patients were encouraged to partial weight-bear on the limb (10–15 kg) from the first post-operative day. Early active and passive knee and ankle motion was encouraged. In the majority of cases, patients were discharged from hospital 24 h following surgery. Clinical and radiological review took place at 6–8 weeks to assess for evidence of callus formation. Patients were allowed to proceed to full weight-bearing on the basis of clinical and radiological evaluation but not before there was radiological evidence of callus. All patients were followed-up for a minimum of 12 months.

Operative technique

Surgery was performed with the patient supine on a radiolucent table. Routine preparation and draping of the injured limb was performed. Both indirect and direct techniques of fracture reduction were used depending upon the nature and pattern of the fracture. Reduction techniques employed included the use of manual traction, the AO femoral distracter, the AO articulated fracture distractor, and direct reduction with fracture reduction forceps across the fracture (via two stab incisions). A 2 cm incision was made proximal and distal to the fracture on the medial border of the tibia. An extraperiosteal, subcutaneous tunnel could then be fashioned between these two incisions using blunt dissection. A pre-measured and pre-contoured narrow 4.5 mm DCP was then positioned in this extra-periosteal subcutaneous tunnel (Fig. 2). Accurate plate contouring and positioning was confirmed by fluoroscopy. The length of plate selected is important and should be as long as is reasonably possible given the particular fracture pattern. As the length of plate is increased, the strength of the fixation construct is also increased. [21] A cortical screw (4.5 mm) was then inserted through a screw hole at one end of the plate via the incisions already made for plate insertion. At this stage, axial fracture alignment was confirmed before inserting any further screws. Subsequent screws were inserted close to either side of the fracture via stab incisions. Further screws may be used depending upon the characteristics of the fracture. If possible, a lag screw was also inserted across the fracture (via the plate) in order to further reduce the fracture gap and add to the rigidity of the fixation. However, because the technique employs a bridge plating principle, interfragmentary lag screws were not felt to be obligatory. It is not necessary to place screws through all of the remaining holes in the plate as this does not further increase the strength or rigidity of the fixation construct [4,21] but does require further skin incisions, providing more potential portals of entry for infection (Fig. 1b). The fibula was not fixed unless necessary for accurate reconstruction of length such as encountered with some severely comminuted fractures. With fractures extending into the ankle joint, careful attention was paid to restoration of the articular surface continuity and 3.5 mm cortical screws inserted through stab incisions or formal open exposure as required.

Figure 2 Pre-contoured plate insertion with fracture reduction maintained by direct technique.

Results

Of the 20 patients presented, 12 were operated upon within 24 h of the injury, and 16 within 72 h of the injury. Surgery was delayed in the remaining four patients due to: transfer from another hospital (1); swelling at the site of injury (1); medical problems (1); and for further imaging (1). The surgery was performed by, or supervised by, one of six consultant orthopaedic surgeons in the department. In only one case was it deemed necessary to fix the fibula in order to accurately reconstruct length before proceeding to minimally invasive plating of the tibia. The mean hospital stay was 6 days (range: 2–31 days). The mean time to radiological evidence of callus formation was 9 weeks (range: 7–12 weeks). Sixty percent of patients achieved radiological callus by 8 weeks and all by 3 months (Table 1 and Fig. 2). The mean time to full weight-bearing was 12 weeks (range: 8–20 weeks) and the mean time to union was 23 weeks (range: 18–29 weeks). There were no non-unions and one malunion in whom there was >5° of varus angulation. There were no cases of failure of fixation. Three soldiers have subsequently had their metalwork removed due to discomfort during training, and have reported no further symptoms. One patient required exchange of a distal screw that was too long and was impinging upon the distal tibia-fibula joint. A further patient developed type I complex regional pain syndrome (CRPS). He required guanethidine blocks to control his pain. There were no deep infections (one superficial infection which resolved on oral antibiotics). Sixteen of the 20 patients were employed at the time of their injury. Six patients were soldiers. All patients in this study have subsequently returned to their pre-injury occupations/level of activity.

Discussion

Favourable results have been described using minimally invasive plate osteosynthesis techniques for fixation of distal femoral fractures. [9,10,23] Cadaveric and animal studies have emphasised the importance of minimising the degree of soft tissue damage in the region of long bone fractures. [3,16,24] Recently, Borrelli et al. [1] have demonstrated that the distal metaphyseal region of the tibia has a relatively rich extraosseous blood supply, provided primarily by branches of the anterior tibial and posterior tibial arteries. They also demonstrated that open plating in this region produces significantly greater disruption of this extraosseous blood supply than minimally invasive plate application. Helfet et al. [7] described their experience with MIPO in 20 closed pilon fractures and advocated routine use of external fixation acutely, followed by definitive fixation 5–7 days later once the swelling has subsided. They also advocated the routine fixation of associated fibula fractures. They splinted the limb post-operatively but allowed toe-touch weight-bearing (20 lb) from the first post-operative day. Their patients achieved full weight-bearing at an average of 10.7 weeks (range: 8–16 weeks).
Malunion occurred in 20% of cases although all patients had a good functional outcome and none required any further surgery. Collinge et al. [2] have reported their experience using MIPO in 17 tibial shaft fractures. Twelve cases had open injuries and five of these required bone grafting at a later stage such that they suggested that this should be considered at an early stage in such injuries. The five patients with closed injuries had complete union after the index procedure with no cases of malunion or infection. These closed injuries all achieved a good functional outcome. They routinely splinted the limb post-operatively with weight-bearing commenced at approximately 12 weeks. In this series, we confirm that good results can be obtained with this technique in the treatment of closed tibial fractures with intra-articular or periarticular fracture extensions, which are not suitable for intramedullary nailing. However, intramedullary nailing still remains the treatment of choice for most uncomplicated diaphyseal fractures of the tibia. We would not advocate the routine use of external fixation in the acute management of such injuries, except in some open injuries with extensive soft tissue damage. Early definitive surgery negates the need for any form of temporary fixation other than a POP back-slab for closed fractures. This avoids the added risk of complications arising from the use of such devices. It is our experience that fixation of the fibula is not necessary except to aid in reconstruction of length when there is extensive comminution of the tibial fracture. In the current series (and those of Collinge et al. [2] and Koury et al.), a 4.5 mm DCP has been used with satisfactory results. However, this is a relatively bulky implant and lower profile plate designs might be expected to result in a lower incidence of postoperative metalwork discomfort along this subcutaneous medial aspect of the tibia, especially in the region of the medial malleolus.
This in turn may reduce the need for subsequent implant removal. Other recent developments in plate design include pre-contoured and locking plates (e.g. LCP system, Synthes), which may offer significant advantages. The ‘internal fixator’ design of locking plates has the advantage that screw insertion does not draw the bony fragments to the plate (as occurs with traditional non-locking plates) and hence, the precise contouring of the plate is less important in achieving accurate fracture reduction. [6,15] For the same reason, the footprint of the locking plates should also be significantly smaller than traditional non-locking plates, hence preserving periosteal blood supply to the fracture. [6] In the majority of cases, we have found it possible to safely mobilise patients, partial weight-bearing (10–15 kg), from the first post-operative day without external splintage of the limb. This also allows early mobilisation of the knee, ankle and subtalar joints.

Conclusion

Whilst intramedullary nailing still remains the treatment of choice for most uncomplicated diaphyseal fractures of the tibia, minimally invasive plate osteosynthesis offers a reliable and reproducible technique in the treatment of closed unstable fractures of the distal tibia with intra-articular or periarticular fracture extensions. This technique may avoid the significant complications encountered with more commonly used techniques of internal fixation and external fixation in such injuries.

References

1. Borrelli J, Prickett W, Song E, Becker D, Ricci W. Extraosseous blood supply of the tibia and the effects of different plating techniques: a human cadaveric study. J Orthop Trauma 2002;16:691–5.
2. Collinge C, Sanders R, DiPasquale T. Treatment of complex tibial periarticular fractures using percutaneous techniques. Clin Orthop 2000;375:69–77.
3. Farouk O, Krettek C, Miclau T, Schandelmaier P, Guy P, Tscherne H. Minimally invasive plate osteosynthesis and vascularity: preliminary results of a cadaver injection study. Injury 1997;28:S-A7–S-A12.
4. Field RJ, Törnkvist H, Hearn TC, et al. The influence of screw omission on construct stiffness and bone surface strain in the application of bone plates to cadaveric bone. Injury 1999;30:591–8.
5. Fisher WD, Hambledon DL. Problems and pitfalls of compression fixation of long bone fractures: a review of results and complications. Injury 1978;10:99–107.
6. Frigg R. Locking compression plate (LCP). An osteosynthesis plate based on the dynamic compression plate and point contact fixator (PC-Fix). Injury 2001;32:S-B63–6.
7. Helfet DL, Shonnard PY, Levine D, Borrelli J. Minimally invasive plate osteosynthesis of distal fractures of the tibia. Injury 1997;28:S-A42–8.
8. Koury A, Liebergall M, London E, Mosheiff R. Percutaneus plating of distal tibial fractures. Foot Ankle Int 2002;23:818–24.
9. Krettek C, Schandelmaier P, Miclau T, Tscherne H. Minimally invasive percutaneous plate osteosynthesis (MIPPO) using the DCS in proximal and distal femoral fractures. Injury 1997;28:S-A20–30.
10. Krettek C, Schandelmaier P, Miclau T, Bertram R, Holmes W, Tscherne H. Transarticular joint reconstruction and indirect plate osteosynthesis for complex distal supracondylar femoral fractures. Injury 1997;28:S-A31–41.
11. McFerran MA, Smith SW, Boulas HJ, Schwartz HS. Complications encountered in the treatment of pilon fractures. J Orthop Trauma 1992;6:273–85.
12. Muller ME, Nazarian S, Koch P, Schatzker J. The comprehensive classification of fractures of long bones. Berlin: Springer-Verlag; 1990.
13. Olerud S, Karlstrom G. Tibial fractures treated by AO compression osteosynthesis. Acta Orthop Scand Suppl 1972;1:1–104.
14. Oni OO, Stafford H, Gergg PJ. A study of diaphyseal fracture repair using tissue isolation techniques. Injury 1992;23:467–70.
15. Perren SM. Editorial. Injury 2002;33:S-A-VI–S-A-VII.
16. Rhinelander F. The normal microcirculation of diaphyseal cortex and its response to fracture. J Bone Joint Surg Am 1968;50A:784–800.
17. Robinson CM, McLaughlan GJ, Mclean IP, Court-Brown CM. Distal metaphyseal fractures of the tibia with minimal involvement of the ankle. Classification and treatment by locked intramedullary nailing. J Bone Joint Surg Br 1995;77B:781–7.
18. Rüedi T, Allgöwer M. Fractures of the lower end of the tibia into the ankle joint. Injury 1969;1:92.
19. Rüedi T, Allgöwer M. The operative treatment of intra-articular fractures of the lower end of the tibia. Clin Orthop 1979;138:105–10.
20. Russell TA. Fractures of the tibia and fibula. In: Rockwood CA, Green DP, Buckolz RW, Heckman JD, editors. Fractures in adults. 4th ed. Philadelphia: Lippincott; 1996. p. 2139–57.
21. Sanders R, Haidukewych GJ, Milne T, et al. Minimal versus maximal plate fixation techniques of the ulna: the biomechanical effect of number of screws and plate length. J Orthop Trauma 2002;16:166–71.
22. Tornetta III P, Weiner L, Bergman M, et al. Pilon fractures: treatment with combined internal and external fixation. J Orthop Trauma 1993;7:489–96.
23. Wenda K, Runkel M, Degreif J, Rudig L. Minimally invasive plate fixation in femoral shaft fractures. Injury 1997;28:S-A13–9.
24. Whiteside L, Lesker PA. The effects of periosteal and subperiosteal dissection. J Bone Joint Surg Am 1978;60A:26–30.

Saturday, September 28, 2019

Customer service Essay Example | Topics and Well Written Essays - 2000 words

It has become a need for most and strives to satisfy their taste buds and continues to grow (Cantalupo, 2004). Each country has its own Country Manager and General Manager that look after the proceedings of the network existing in that country. Furthermore, management is diversified in each city and each outlet to keep responsibilities defined, yet all the outlets are connected in a chain and are part of a supply chain that ensures safe and healthy food for the valued customers. Its various departments work efficiently and coherently with each other to achieve good quality and excellent service. Time management is the major factor in running such a vast chain of quick service restaurants. For this, the supply chain management module is the key to everything. Suppliers need to be trusted and responsible entities, as the supply of raw material should be smooth and timely. They have to keep a backup of stock so that there is no possibility of shortage or unavailability of an order (Lessnau, 2004). For this they need to keep a constant track of each and every supply of raw materials and require coordination among all departments. During our interview at McDonalds I was told that they forecast three months ahead while managing their supply chain. For instance, now in the month of April, they were forecasting the supply until July and keeping all factors in mind to ensure that there is no shortage or other issues. This requires a coherent hierarchy of authorities and coordination among departments, thus giving rise to proper and smooth vertical as well as horizontal communication (Phillips, 2004). The service process at McDonalds is based on Physical or service product bundle theory. They are a restaurant that has its USP not just in the product they are providing but also in the service that accompanies it. Another major aspect of the design process of McDonalds is their face to face interaction with their customers.
All of their sales take place after interaction with a McDonalds rep and this is why they play such an integral role in the whole design process. Whether it is the restaurant counter, drive through or hotline for delivery, customers make their purchase through the representative (Chase, Jacobs & Aquilano, 2004). With so many channels of sale in place, it is imperative to have a service process that is flawless. With millions of customers rolling in every day all around the world and tons of food being sold, any glitch in the design process could prove fatal. In this report, we will be studying the current service process system in place at McDonalds and proposing a new and improved one for them.

The service design blueprint

The process in place in McDonalds is structured on an exquisite supply chain management module that makes it the success it is today. Following is a blueprint of the ordering process when a customer places an order at McDonalds. The above blueprint explains how the restaurant backroom functions when a customer places an order. This shows the movements of the ingredients from the time the order is placed till the time the order is finally delivered to the customer. However, one thing missing in this is the process where the raw material or the supply chain is being handled. Following is a separate module that McDonalds have in place for that: As displayed in the process

Friday, September 27, 2019

Country paper Essay Example | Topics and Well Written Essays - 1250 words - 1

The country is endowed with a number of minerals such as emerald, iron, copper, bauxite and gold. The temperatures along the coastline are usually high for most of the year. The interior is usually warm even during the cool season that falls between April and September. The country has an estimated population of about 24,692,144, of which the Maku Lomwe of the north account for more than half. The country has over 9 ethnic groups. The larger demographic of the population is between the ages of 25 and 54, with females accounting for 3,553,256 while males account for 3,113,095. The major religions are Roman Catholics (28.4%) and Muslims (17.9%). Two political organizations, Frelimo and Renamo, dominate the country, though multi-party democracy is allowed. As of 2013, the Gross Domestic Product stood at 15.63 Billion dollars with 25.83 Million people living under or dangerously close to the poverty line. The per capita income in the same period stood at $605.5. As of 2013, statistics illustrated that domestic tourism accounted for 7.2% of Mozambique’s economic growth. The country’s population is not as indulgent in tourism because they are focused more on development through agriculture. In the same period, international tourism only brought in 6.11% of the economic development. This could be attributed to low levels of tourism promotion. The infrastructural development is substantially low and is rated amongst the worst in the world. In light of this, the country’s government has taken measures to try to improve this. Notably, the development of infrastructure is directly linked to the success of tourism. $17 Billion has been invested in pipeline development in a bid to improve economic growth. Mozambique has 7700 hotel beds that register only a 40% occupancy rate. The country is challenged with access to land for hotel development in terms of speed and availability for access.

Thursday, September 26, 2019

Ethics in communication Essay Example | Topics and Well Written Essays - 1250 words

The word ethics is described as the fundamental will to act and conduct oneself properly in society. Ethics is a Greek word that means to appeal. It shows concern for honorable people with dependable personality and appropriate behavior. It plays a major role in deciding what is good and what is bad (Ward). In journalism, many ethical issues need to be followed when reporting or publishing any information. This is because any information disseminated by journalists is taken with the seriousness and weight it comes with. The ramifications of this information can be dire. Journalists are guided on how to conduct themselves by a code of ethics. One of the most important ethical rules is that a journalist shall desist from any information or action that may harm the reputation of the journalist or of his organization. Journalists deal a lot with information, and there is a need to verify information before airing or publishing it. In addition, they are supposed to conduct themselves well and in a manner that portrays their professionalism. A journalist should not accept bribes or gifts in return for favors. In addition, he should not threaten anyone with the publication of damaging materials. Journalists have access to a lot of information and, at times, they are bribed or are tempted to threaten individuals with this information. Doing this goes against the code of ethics. It undermines the quality of publications and the vows that a journalist is sworn under (journalism ethics).

Ethical issues in advertising (sexism and children)

Advertising is the driving force behind many businesses. Advertisements help consumers know what products are in the market. The objective of an advertisement is to wow the customer and convince the customer to buy the product. For many years, advertisements have been criticized for the way they portray the message. These criticisms have arisen because of advertisements flouting ethical issues.
Advertising is also guided by ethics that allow fair play and creation of good advertisements (Singh, Vij). The two issues that this advertisement faults are sexism and children. Sexism is used in advertising as an attraction tool in many advertisements. This is because the female figure attracts attention (Kuluttaja). Sexism is used in advertising in many ways. One way of using sexism is showing a half naked body in an advertisement, also two people having intimate moments in an advertisemen

Wednesday, September 25, 2019

COMPARE THE PARTY LINE AND WOMEN TALK TOO MUCH Article

The article shows that in many situations men talk more than women do, instilling dominance in different scenarios. Men usually want to ensure their points are taken on board in interviews. This is reflected in the study done in New Zealand, where it was established that men control more of the talking time. The article shows that men talk more than women in public settings such as official meetings, seminars, or task activities. It shows that men are more concerned with their status than women are (Holmes, 2006). The article highlights that women do talk more than men in other situations, especially where they use talk to develop personal relationships and can make connections rather than proving points to the public. Women talk more about family and when in the majority. It seems that how much women talk depends on their context (Karpf, 2006).

The article "The Party Line" by Rachael Rafelman (2006) shows that women generally want to be heard, and that listening is an integral part of girl talk because communication is reciprocal and womenfolk require this from each other. The article states that men are boring when both women and men are engaged in the same conversation, while women seem more interesting than their male counterparts. Men enjoy talking about business and avoid personal matters. Women in conversation look for ways to connect and prefer disclosure of details, whereas men do not disclose personal information easily (Rafelman, 2006). The article by Rafelman (2006) speaks about how women are traditionally expected to keep conversations going in traditional female social functions, where women draw people out and enable them to talk about themselves. It highlights that women's capabilities are undermined because they are not celebrated. Women's speech tends to be soft in conversations, and this is due to their nature. In this article of "the Party

Tuesday, September 24, 2019

One page reflection on the learning outcomes Coursework

The fin geometry has a significant impact on the performance of a car radiator. There are four major geometric flow configurations for radiators. The geometry of the fin determines the amount of heat lost from the car engine to the atmosphere and hence determines the performance of a car radiator. Car radiators normally use crossflow two-stream geometry. The heat transfer performance of a radiator can be determined by calculating the Nusselt number. The value of the Nusselt number increases as the Reynolds number increases. The performance of the heat exchanger increases with the Nusselt number. As such, the Nusselt number is directly proportional to the performance of the heat exchanger. This assignment makes an invaluable contribution to the UniSA graduate qualities by equipping graduates with essential knowledge for manufacturing radiators, particularly car radiators, and for developing innovative ideas to improve the radiator, which is one of the most crucial components of the car

Monday, September 23, 2019

Religious Perspectives Essay Example | Topics and Well Written Essays - 500 words

As such, each forbids evil and enjoins good. That is the crux of any similarity in their perspectives. They seem to disagree on the very reason for the sermon. Popular observance of some holidays in honor of individuals is the main point of ideological contention between the speakers. The announcer leans toward approval while implying Shaykh Mahmud was somehow opposed (Windows, 109). He embraces the legendary remembrance of individuals. He focuses on the fallibility of scholars, especially how they could inadvertently thwart good in their nearsightedness (Windows, 110). Shaykh Mahmud's sermon was a pretty standard "Be fair to others and praise your Maker" sermon. He did not explicitly oppose anything of the sort (Windows, 110 - 116). His non-mention of Sidi 'Abd ar-Rahman 'Uthman ash-Shahawi could be interpreted as a rejection of the proceedings.

Each speaker establishes a distinct position on how they believe Islam should be performed. The announcer approaches the celebration in terms of the overt observance of a holiday born in modern legend and appeals mostly to logic. Shaykh Mahmud approaches it in terms of the esoteric message and appeals mostly to the Qur'an and the Sunnah of the Prophet Muhammad (SWS). One may infer certain points about the different ways that some contemporary Muslims think about Muslim devotional practices.

Sunday, September 22, 2019

The Rise of Civil Regulations as a Method for Advancing Global Essay

This paper serves to showcase how the increasingly in-demand adherence to civil rights can be used to advance global corporate social responsibility. Civil regulation only tries to encourage corporations to exercise suitable practices that will ensure a threat-free environment. The government has always tried to intervene in the daily running of organizations in order to preserve civil rights for workers in organizations. Non-governmental organizations also come in to offer help within the framework of the program.

Non-Governmental Organizations (NGOs)

Different NGOs use different tactics to try to persuade large multinational corporations (MNCs) into complying with their policies regarding civil rights. Some will try talking an organization into agreeing on certain terms of operation, e.g. employment criteria, while other NGOs will identify the weakness of an organization and exploit it (Dewey and Tufts 23). Recently, NGOs have increased their interest in business, implying that globalization is taking a major turn of events, with large organizations from different parts coming together; e.g. Amnesty International and Human Rights Watch were formed to fight civil rights violations like abuse of freedom of expression, unfair sentences and other injustices. In the past few years, NGOs such as Amnesty International have made their intentions clear by stressing the relationship between human rights and globalization. These NGOs are advocating against child labor and the mistreatment of workers, and in cases involving the trafficking of women and girls, most recently involving energy countries such as Nigeria, Burma, India and Sudan. Another reason for major NGOs' increased involvement with multinational corporations (MNCs) is the need to get support from them and be associated with the MNCs' managerial personnel.
NGOs are always on the hunt for sponsorship, but this scenario changes with some organizations, as their main involvement with MNCs is based on business reasons, with civil rights coming in as a minor reason, which helps diversify the organizations in terms of their products and services. Prior to World War 2, Walter Rathenau, a German, said that the growth of business corporations had a significant effect on society. According to Morton (44), the interest of an organization might be entirely financial; most of the activities carried out on a daily basis are serving the public interest. According to Dewey and Tufts (23), it is not sufficient to view companies as purely economic machines, and companies should be involved in public duty too.

Soft Law

Most civil rights do not appear in a country's constitution as law, but they are often advocated for; thus, the government cannot be liable for all these rights. Therefore, companies have to take the initiative of establishing and implementing the reflexive law. Some companies use environmental contracts to enhance corporate social responsibility (CSR). Laws are made and passed regarding certain practices by the corporations, bound by a given NGO, and when they are broken there are stipulated penalties to be faced. If a company is bound within a given contract, it can make more progress towards finding reliable solutions rather than depending on the normal laws of the government. In essence, CSR can help the government to meet the needs of the society e.g. the United Kingdom’

Saturday, September 21, 2019

Free

Free software Essay

The freedom to run the program, for any purpose (freedom 0). The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this. The freedom to redistribute copies so you can help your neighbor (freedom 2). The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this. You are free to (1) study it, (2) redistribute it, and (3) modify it.

2. Why is Linux popular? Why is it popular in academia?

Bell Labs offered it to educational institutions at nominal cost. The schools, in turn, used it in their computer science programs, ensuring that computer science students became familiar with it. Because UNIX was such an advanced development system, the students became acclimated to a sophisticated programming environment. As these students graduated and went into industry, they expected to work in a similarly advanced environment. As more of them worked their way up the ladder in the commercial world, the UNIX operating system found its way into industry. The source code for the operating system is readily available so that students can understand more easily how GNU/Linux works and can modify the code further to understand its operation and change the way it works.

3. What are multiuser systems? Why are they successful?

Sharing the computer's power among many users and giving them the ability to share data and programs are central features of the system. A multiuser operating system allows many people to use all of the system resources almost simultaneously. The use of costly resources can be maximized and the cost per user can be minimized, the primary objectives of a multiuser operating system.

4. What is the Free Software Foundation/GNU? What is Linux? Which parts of the Linux operating system did each provide? Who else has helped build and refine this operating system?

The Free Software Foundation (www.fsf.org) is the principal organizational sponsor of the GNU Project. GNU developed many of the tools, including the C compiler, that are part of the GNU/Linux Operating System. Linux is the name of an operating system kernel developed by Linus Torvalds and expanded and improved by thousands of people on the Internet. Torvalds's kernel and GNU's tools work together as the GNU/Linux Operating System.

5. In which language is Linux written? What does the language have to do with the success of Linux?

95% is written in C. Because Linux is portable, it can be adapted (ported) to different machines and can meet special requirements. For example, Linux is used in embedded computers, such as the ones found in cellphones, PDAs, and the cable boxes on top of many TVs. The file structure takes full advantage of large, fast hard disks. Equally important, Linux was originally designed as a multiuser operating system; it was not modified to serve several users as an afterthought. Sharing the computer's power among many users and giving them the ability to share data and programs are central features of the system.

6. What is a utility program?

Often referred to as commands, these utilities perform functions that are universally required by users. The sort utility, for example, puts lists (or groups of lists) in alphabetical or numerical order and can be used to sort lists by part number, last name, city, ZIP code, telephone number, age, size, cost, and so forth. A utility (program), sometimes referred to as a command, is a program that performs a task that is frequently related to the operating system. A utility is simpler than an application program, although there is no clear line separating the two.

7. What is a shell? How does it work with the kernel? With the user?

In a textual environment, the shell (the command interpreter) acts as an interface between you and the operating system. It is the link between the user and the kernel, used to tell the kernel what to do or to view what the kernel is doing. It is the command line interface that accepts input from the user.

8. How can you use utility programs and a shell to create your own applications?

Write a shell script, also called a shell program, or a batch file under DOS. A shell script is one or more command lines contained in a file. Make the file executable and give the name of the file as a command: the shell executes the commands in the file, as though you had typed each command individually.

9. Why is the Linux filesystem referred to as hierarchical?

The Linux filesystem provides a structure whereby files are arranged under directories, which are like folders or boxes. Each directory has a name and can hold other files and directories. Directories, in turn, are arranged under other directories, and so forth, in a treelike organization. This structure helps users keep track of large numbers of files by grouping related files in directories. Each user has one primary directory and as many subdirectories as required.

10. What is the difference between a multiprocessor and a multiprocessing system?

A multiprocessor is a computer that has more than one processor (processing unit), and a multiprocessing system is one that can process multiple tasks at the same time. Multiprocessing is the use of more than one CPU in a computer system.

11. Give an example of when you would want to use a multiprocessing system.

Multiprocessing is the use of more than one CPU in a computer system, so when you have more than one CPU you can take advantage of it. Multiprocessing sometimes refers to the execution of multiple concurrent software processes in a system, as opposed to a single process at any one instant.

12. Approximately how many people wrote Linux? Why is this project unique?

The Linux kernel was developed by Finnish undergraduate student Linus Torvalds. The Linux operating system, which was developed through the cooperation of many, many people around the world, is a product of the Internet and is free.

13. What are the key terms of the GNU General Public License?

The GPL says you have the right to copy, modify, and redistribute the code covered by the agreement. When you redistribute the code, however, you must also distribute the same license with the code, thereby making the code and the license inseparable.

Friday, September 20, 2019

Security Forensics and Risk Management

Acknowledgement

Foremost, I would like to say thanks to God for all the support in all my life, and secondly to the University of Greenwich for giving me this, my life's aim, to complete my masters. Next, my supervisor Professor Kevin Parrott for the support he gave, because without his support I wouldn't be able to complete my project with this quality. Especially the suggestions and appreciation given by my supervisor made me feel better and gave me positive thinking. Finally, I need to thank my family and friends for their unbelievable support and encouragement.

Abstract

As we are in the information era, the world is changing to use electronic means for day-to-day use. Paper documents are gone and most organisations are paper-free for many reasons such as pollution, ease, speed, etc. At the same time, digital media have availability, scalability, confidentiality and integrity, which are required behaviours for secure communication. Risk increases with the increasing use of computers and digital means, and a single security gap may cause huge losses. Some surveys say most crimes are happening through electronic means and the target is a computer or computer peripherals. If the attacker finds a single security gap, that is enough to start and break the whole system; the gap could be a configuration mistake, a firewall issue or, basically, a problem in the protection mechanism. For these reasons testing becomes very important, and this process is called auditing. There are many types of auditing, and auditing requires technical knowledge to make these tests perfect and to give an audit report including suggestions. Auditing falls into two main categories: automatic and manual. A test is efficient if it is automated using testing tools; this is called an automated or computerised test. Even so, some tests cannot be automated and need to be carried out manually.
This auditing covers network security tests, physical or environmental security tests, and computer security tests, which include software and hardware tests. The computerised test is carried out with security tools, and the manual test uses a questionnaire to minimise human errors, mainly forgetting.

Security audit is the technical assessment of the application or system. The assessment may be manual or systematic or both. In most cases the auditing process uses both manual and systematic/automatic methods, because some tests cannot be automated, such as review of the security policy, asset management, etc.

Auditing has different types, such as internal or external. The type depends on the company size and the resource availability. Usually big companies have their own security auditor, so they perform the audit internally, while small and medium-sized companies mostly hire an auditor from outside. Both types have pros and cons in security and financial terms.

Chapter 1 Introduction

This chapter largely contains non-technical information to give an understanding of the high-level objectives. It also describes the techniques and technologies used in the project and the research to accomplish the project.

Objective

Audit

The audit is a systematic or manual security assessment of the network, infrastructure, system, etc. A complete audit should be a combination of manual and automatic assessment, because for every test target there will be some tests that cannot be automated. The audit has many categories, and the following paragraphs explain the categories and the functions or techniques behind them. There are 3 controls in the auditing process, which are:

Preventive control

The preventive controls are controls, in the form of software or hardware or any configuration, to prevent errors or vulnerabilities.
This is an active type of control that always monitors the interface for any vulnerabilities and blocks such vulnerabilities or errors before they enter the system or infrastructure. This is the most effective control mechanism because it does not allow the vulnerabilities in.

Detective control

The detective controls are put in place to monitor for vulnerabilities, in the form of software or hardware. The difference between preventive and detective is that the preventive control won't allow the vulnerabilities into the system, whereas the detective control allows everything to enter and corrects the vulnerabilities after they enter. The best example of this control is a fire alarm, because a fire alarm won't prevent the fire beforehand, but if there is any fire it will work.

Corrective controls

The corrective controls are the controls to correct the error or issue before it does any harm. This is a very important control for all places even if they have other controls, because some issues or vulnerabilities cannot be detected by the controls if they come and attack, so there should be some control to correct those before loss occurs. In addition, the controls should be up to date, such as the latest firmware or latest definitions.

Type of auditors

There are two basic types of auditors in the information era: internal and external auditors. The selection of the auditor is done by the management based on the financial status of the organisation, the size of the organisation and the policies defined in the company.

Internal auditors

Internal auditors are auditors who belong to the particular company that is going to perform the audit. That means the auditor is an employee of the company. So the auditor is always available to do the auditing, and data or information is kept within the organisation. This is the main advantage of having an internal auditor. At the same time, if the employee is purposely recruited for auditing, then it costs a lot for the company.
So it is only possible for big companies, because they have huge investments and revenue. The disadvantage of the internal auditor is that they may not be up to date and may not know the current market or audit status, such as new techniques and tools.

External auditors

The auditor is recruited from another auditing firm for the audit. It is very hard to find a professional auditor because of availability, and as the auditor is recruited from outside, company information may go out. At the same time, the auditor needs some time to get to know and understand the company process. But the advantage of recruiting an external auditor is their knowledge, and it is suitable for medium and small companies.

Types of Audit:

Traditional Audit

It is just like manual auditing. It is useful when working with a large amount of data in a large company. Here the auditor takes some sample data from different places and then provides a report.

Advantage:
- Easy
- Cheaper

Disadvantage:
- Does not always provide correct information.
- In the IT sector it is not useful.

Software audit:

Software audit is widely popular for any educational institute or organization. It is like a review of the software and the system that can find all information about the system, such as operating system, application software, processor, drives, controllers, bus adapters, multimedia, virus protection, system model, main circuit board, memory models, local drive volumes, network drives, printer information, etc. There are many auditing tools on the market, such as Belarc Advisor and E-Z Audit, that are very powerful. KW116 is the main Lab for the School of Computing and Mathematical Science at the University of Greenwich. CMS has installed lots of software for students to continue study or research. According to the Copyright, Designs and Patents Act 1988, all software must have a valid licence to continue the process.
As the Lab uses a large amount of software, and different software expires at different times, it is very difficult for the Lab administrator to keep all licences up to date by manual checks. Only auditing by software makes it possible to give a detailed report to the administrator to keep the system safe.

Advantages:
- Correct information: A machine always provides the correct information, so there is less chance of incorrect information.
- Save time: Software very quickly provides a report of the system, so it saves time.
- Detailed description: It provides a detailed description of the system, including any warnings or licence issues, etc.
- Minimise the cost: By implementing the software audit, two people's work may be possible with one person, so it reduces the extra cost.

Disadvantages:
- Investment cost: Software is very expensive, so the university needs extra money to buy this software.
- Risk: The auditor knows the detailed information of the system.
- Work flow: The auditor needs part of the lab to check the system, so it interrupts the student workflow.

The approach

The typical audit has different approaches to collecting the data. A single audit will use multiple techniques to gather full information, and it is necessary to use different techniques for different levels of people. These are the common techniques.

Interview

This technique is used to collect information from outside people or top-level people, and the number should be limited. During the interview the auditor or interviewer asks questions of the other people and collects the information. So the person will be well prepared for the interview. This is a very robust method because it allows people to express themselves fully, and the method is also simple, as it is talking, which is a natural way to communicate. Another advantage is that this is bidirectional communication, meaning both parties are allowed to ask questions for clarification or to gather information.

Observation

This method is used where real-time process monitoring or behavioural change is required.
This is a powerful way of capturing changes throughout the audit, because the other techniques that currently exist cannot provide real-time information.

Inspection

This technique requires performing some action on the collected data to obtain audit-related information. It is a form of observation with advanced criteria expected: an extended version of observation in which the auditor applies advanced criteria to gather the data necessary for the audit.

After collecting the data, the next step is to identify the weaknesses and process them. Identifying is the key work in the audit, followed by categorising. Identification uses some techniques to make it easy, precise and professional. The techniques used here are:

Root cause analysis

A general technique to analyse and get a better solution for the vulnerability or weakness. This technique drills down into the issue, finds the root and fixes the weakness. The basic idea behind it is that if the root is fixed, it will automatically fix all other problems related to it. So it simply closes all related issues at once. As mentioned, it is an easy and robust way to stop the issues that exist and the issues that may come in the future.

After root cause analysis, the next step is to get the solution for the root of the issue. The important thing here is choosing a better and more effective solution for the issue. The selection depends on some external and internal restrictions:
- Organisation policy
- Cost per benefit
- Legal restrictions
- Availability
- Compatibility
- Vendor and certification

Advantage of having Auditing:

Satisfaction: It brings confidence to the Lab administrator of the University of Greenwich to continue the business process. An owner always wonders whether there is any gap that could break the continuity of the business.

Detection and prevention of errors: Humans can make errors at any time. No one can say there is no error in their company. Through auditing, people can find the errors and get suggestions for recovering from them.
Detection and prevention of fraud: It is just like errors. Sometimes a user does this intentionally or unintentionally. So after the audit we can find out the fraud.

Verification of the Licences: The KW116 Lab installs lots of software for students. Some software is licensed for 1 year, some for more than one year, and some software has a limitation on use (number of users who can use it). So the auditor can find all kinds of licence issues.

Independent opinion: An audit is always done by independent people, so the report is always accepted by everyone.

Safety from exploitation: Health and safety is always a big issue for any organization. The KW116 Lab has lots of equipment connected to electricity. So there are always chances of short circuit or exploitation. The audit identifies all the weak points and advises on prevention.

Disadvantage of having Auditing:
- It is expensive.
- It sometimes slows or stops the work flow.
- External people know the company information.

Encryption

Encryption is a simple technique, in different forms, for sending data securely through a shared place like the internet. The forms of encryption may vary from each other, but they all commonly use a digital certificate to encrypt and decrypt the data. Encryption uses keys to make cipher text from the actual message. The cipher text is not readable; it is the encrypted version of the message produced using some algorithm.

Security roles/user roles

Security roles are a very important technique to make network administration easy. This basically means creating some groups with different permissions according to the organisation's operation or policy. A user or staff member can have multiple security roles according to their need. These roles are used to authorise the user's permissions.

Security policy

A security policy is a document which has all rules and regulations documented and approved by management and aligned with laws and legislation. This policy is used to define all activities and is used to make some decisions.
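The licence verification described above (fixed-term licences, user-count limits, manual checks that do not scale) can be automated along these lines. This is an added example, not part of the original essay or the output of any tool it names; the product names, host names, dates and the 30-day warning window are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import date
from typing import Optional

Finding = namedtuple("Finding", "kind product detail")

@dataclass(frozen=True)
class Licence:
    product: str
    expires: date          # last day the licence is valid
    seats: Optional[int]   # None means no limit on the number of users/hosts

# Constructed sample data: hypothetical products and lab host names.
AUDIT_DATE = date(2019, 9, 20)
LICENCES = [
    Licence("ExampleCAD", date(2019, 8, 31), None),
    Licence("ExampleStats", date(2019, 10, 5), 2),
    Licence("ExampleIDE", date(2020, 6, 30), 10),
    Licence("ExampleDraw", date(2020, 1, 1), 5),
]
INSTALLS = [  # (host, product) pairs as an inventory scan might report them
    ("kw116-pc01", "ExampleCAD"),
    ("kw116-pc01", "ExampleStats"),
    ("kw116-pc02", "ExampleStats"),
    ("kw116-pc03", "ExampleStats"),
    ("kw116-pc03", "ExampleStats"),  # duplicate scan record, counted once
    ("kw116-pc02", "ExampleIDE"),
    ("kw116-pc03", "ExampleGame"),   # installed, but no licence on file
]

def audit(installs, licences, today, warn_days=30):
    """Compare installed software with licence records and return findings."""
    by_product = {lic.product: lic for lic in licences}
    hosts = defaultdict(set)
    for host, product in installs:
        hosts[product].add(host)      # a set de-duplicates repeated records

    findings = []
    for product in sorted(hosts):
        used = len(hosts[product])
        lic = by_product.get(product)
        if lic is None:
            findings.append(Finding("UNLICENSED", product,
                                    f"on {used} host(s), no licence record"))
            continue
        days_left = (lic.expires - today).days
        if days_left < 0:
            findings.append(Finding("EXPIRED", product,
                                    f"expired {lic.expires}, on {used} host(s)"))
        elif days_left <= warn_days:
            findings.append(Finding("EXPIRING", product,
                                    f"{days_left} day(s) left"))
        if lic.seats is not None and used > lic.seats:
            findings.append(Finding("OVER_SEATS", product,
                                    f"{used} host(s) for {lic.seats} seat(s)"))
    # Licences that are paid for but not installed anywhere are a cost finding.
    for product in sorted(set(by_product) - set(hosts)):
        findings.append(Finding("UNUSED", product, "licence held, no installs"))
    return findings

if __name__ == "__main__":
    for f in audit(INSTALLS, LICENCES, AUDIT_DATE):
        print(f"{f.kind:<11}{f.product:<14}{f.detail}")
```
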
Business Continuity:

There are three things we always have to keep in mind to continue the business:
- Essential: To keep the business running, no customer order can be delayed more than seven days.
- Tolerate delay: Some applications may be delayed while the business continues, such as management pay. It is mid-term, i.e. one to four weeks.
- Discretionary: Some applications are useful for the business but do not affect the continuation of business operations, such as management reports. It is long-term, i.e. 3 to 6 months.

Business continuity planning

Business continuity planning (BCP) is most important for any organization to continue the business. BCP deals with the different kinds of risk to continuing the business process that might occur in the organization, and it also creates the policies, plans and procedures to reduce the risk. BCP can continue the business process in a disaster situation as well. The main goal of BCP is to combine all policies, procedures and processes so that in any disruptive situation the business process can continue, or is impacted very little. The main functions of BCP are:
- Maintaining the business operation
- Continuing the business in an emergency situation
- Reducing the risk

If in any situation BCP cannot take over, then disaster recovery planning (DRP) takes over.

British Auditing Standard BS7799:

It is a British standard called BS7799, developed by the British Standards Institution, which describes the security policy and standard procedures. BS7799 became ISO IEC 17799 after being accepted by the ISO IEC technical committee for international use. Nowadays information is a valuable asset for an organization, so it is very important to protect information like any other corporate asset. BS7799 introduces how to protect information from threats and suggests three points to secure the information:
- Integrity: It is assurance of the completeness and accuracy of the information.
Confidentiality: information can be accessed only by authorised people.
Availability: authorised people can access the information when needed.

Attacks and prevention for the attacks

Errors and omissions: Errors and omissions are among the most common and toughest vulnerabilities. They are human-made errors, because humans program, control and enter data into computers. There are no countermeasures against errors and omissions.

Fraud and theft: This is a kind of criminal activity that may occur in the KW116 lab. It involves computer components such as mice, keyboards, routers, switches, cables, CPU boxes, etc. It was observed that the security person is not always at the access point, which makes it hard to secure the lab against fraud and theft. By protecting access control we can reduce fraud and theft. Both internal and external people are responsible for this kind of activity.

Prevention of fraud and theft:
- A regular auditing and monitoring programme will help to identify all kinds of fraud and theft.
- Deploy all of the access controls.
- Place CCTV in the proper places.

Virus: A virus is malicious code that can reproduce itself, spread from one system to another via e-mail, downloads and storage devices (CD, DVD, memory stick, removable hard drive), and destroy the computer system. It was observed that almost every user uses a removable memory stick, which is the most likely way for a virus to spread into the lab computer systems. It was also observed that users connect their own laptops to the university wireless network. If a user's laptop is infected with a virus, the virus can spread to the lab network, where it can affect the internal network, attack the server and crash the hard drive.

Prevention:
- Install the latest antivirus software.
- Update the antivirus software regularly.
- Follow the backup procedures regularly.
- Scan devices when transferring data.
- Install an NIDS (network intrusion detection system) and a firewall.
- Minimise downloads from the internet.
- Download only from reputable websites.
- Scan before downloading.
- Be careful when opening unknown e-mail attachments.
- Scan all incoming files from remote sites.
- Make users aware of the danger of viruses.

Trap-doors: A trap-door is an undocumented command that a user might create to speed up the workflow. Unfortunately, students sometimes leave these trap-doors in place.

Prevention of trap-doors:
- Use the latest antivirus software.
- Give permission to develop code only to authorised people.
- Check all code properly before using it.

Logic bombs: A logic bomb works like a time bomb and affects the system on a particular event or day, such as a program launch or a website logon. It changes data and deletes data from the system. Students here have access to a lot of software for their course work or projects, so they are capable of building logic bombs. In companies this normally happens when an employee leaves the job.

Prevention:
- Audit and monitor regularly.
- Always back up the necessary files.
- Allow only authorised people to develop code.
- Keep a record of all modifications and changes.

Trojan horses: A Trojan horse is a software program that contains malicious code. Students are normally interested in downloading music and free software from the internet. This is the most likely way for the lab computers to be affected and for the data stored on the lab computer systems to be destroyed.

Prevention:
- Avoid unwanted software and music downloads from the internet.
- Make users aware of Trojan horses.

Worm: A worm is also malicious code. It can spread itself from one system to another without any human involvement. It works only over computer networks and does not need any device to transport it.
Prevention:
- Use a firewall.
- Use up-to-date antivirus software.

Spyware: Spyware is unwanted software that monitors the activity of the user and transfers important information, such as login details or account details, to a remote system that monitors the user's activities.

Adware: Adware is similar to spyware, but it is not intended to transfer the user's details to a remote system. It works like advertisements on the internet. Some adware monitors the user's searching behaviour and then redirects the user to related websites.

Prevention of adware/spyware:
- Close pop-up windows.
- Be aware of spyware and adware.
- Click only on reputable links.

Social engineering: Most users receive mail from unknown senders and also chat with unknown people. Social engineering is one of the most popular techniques attackers use to gain access to a system: they send mail to people or chat with them in order to learn the password. It is therefore a major risk to password security.

Prevention:
- Do not respond to unknown mail.
- Do not chat with unknown people.
- Don't give anyone personal information or a login ID.
- Give new users proper training or awareness about social engineering.

Ping of death: We are only permitted to send packets up to the largest size (65,536 bytes) to the server. Attackers know this number of bytes from the ICMP specification, so they try to send packets of more than 65,536 bytes (at least 65,537). If the server does not check the size of the packet and tries to process it, the operating system hangs or crashes.

Dumpster diving: Every day lab users print the documents they need, but sometimes they print unnecessary documents by mistake and at the end of the day throw all the documents in the bin. Hackers are very intelligent. They always look in the bin and find the documents they need to access the network.
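For the ping of death item above, the size check the server is expected to make can be sketched as follows. This is an added example, not code from the original project; it assumes IPv4, whose 16-bit total-length field caps a reassembled datagram at 65,535 bytes, and the helper names, addresses and sample headers are constructed for illustration.

```python
import struct

MAX_DATAGRAM = 65535  # largest value the 16-bit IPv4 total-length field can hold

def parse_fragment(header: bytes):
    """Parse the fixed 20-byte IPv4 header of one fragment."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    start = (flags_frag & 0x1FFF) * 8          # fragment offset is in 8-byte units
    return {
        "flow": (src, dst, proto, ident),      # fragments of one datagram share this key
        "ihl": ihl,
        "end": start + (total_len - ihl),      # where this fragment's payload ends
        "more": bool(flags_frag & 0x2000),     # "more fragments" flag
    }

def screen_fragments(headers):
    """Return 'accept' or 'drop' per fragment, in arrival order.

    A fragment is dropped when the datagram it belongs to would exceed
    MAX_DATAGRAM once reassembled, when an earlier fragment of the same
    datagram was already rejected, or when its header cannot be parsed.
    """
    poisoned = set()
    verdicts = []
    for raw in headers:
        try:
            frag = parse_fragment(raw)
        except ValueError:
            verdicts.append("drop")
            continue
        if frag["flow"] in poisoned or frag["ihl"] + frag["end"] > MAX_DATAGRAM:
            poisoned.add(frag["flow"])
            verdicts.append("drop")
        else:
            verdicts.append("accept")
    return verdicts

# --- constructed sample input (documentation addresses, checksum left at 0) ---
SRC = bytes([192, 0, 2, 1])
DST = bytes([198, 51, 100, 7])

def build_header(ident, offset_units, payload_len, more):
    """Build a 20-byte ICMP-over-IPv4 header for the samples below."""
    flags_frag = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, 1, 0, SRC, DST)

SAMPLE = [
    build_header(0x1111, 0, 1480, True),      # ordinary large ping, first fragment
    build_header(0x1111, 185, 528, False),    # ... and its last fragment
    build_header(0x2222, 8189, 400, False),   # payload would end past 65,535 bytes
    build_header(0x2222, 0, 1480, True),      # later fragment of the same datagram
    build_header(0x3333, 0, 8, False)[:12],   # truncated header
]

if __name__ == "__main__":
    for verdict in screen_fragments(SAMPLE):
        print(verdict)
```

The check runs on each fragment as it arrives, before any reassembly buffer is written, which is the point at which an unchecked size causes the hang or crash described above.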
Prevention of dumpster diving:
- Destroy all documents before putting them in the bin.

Natural disasters: Anything that happens outside human control is called a natural disaster, such as earthquakes, volcanoes, floods, fires, storms, hurricanes, etc. It may occur at any time, but the biggest risk for the KW116 lab is fire. Fire may be caused by a heater, the power supply, overheating of the power box, a short circuit, etc. A natural disaster is less likely for the lab, but its effect is greater than that of any other threat. It may destroy part of the building and lose all the information.

Prevention:
- Follow the health and safety procedures.
- Keep the fire exit clear.
- Make users aware of possible disasters.

Man-made disasters: Anything that is done intentionally to destroy the business process or part of the business, and that is under human control, is called a man-made disaster, such as fire, acts of terrorism, bombings/explosions and power outages.

Prevention:
- Always check ID cards.
- Allow only authorised people.
- Use a metal detector.
- CCTV.

Equipment failure: Students are always busy with their course work and other course-related work, so an equipment failure may lose all their data.

Prevention:
- Use an extra UPS.
- Back up all data.

Auditing Stages/Steps
- Scope and pre-audit survey
- Planning
- Field work
- Analysis
- Reporting

Scope and Pre-Auditing

The first stage of the audit is to understand the purpose of the audit and the areas that need to be covered during it. Understanding the audit purpose basically means getting an idea of why the audit needs to be performed: whether it is a special risk assessment or an annual audit. A special risk assessment audit is more specific, and its scope is narrow and deep; an annual audit is a general audit that covers as many areas as possible.
The pre-audit survey verifies the audit areas using risk management techniques and some general techniques such as reading previous audit reports, web browsing, background reading, etc. This reduces the chance of failure by correcting the plan with lessons learned.

Planning and Preparation

In this stage the scope is broken into small areas to make auditing easier and clearer, so that the purpose is easy to understand. This stage usually involves the work breakdown plan and the risk control matrix. The risk control matrix is simply a checklist containing the questions to work through during the audit.

Field work

The actual auditing is performed during this stage using different techniques or methods. It ranges from interviewing staff or students, by questionnaire or oral interview, to system or network tests with auditing software tools. The result of this stage is the audit evidence, which is used to reach a conclusion or is submitted to management with the audit report, so this is the most important stage in the audit process. This step may use several testing software tools, depending on the scope of the audit. Software selection is another key event in the audit process, because there are many fake software applications available in the market. These are actually viruses made in the form of auditing tools. Viruses are spread in the form of auditing or testing tools because it is very easy and hard to detect.

Analysis

The evidence and results collected in the previous stage are the input to this stage. This stage consists entirely of analysis and decision making, so it needs a lot of time for investigation and assessment. Analysis is the most sensitive area of the audit process, because this is where the decisions submitted to the board are made. It should therefore be perfect; otherwise the audit is useless and will lead to wrong decisions.
Reporting

This stage presents all audit findings in the form of a report. The report is the document that contains all evidence, analysis results, suggestions, recommendations, conclusions, etc. It is passed to management or higher-level people to review, approve and take action if necessary. The report should be clearly written and easy to understand, because it is also needed in future to provide information for starting the next audit or for taking strategic decisions.

Problem Domain

Because of the increased use of the University of Greenwich KW116 lab, the chances of threats or issues are high, and it is the responsibility of the students and the staff to make the lab secure in all aspects. This project is based on KW116 because the lab is used heavily by students, and network-related and other lab sessions usually take place there, so any security hole or weakness in the lab may affect students and staff. The easiest way to ensure the security level of the lab is auditing. The audit needs to cover all areas from physical security to network security; only then is it a complete audit. The audit can use a standard checklist to be more efficient and to eliminate human-made errors such as forgetting, typing mistakes, etc. There are many ways to verify the security level, such as penetration testing and vulnerability testing. These are more specific to attacks and threats; for general purposes a security audit is the suitable one, as it covers all areas of security. For the reasons given above, the general security audit is the most suitable technique for verifying the security level of the lab. The audit will therefore cover most areas of the lab with the aid of a standard checklist approved by the British Standards Institute.
Tests behind the auditing
- Physical test
- Network test
- Software test
- Security policy test
- Hardware/peripherals test
- Access control test

Objectives

To evaluate the actual level of security that exists at the University of Greenwich Maritime campus KW116 lab.
Activities:
- Plan and schedule the audit
- Auditing with software tools
- Analyse the audit result
Deliverable: detailed audit report with suggestions and recommendations.
This is the main objective of the project, and it will be carried out with several tools such as a packet sniffer, port scanner software, etc. There are three different tests using these tools to identify internal and external vulnerabilities.

To evaluate various methods of implementing the security policy, determine the security weaknesses and implement risk management for the existing security weaknesses.
- University lab security policy review
- Analysis
Deliverable: detailed security policy analysis report with changes/suggestions/recommendations.
The reason for this objective is to close the holes at policy level, because this is the easiest way to implement a fix.

To learn about audit and the audit process, practise auditing, research the auditing products available in the market and select the appropriate ones.
This task consists entirely of learning about audit and audit-related matters. This objective is the key to, or starting point of, the project, because starting the project without proper knowledge would lead it away from the project aim.

To draft a new security policy that addresses the existing weaknesses for the management.
According to the analysis, draft a security policy to fix or overcome all existing security holes.
Deliverable: draft security policy.

How the objectives will be achieved

The third and fourth objectives will be achieved with books and the internet. This objective will give an idea about auditing; its outcome will be documentation containing all the requirements that need to be covered in this project.
The research will give details of the tools required to perform the audit and of the methods/process for the audit. The internet is the main and basic means for this research, as it is easy to access and offers a wide range of data. The tools identified by the research will be used to perform the security audit, and the audit result will be monitored in real time and documented instantly. Mostly these tools will be freeware from well-known vendors. The audit will be performed from three different views to make sure the area is fully secured. The views are: inside the computer's local network, outside the computer's local network, and outside on a different network.

Audit Methodology

This project uses two different methodologies to accomplish the task: a checklist and a questionnaire. The checklist is an aid for the auditor in performing the audit, and it is a manual for the audit. The checklist therefore contains all the tests that need to be performed during the audit, whereas the questionnaire collects opinions or feedback from staff and students (generally, feedback from stakeholders). The analysis will also be carried out in two different ways, using the questionnaire and the checklist; finally both are compared to reach the conclusion. The questionnaire and checklist cover most areas, and these are grouped separately to make the auditor's life easier and the material more understandable. The areas covered in the documents are Physical Security/ E Security Forensics and Risk Management

Security Forensics and Risk Management

Acknowledgement

Foremost I would like to thank God for all the support in my life, and secondly the University of Greenwich for giving me the chance to fulfil my life's aim of completing my master's. Next I thank my supervisor, Professor Kevin Parrott, for the support he gave, because without it I wouldn't have been able to complete my project to this quality. In particular, the suggestions and appreciation given by my supervisor made me feel better and gave me positive thinking.
Finally, I need to thank my family and friends for their unbelievable support and encouragement.

Abstract

As we are in the information era, the world is changing to use electronic means for day-to-day use. Paper documents are gone and most organisations are paper-free for many reasons, such as pollution, ease, speed, etc. At the same time, this digital media has availability, scalability, confidentiality and integrity, which are the required behaviours for secure communication. The risk increases with the increased use of computers and digital means, and a single security weakness may cause huge losses. Some surveys say that most crimes happen through electronic means and that the target is a computer or computer peripherals. A single security weakness is enough for an attacker to start on and break the whole system. The weakness could be a configuration mistake, a firewall issue or, basically, any problem in the protection mechanism. For these reasons testing has become very important, and this process is called auditing. There are many types of auditing, and auditing requires technical knowledge to make the tests perfect and to give an audit report that includes suggestions. Auditing falls into two main categories: automatic and manual. A test is efficient if it is automated using testing tools; such a test is called an automated or computerised test. Even so, some tests cannot be automated and need to be done manually. This audit covers a network security test, a physical or environmental security test, and a computer security test that includes software and hardware tests. The computerised tests will be carried out with security tools, and the manual tests will use a questionnaire to minimise human-made errors, mainly forgetting.

A security audit is the technical assessment of an application or system. The assessment may be manual or systematic or both.
In most cases the auditing process uses both manual and systematic/automatic methods, because some tests cannot be automated, such as review of the security policy, asset management, etc.

Auditing has different types, such as internal and external. The type depends on the company size and the availability of resources. Big companies usually have their own security auditor, so they perform the audit internally, while small and medium-sized companies mostly hire an auditor from outside. Both types have pros and cons in security and financial terms.

Chapter 1 Introduction

This chapter largely contains non-technical information to give an understanding of the high-level objectives. It also describes the techniques and technologies used in the project and the research done to accomplish the project objective.

Audit

An audit is a systematic or manual security assessment of a network, infrastructure, system, etc. A complete audit should be a combination of manual and automatic assessment, because in every test target there will be some tests that cannot be automated. Audits have many categories, and the following paragraphs explain the categories and the functions or techniques behind them. There are three controls in the auditing process:

Preventive control

Preventive controls are controls, in the form of software, hardware or any configuration, that prevent errors or vulnerabilities. This is an active type of control: it always monitors the interface for vulnerabilities and blocks such vulnerabilities or errors before they enter the system or infrastructure. It is the most effective control mechanism because it does not let the vulnerabilities in.
Detective control

Detective controls are put in place, in the form of software or hardware, to monitor for vulnerabilities. The difference between preventive and detective controls is that a preventive control won't allow vulnerabilities into the system, whereas a detective control allows everything to enter and corrects the vulnerabilities after they have entered. The best example of this control is a fire alarm: a fire alarm won't prevent a fire beforehand, but it works if there is a fire.

Corrective controls

Corrective controls are the controls that correct an error or issue before it does any harm. This is a very important control everywhere, even where other controls exist, because some issues or vulnerabilities cannot be detected by the other controls; if they come and attack, there should be some control to correct them before a loss occurs. In addition, the controls should be kept up to date, for example with the latest firmware or the latest definitions.

Types of auditors

There are two basic types of auditor in the information era: internal and external auditors. The auditor is selected by management based on the financial status of the organisation, the size of the organisation and the policies defined in the company.

Internal auditors

Internal auditors belong to the particular company on which the audit is to be performed; that is, the auditor is an employee of the company. The auditor is therefore always available to do the auditing, and data or information is kept within the organisation. This is the main advantage of having an internal auditor. At the same time, an employee recruited purposely for auditing costs the company a lot, so this is only possible for big companies, because they have huge investments and revenue. The disadvantage of internal auditors is that they may not be up to date and may not know the current market or audit status, such as new techniques and tools.
External auditors

Here the auditor is recruited from another auditing firm. It is very hard to find a professional auditor because of availability, and because the auditor is recruited from outside, company information may leave the company. The auditor also needs some time to learn and understand the company's processes. The advantage of recruiting an external auditor is their knowledge, and this option suits medium-sized and small companies.

Types of Audit

Traditional audit: This is like a manual audit. It is useful when working with a large amount of data in a large company. The auditor takes sample data from different places and then provides a report.

Advantages:
- Easy
- Cheaper

Disadvantages:
- It does not always provide correct information.
- It is not useful in the IT sector.

Software audit: Software audits are widely popular in educational institutes and organisations. A software audit is like a review of the software and the system that can find all information about the system, such as operating system, application software, processor, drives, controllers, bus adapters, multimedia, virus protection, system model, main circuit board, memory modules, local drive volumes, network drives, printer information, etc. There are many auditing tools in the market, such as Belarc Advisor and E-Z Audit, that are very powerful. KW116 is the main lab of the School of Computing and Mathematical Sciences (CMS) at the University of Greenwich. CMS has installed a lot of software for students to continue their study or research. According to the Copyright, Designs and Patents Act 1988, all software must have a valid licence for its use to continue. As the lab uses a large amount of software and different software expires at different times, it is very difficult for the lab administrator to keep all licences up to date by manual checks. Only an audit by software can give the administrator a detailed report for keeping the system safe.
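The licence check that the software audit paragraph says is too hard to do by hand can be illustrated as follows. This is an added example, not output or code from Belarc Advisor, E-Z Audit or the original project; the product names, host names, dates and the 30-day warning window are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Licence:
    product: str
    expires: date
    seats: Optional[int]  # None means no limit on the number of users

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def audit_licences(licences, installs, today, warn_days=30):
    """Compare licence records with what is installed on the lab machines.

    licences: iterable of Licence records kept by the administrator
    installs: iterable of (host, product) pairs from an inventory scan
    Returns (severity, product, message) tuples, most severe first.
    """
    # A scan may report the same install twice; count each host once.
    in_use = Counter(product for _host, product in set(installs))
    findings = []
    for lic in licences:
        used = in_use.get(lic.product, 0)
        days_left = (lic.expires - today).days
        if days_left < 0 and used:
            findings.append(("HIGH", lic.product,
                             f"expired {-days_left} days ago, still installed on {used} machine(s)"))
        elif days_left < 0:
            findings.append(("LOW", lic.product,
                             f"expired {-days_left} days ago, not installed anywhere"))
        elif days_left <= warn_days:
            findings.append(("MEDIUM", lic.product, f"expires in {days_left} days"))
        if lic.seats is not None and used > lic.seats:
            findings.append(("HIGH", lic.product,
                             f"{used} installs exceed {lic.seats} licensed seats"))
    # Software found on a machine with no licence record at all.
    licensed = {lic.product for lic in licences}
    for product in set(in_use) - licensed:
        findings.append(("HIGH", product, "installed without any licence record"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))

# --- constructed sample data (hypothetical products and hosts) ---
SAMPLE_TODAY = date(2010, 3, 1)
SAMPLE_LICENCES = [
    Licence("StatsSuite", date(2010, 2, 1), None),    # one-year licence, lapsed
    Licence("CADTool", date(2010, 3, 20), 2),         # limited to two users
    Licence("NetSim", date(2012, 8, 31), 30),         # multi-year licence
    Licence("OldCompiler", date(2009, 12, 31), 10),   # lapsed and removed
]
SAMPLE_INSTALLS = [
    ("KW116-01", "StatsSuite"), ("KW116-02", "StatsSuite"),
    ("KW116-01", "StatsSuite"),                       # duplicate scan row
    ("KW116-01", "CADTool"), ("KW116-02", "CADTool"), ("KW116-03", "CADTool"),
    ("KW116-03", "NetSim"),
    ("KW116-03", "PacketViewer"),                     # no licence record
]

def sample_findings():
    return audit_licences(SAMPLE_LICENCES, SAMPLE_INSTALLS, SAMPLE_TODAY)

if __name__ == "__main__":
    for severity, product, message in sample_findings():
        print(f"{severity:<6} {product:<12} {message}")
```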
Advantages:

Correct information: A machine always provides correct information, so there is less chance of incorrect information.
Saves time: Software provides a report on the system very quickly, so it saves time.
Detailed description: It provides a detailed description of the system, including any warnings or licence issues, etc.
Minimises cost: With a software audit, the work of two people may be done by one person, so it reduces extra cost.

Disadvantages:

Costly investment: The software is very expensive, so the university needs extra money to buy it.
Risk: The auditor knows the detailed information of the system.
Workflow: The auditor needs part of the lab to check the system, so it interrupts the students' workflow.

The approach

A typical audit uses different approaches to collect data. A single audit uses multiple techniques to gather full information, and it is necessary to use different techniques for different levels of people. The common techniques are these.

Interview

This technique is used to collect information from outside people or top-level people, and their number should be limited. During the interview the auditor or interviewer asks the other people questions and collects the information, so the person will be well prepared for the interview. This is a very robust method because it allows people to express themselves fully, and the method is also simple, as talking is a natural way to communicate. Another advantage is that the communication is bidirectional, meaning both parties can ask questions to clarify or gather information.

Observation

This method is used where real-time process monitoring or behavioural change is required. It is a powerful way of making changes throughout the audit, because the other existing techniques cannot currently provide real-time information.

Inspection

This technique requires some action to be taken on the collected data in order to gather audit-related information.
This is the form of observation with advance criteria expected. This is extended version of observation because if the auditor apply any advance criteria to gather the data which is necessary to the auditing. After collecting the data the next step is to identify the weakness and process it. The identifying is the key work in the audit and after that categorising. The identifying uses some techniques to make that easy, preface and professional. The techniques used here are Root cause analysis General technique for analyse and get the better solution for the vulnerability or weakness. Because this technique drilldowns to the issue and finds the root and fix the weakness. The basic technique behind this is if the root is fixed automatically it will fix all other problems related to that. So simply close all related issues at once. As mention the easy and robust way to stop the issues exist and the issues may come in the future. After root cause analysis the next step is to get the solution for the root of the issue. The important thing here is choosing better and effective solution for the issue. The selection depends on some external and internal restrictions. Organisation policy Cost per benefit Legal restrictions Availability Compatibility Vendor and citification Advantage of having Auditing: Satisfaction: It brings the confidence of the Lab administrator of the University of Greenwich to continue the business process. Owner always thinks is there any lack that breaks down the continuity of the business. Detection and prevention of errors: Human can made error in any times .on one can say there is no error in there company. By auditing people can find the error and suggestion to recover the error. Detection and prevention of fraud: It also just likes errors. Sometimes user intentionally or unintentionally does this thing. So after audit we can find out the fraud. Verification of the Licences: KW116 Lab installs lots of software for student. 
Here some software for 1 year some software for more than one year and some software has limitation (No. Of user can use) for use. So auditor can find all kind of licence issues. Independent opinion: Audit always done by the independent people .so this report always accepted by everyone. Safety form exploitation: Health and safety always is a big issue for any organization. KW116 Lab got lots of equipment that are connected with electricity. So always chances for short circuit or exploitation. Audit identifies the all lack point and advice for prevention. Disadvantage of having Auditing: It is expensive Sometimes slow or stop the work flow External people know the company information. Encryption Encryption is the simple technique in the different for to send the date securely through shared place like internet. The form of encryption may vary from each other but they all commonly use digital certificate to encrypt and decrypt the data. Encryption use keys to make cipher text from actual message. The cipher text is not readable and it is the encrypted version of the massage using some algorithm. Security roles/user roles The security roles are very important technique to make network administration easy. This is basically creating some groups with different permissions according to the organisation operation or policy. A user or staff can have multiple security roles according to their need. This roles use to authorise the user permission. Security policy Security policy is a document which has all rules and regulations documented and approved by management and align with laws and legislation. This policy is used to define all activities and this is used to make some decision. Business Continuity: There are three things always we have to mind to continue the business Essential: to running the business any customer order cannot be delay more than seven days. Tolerate delay: some application may delay to continue the business such as management pay. 
It is a midterm i.e. one to four weeks. Discretionary: some application is useful for business but it is not affected to continue the business operation such as management report. It is a long term i.e. 3 to 6 months. Business continuity planning Business continuity planning (BCP) is the most important for any organization to continue the business. BCP engages with only different kind of risk to continue the business process that might occur in the organization and it also creates the policies, plan and procedures to reduce the risk. BCP can continue the business process in disaster situation as well. The main goal of the BCP is to combine together all policies, procedures and process so that any disruptive situation business process can continue or it may impact very little. Here main important function of BCP is Maintaining the business operation Continue the business in emergency situation Reduce the risk If any situation BCP cannot take over then Disaster recovery planning (DRP) takes over. British Auditing Standard BS7799: It is a British standard called as BS7799 that developed by British standard institution where describes the security policy and standard procedures.BS7799 become the ISO IEC 17799 after accepting the ISO IEC technical committee for international use. Now a days information is a valuable asset for organization .So it is very important to protect the information like other corporate asset. Here BS7799 introduces how to protect the information from threats and suggest the three points to secure the information such as Integrity: it is assurance the completeness and accuracy of the information. Confidentiality: Information can only access by the authorise people Availability: Authorise people can access the information when needed. 
Attacks and prevention for the attacks Errors and Omissions: Errors and Omission is one of the most common and toughest vulnerabilities .It is a human made error because human interact with programming, controlling and enter data for computer. There are no countermeasures to protect the errors and omission. Fraud and theft: It is a one kind of criminal activities that may occur in the KW116 Lab. It includes computer component such as mouse, keyboard, router, switch, cables, CPU box etc. It was observed that security person always not in the access point. So it is harm to secure the lab from fraud and theft. By protecting the access control we can reduce the fraud and theft. Both internal and external people are responsible for that kind of activities. Prevention of Fraud and theft: Regular auditing and monitoring program will help to identify all kind of fraud and theft. Deploy all of the access control. CCTV in proper place. Virus: Virus is a malicious code that has ability to reproduce his code itself and spread one system to another system via e-mail, downloading, storage devices (CD, DVD, memory stick, removal hard drive) and destroy the computer system. It was observed that removal memory stick all most every user are using and it is the most change to spread the virus in the Lab computer system and also observed user are using their own laptop and connected to the university wireless network. If user laptop effected with virus then it also change to spread the lab network that can affect the internal network and attack the server and crash the hard drive. Prevention: Install the latest antivirus software. Regular update the antivirus software. Follow the backup procedures regularly. Scan the device when transfer data. Installing the NIDS (Network Intrusion detection system) and firewall Minimise the download from internet. Download only repudiated site web site. Scan before the download. Care full to open unknown e-mail attach. 
Scan all incoming file from the remote site. Aware the user about danger of the virus. Trap-doors: It is an undocumented command that might user can create to speed up the work flow. Unfortunately sometimes student might leave these trap-doors. Prevention of Trap-doors: Use latest antivirus software. Give permission to develop the code only authorise people. Check properly all coding before use it. Logic bombs: It work s like time bombs and affect the system in a particular event or day such as program launch, website logon. It changes the data and deletes the data from the system. Here student are accessing the lots software to do the course work or project. So they are strong enough to build the logic bombs. It is normally happen in company if employee leaves the job. Prevention: Audit regularly and monitoring Always back up the necessary file Allow authorise people to develop the code Need record of all modification or changes Trojan Horses: It is a software programming that contains the malicious code. Normally students are interested to download the music, free software from internet. It is the most change to affect the lab computer and destroy the data stored on lab computer system. Prevention: Avoid unwanted software and music download from internet. Aware the user about Trojan Horses. Worm: Warm also is a malicious code that can spread itself without any human involvement from one system to another system .It works only computer network system and does not need any devices to transport. Prevention: Use firewall Use update antivirus software Spyware: It is an unwanted software interface that monitors the activity of the user and transfers the important information like log in details or account details to the remote system that monitor the user activities. Adware: It is also similar to spyware but it does not intent to transfer the user details to a remote system. It works like advertisements on the internet. 
Some adware monitors the user's searching behaviour and then redirects to related websites.

Prevention of adware/spyware: Close pop-up windows. Be aware of spyware and adware. Click only on reputable links.

Social engineering: Most users receive unknown mail and also chat with unknown people. Social engineering is one of the most popular techniques that attackers use to access a system, by sending mail to or chatting with people in order to learn the password. So it is a major risk to password security.

Prevention: Do not respond to unknown mail. Do not chat with unknown people. Don't give anyone personal information or a login ID. Give new users proper training in, or awareness of, social engineering.

Ping of death: We only have permission to send packets up to the largest size (65,536 bytes) to the server. Attackers know this number of bytes from the ICMP specification, so they try to send packets of more than 65,536 bytes (at least 65,537). If the server does not check the size of the packet and tries to process it, the operating system hangs or crashes.

Dumpster diving: Every day lab users print the documents they need, but sometimes they print unnecessary documents by mistake and at the end of the day throw all the documents in the bin. Hackers are very intelligent. They always look in the bin to find the documents needed to access the network.

Prevention: Destroy all documents before putting them in a bin.

Natural disasters: Anything that happens outside human control is called a natural disaster, such as earthquakes, volcanoes, floods, fires, storms, hurricanes, etc. It may occur at any time, but the biggest risk for the KW116 lab is fire. It may be caused by a heater, the power supply, overheating of the power box, a short circuit, etc. A natural disaster is less likely for the lab, but its effect is greater than that of any other threat. It may destroy part of the building and lose all the information.

Prevention: Follow the health and safety procedures. Clear the fire exit.
Make users aware of possible disasters.

Man-made disasters: Anything that happens intentionally to destroy the business process or part of the business, and that is under human control, is called a man-made disaster, such as fire, acts of terrorism, bombings/explosions, power outages, etc.

Prevention: Always check ID cards. Allow only authorised people. Use a metal detector. Use CCTV.

Equipment failure: Students are always busy with their coursework and other course-related work, so equipment failure may lose all their data.

Prevention: Use an extra UPS. Back up all data.

Auditing Stages/Steps

Scope and pre-audit survey
Planning
Field work
Analysis
Reporting

Scope and Pre-Auditing

The first step or stage of the audit is to understand the purpose of the audit and the areas that need to be covered during it. Understanding the audit purpose basically means getting an idea of why the audit needs to be performed, that is, whether it is a special risk assessment or an annual audit. If it is a special risk assessment audit it will be more specific, and the scope will be narrow and deep; if it is an annual audit it will be a general audit that covers as much area as possible. The pre-audit survey verifies the audit areas using risk management techniques and some general techniques such as reading previous audit reports, web browsing, background reading, etc. This reduces the chance of failure by correcting the plan with lessons learned.

Planning and Preparation

In this stage the scope is broken into small areas to make auditing easier and clearer, so the purpose is easier to understand. This stage usually involves the work breakdown plan and the risk control matrix. The risk control matrix is just a checklist containing the questions to be carried out during the audit.

Field work

Actual auditing is performed during this stage using different techniques or methods.
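As an added example (not part of the original essay), the size check that the Ping of death entry in the attack list above says a server must make can be written as follows in C. It assumes IPv4 fragments, where the real limit is the 65,535 bytes of the 16-bit Total Length field; the names check_fragment and make_hdr and the sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u  /* limit of the 16-bit Total Length field */
enum frag_verdict { FRAG_OK, FRAG_MALFORMED, FRAG_OVERSIZE };

/* Validate one IPv4 fragment header before its payload is copied into a
 * reassembly buffer. hdr points at the IPv4 header, n is the bytes available. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t n)
{
    if (n < 20 || (hdr[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl    = (uint32_t)(hdr[0] & 0x0F) * 4;             /* header bytes */
    uint32_t total  = ((uint32_t)hdr[2] << 8) | hdr[3];          /* this fragment */
    uint32_t offset = ((((uint32_t)hdr[6] << 8) | hdr[7]) & 0x1FFF) * 8;
    int more_frags  = (hdr[6] & 0x20) != 0;                      /* MF flag */

    if (ihl < 20 || ihl > n || total < ihl)
        return FRAG_MALFORMED;
    uint32_t payload = total - ihl;
    if (more_frags && payload % 8 != 0)  /* only the last fragment may be ragged */
        return FRAG_MALFORMED;
    /* Each fragment is small on its own; what matters is where its payload
     * would END in the rebuilt datagram (header size assumed equal to ihl). */
    if (ihl + offset + payload > IP_MAX_DATAGRAM)
        return FRAG_OVERSIZE;
    return FRAG_OK;
}

/* Constructed sample input: a minimal 20-byte IPv4 header for an ICMP fragment. */
void make_hdr(uint8_t h[20], uint16_t total, uint16_t off_units, int mf)
{
    memset(h, 0, 20);
    h[0] = 0x45;                                   /* version 4, IHL 5 */
    h[2] = (uint8_t)(total >> 8);  h[3] = (uint8_t)(total & 0xFF);
    h[6] = (uint8_t)((mf ? 0x20 : 0) | ((off_units >> 8) & 0x1F));
    h[7] = (uint8_t)(off_units & 0xFF);
    h[9] = 1;                                      /* protocol = ICMP */
}

int main(void)
{
    uint8_t h[20];
    make_hdr(h, 1500, 0, 1);    printf("first fragment: %d\n", check_fragment(h, 20));
    make_hdr(h, 1500, 8189, 0); printf("late fragment:  %d\n", check_fragment(h, 20));
    return 0;
}
```

A fragment that fails this check is dropped before any copy into the reassembly buffer, and a count of FRAG_OVERSIZE verdicts is a useful signal to feed to the NIDS mentioned in the prevention lists.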
Simply put, it ranges from interviewing staff or students, using a questionnaire or oral interview, to testing the system or network with auditing software tools. The result of this stage is the evidence of the audit, used to reach a conclusion or submitted to the management with the audit report. So this is the most important stage in the audit process. This step may use several testing software tools depending on the scope of the audit, and software selection is another key event of the audit process because there are so many fake software applications available on the market. Those are actually viruses made in the form of auditing tools. The reason for spreading a virus in the form of an auditing or testing tool is that it is very easy and hard to detect.

Analysis

The evidence and any results collected in the previous stage are the input to this stage. This stage is entirely analysis and decision making, so it needs a lot of time for investigation and assessment. Analysis is the most sensitive area of the audit process, because this is where the decision to submit to the board is taken; it should be perfect, otherwise the audit is useless and will lead to wrong decisions.

Reporting

This stage presents all audit findings in the form of a report. This document contains all the evidence, analysis results, suggestions, recommendations, conclusions, etc. It is passed to the management or higher-level people to review, approve and take action if necessary. The report should be clearly written and easy to understand, because it is also needed in future to provide information for starting the next audit or for taking strategic decisions.

Problem Domain

Because of the increased use of the University of Greenwich KW116 lab, the chances of threats or issues are high, and it is the responsibility of the students and the staff to make the lab secure in all aspects.
This project is based on KW116 because it is the lab most used by students, and network-related and other lab sessions usually take place there, so any security hole or weakness in the lab may affect the students and the staff. The easiest way to ensure the security level of the lab is auditing. This auditing needs to cover all areas from physical security to network security. Only then will it be a perfect audit. The audit can use a standard checklist to be more efficient and to eliminate human-made errors such as forgetting, typing mistakes, etc. There are many ways to check the security level, such as penetration testing and vulnerability testing. These are more specific to attacks and threats; for general purposes a security audit is the suitable one, as it will cover all areas of security. For the reasons given above, the general security audit is the most suitable technique to verify the security level of the lab. So the auditing will cover most areas of the lab with the aid of a standard checklist approved by the British Standard Institute.

Test behind the auditing

Physical test
Network test
Software test
Security policy test
Hardware/peripherals test
Access control test

Objectives

To evaluate the actual level of security that exists at the University of Greenwich Maritime campus KW116 Lab.

Activities: Plan and schedule the audit. Audit with software tools. Analyse the audit result.

Deliverable: Detailed audit report with suggestions and recommendations.

This is the main objective of the project, and it will be carried out with several tools such as a packet sniffer, port scanner software, etc. There are three different tests using these tools to identify internal and external vulnerabilities.

To evaluate various methods of implementing the security policy, determine the security weaknesses and implement risk management for the existing security weaknesses.
University lab security policy review
Analysis

Deliverable: Detailed security policy analysis report with changes/suggestions/recommendations.

The reason for this objective is to close the holes at policy level, because this is the easiest way to implement.

Learn audit and the audit process, practise auditing, research the auditing products available on the market and select an appropriate one. This task is entirely about learning audit and audit-related matters. This objective is the key to, or starting point of, this project, because if the project starts without proper knowledge it will be led somewhere other than the project aim.

To draft a new security policy for the management that addresses the existing weaknesses. Based on the analysis, draft a security policy to fix or overcome all existing security holes.

Deliverable: Draft security policy.

How the objectives will be achieved

The third and fourth objectives will be achieved with books and the internet. This objective will give an idea about auditing; its outcome will be documentation containing all the requirements that need to be covered in this project. The research will give details of the tools required to perform the auditing and the methods/process for the auditing. The internet is the main and basic means for this research, as it is easy to access and offers a wide range of data. The tools identified by the research will be used to perform the security audit, and the audit result will be monitored in real time and documented instantly. These tools will mostly be freeware and from well-known vendors. The auditing will be performed from three different views to make sure the area is fully secured. The views are: inside the computer local network, outside the computer local network, and outside on a different computer network.

Audit Methodology

This project uses two different methodologies to accomplish the task: a checklist and a questionnaire. The checklist is an aid for the auditor in performing the audit and serves as a manual for the audit.
So the checklist will contain all the tests that need to be performed during the audit, whereas the questionnaire is used to get opinions or feedback from staff and students (generally this will be feedback from stakeholders). The analysis will also be carried out in two different ways, using the questionnaire and the checklist, and finally both are compared to reach the conclusion. The questionnaire and checklist cover most of the areas, and these are grouped separately to make the auditor's life easier and the documents more understandable. The areas covered in the documents are Physical Security/ E