Management of Information Security Project

profileLearning333
SampleProjectReport.pdf

ACME Inc. Security 1

ACME Inc. Security Assessment

ACME Inc. Security 2

ACME Inc. Security Assessment

Introduction and background

ACME Inc. is a mid-size privately held Biotechnology firm that performs research and

development for medical and pharmaceutical companies. 3 friends and former coworkers of a

Forbes Fortune 500 pharmaceutical company founded ACME INC. 12 years ago after seeing the

potential in using their knowledge and experience to develop groundbreaking devices and drug

testing software and equipment. The firm routinely shares information and data with its

customers and partners. This information often contains trade secrets, HIPPA protected patient

information and privacy data. ACME Inc. has noticed recent trends in the penetration, hacking

and compromising of various companies, which resulted in the hiring of more Information

Security personnel to assess the company security posture and implement corrective measures as

needed. The following analysis is a result of the evaluation and assessment of the companies

various controls including management, operational, technical and logical controls.

Management Controls

The assessment first addressed the management controls for ACME Inc. The analysis

found that the risk management assessment was not performed in regular intervals, but rather

when news of a large security breach has occurred in another company or government entity.

The review of the risks is limited in scope and did not evaluate the company as a whole to

include personnel and/or physical issues. The current information system documentation is out of

date and incomplete. The documentation contains only the rudimentary information only the core

services are listed. For example, the Microsoft Domain controller, Exchange mail and web

servers are displayed and listed, but the specific system hostname, IP address and operating

systems are not broken down.

The risk assessment identified threats from nature such as tornadoes, earthquakes and

fires and some man-made threats like administrator and user errors, but does not mention

malicious intent or sabotage. Senior management has been briefed on these threats and risks

from nature, insider and outsiders threat and understand the various risks from each. The

assessment does not address the cost associated with each of the threat sources nor the impact for

each threat and therefore specific controls to mitigate the threats have been identified for each

scenario.

The review of company security controls discovered both positives and negatives during

the assessment. The security controls address the local systems but do not mention the controls to

interconnected systems to the customer and partners. Management has recently taken strides to

implement corrective measures to improve the security controls deficiencies including the hiring

of experienced information security personnel.

A System Security Plan (SSP) “provides an overview of the security requirements of the

system and describe the controls in place or planned, responsibilities and expected behavior of

all individuals who access the system. It should reflect input from various managers with

responsibilities concerning the system, including information owners, the system operator, and

the system security manager.” (SANS, 2003) The ACME Inc. for SSP does not meet this

definition because the plan lacks the inclusion of interconnected systems and that organization’s

ACME Inc. Security 3

security manager. Internal personnel review the SSP on a regular basis and changes are approved

by a majority vote.

Operational Controls

The analysis of the Personnel Security controls found that information security, information

technology and the general users have assigned only the permissions to perform his or her duties.

Because the nature of work and information the company holds the company uses background

checks for personnel in positions that have access to privacy and HIPPA data. The background

checks are limited to National Agency Checks (NAC), which focuses on criminal and law

enforcement data. The review of such background checks is often overlooked and some

personnel have not had a review since the inception of the company. The job functions and scope

of responsibility for workers in secure areas are divided and outlined, but a few key personnel

have access to all areas. All personnel sign a non-disclosure and privacy agreement when hired

and some personnel sign a non-compete clause prevents a worker from working for a competitor

due to their knowledge of the company trade secrets and process. The hiring and termination of

employees include an account process for the creation, issuance and deletion of user accounts,

however the evaluation discovered a few instances where user accounts were not deleted when

the employee left the company. As a part of personnel security controls, ACME Inc. has

developed procedures to hold employees accountable for actions that are considered to be illegal,

violate company core values and acceptable computer use policies.

Analysis of physical security measures discovered positives and negatives practices by

the company. The company uses badges and biometric fingerprint scanners for access to secure

areas that contain trade secrets and confidential information while the other areas use badge

readers with user PIN. These systems are monitored by physical security guards perform random

bag checks for employees entering and leaving the building. All visitors are given badges that

clearly display he or her is a guest and must be escorted. The issuance and revocation of the

badges are a part of the employee in/out processing. Management does not review the list of

personnel with access to the most secure areas on a consistent basis and relies on the individual

managers to ensure workers only have access to areas needed. The review showed that security

codes and combinations are changed, but not often enough to meet with requirement designated

by management. As a part of the physical and environmental controls the company uses

extensive fire suppression system throughout the building, battery backup in case a loss of power

and generator for extended time without commercial power.

Input and output controls consist of a help desk, webpage for user support. Media

controls are used to protect the unauthorized copying, altering and theft of company information.

These controls are audited and maintained by security personnel. Logistics personnel maintain a

record of information systems using a barcode system that tracks vendor, make, model, system

components, location and warranty information. Equipment that contained sensitive information

is degaussed, shredded or destroying while others are sold.

Contingency planning controls address most of the key items. Company critical files and

resources have been identified by management and technical personnel, which need to be

safeguarded. Management has also identified which processes are priorities in the event of

limited capacity. This information has been approved, documented and promulgated to key

personnel for guidance in the event of various situations. Included in the documentation are

detailed instructions on the restoration of core systems or the initialization of the alternate site.

ACME Inc. Security 4

The company does not use offsite storage other than the alternate site. The company occasionally

performs disaster recovery (DR) and contingency plan (CP) exercises to practice what each

person is responsible for in various situations.

Hardware and software maintenance controls include scheduled maintenance for both

items. Software controls are used to prevent unauthorized installation of software and changes in

security. Hardware controls are implemented to prevent users from installing hardware that has

not been approved and requires personnel with access to the system BIOS or network interfaces.

Any software or hardware changes to servers; workstations and networking equipment require an

approved change request that goes through an approval process. Stake owners in the process

represent the configuration change board, so changes are not being made in a vacuum.

The evaluation of ACME Inc.’s Data integrity controls effective measures to secure

information. Symantec Anti-virus (A/V) and host based Intrusion detection (HIDS) software

installed on all servers and workstations in the company. The management server updates the

software several times a week. The server, which downloads updates, virus definitions and

signature, pushes updates to clients. The a/v software is scheduled to scan systems during non-

working hours.

As a part of the operational controls, ACME documentation process is basic, but does

address key items. The documentation includes installation process, vendor documentation.

Network diagram, which will be discussed later on in the assessment. User guides are given to

employees during their in processing. Emergency procedures for weather, fire and other natural

disasters are provided in the employee handbook.

The company has limited security awareness education training program. All employees

receive initial security training, but there is not a requirement to receive additional training.

Information Security and Information Technology personnel receive more advanced training

designed based on their job function. As mentioned earlier all personnel sign acceptable use

agreement forms, which are kept on file.

The company’s Incident Response (IR) team was formed to manage, detect and respond

to incidents per the Incident Response Plan (IRP). The IR team is made up members from

various sections in the technology department the members include help desk technician,

networking technician, systems member and a information security employee. Per the IRP, each

member has specific duties in the event of a possible incident. One issue found in the assessment

is the average help desk employee doesn’t have exact procedures to follow, but general items and

actions including calling the IR team. Another issue discovered is that users surveyed responded

that they were unsure what to do in case of a suspected incident. The IR team has responded to

several false alarms and actual incidents, but the documentation and root cause analysis was not

share with the company management or users. The customers and partner companies were not

consistently notified and sometimes not given the specific cause after initial notification. The

process for modifying the incident and controls techniques is clearly defined and the IR team

routinely meets to discuss its effectiveness. Incidents are not typically shared with law

enforcement agencies, but management is open to the concept.

Technical Controls

The identification and authentications controls used by ACME Inc. are characteristic of a

Biotechnology company. All users are authenticated using smart cards and a pin linked the their

active directory account. The smart card has the user’s PKI certificate that is associated to their

ACME Inc. Security 5

account. The PKI certs are also used to digitally sign emails and adobe documents and access

MS SharePoint pages. Guest access uses temporary smart cards in exchange for a valid

government id to ensure the return of the smart card. The card is reset upon turn in and all access

to systems is removed. Although smart cards are used users are still required to change

passwords every 60 days and meet complexity requirements. Users that have not logged in

within 30 days have their account disabled and after 45 days the account is deleted unless the

users has arranged otherwise. A weekly list of accounts is verified for any of the previous

conditions are met. Passwords and PINs are not displayed when a user logs in to prevent another

person from seeing their data. In case of a compromised password, the account is disabled and

another account is created with a new password. Users request a password reset will be required

to visit the help desk and will not be given over the phone. In addition to user passwords, vendor

passwords and service accounts are required to meet complexity requirements and changed

regularly. The list of service accounts are kept in a safe with a list of personnel who have access

and signed for the account. Access to these accounts is limited to system administrators and

security personnel. Users and administrators are required to remove their smart card when

leaving the workstation or server.

Logical access control evaluation resulted in the following findings. Users access to

systems and information is limited to their job requirements and responsibilities, however no

Controls are in place to track access and enforce the limitation. Security and certain systems

administrators are the only employees that can manage security software. Other logical access

control that is encryption for the web servers that use Secure Socket Layer with a certificate by

VeriSign and active directory for internal only systems. Documents that contain privacy, HIPPA,

confidential or sensitive information are required to be labeled as such. Network access is limited

to secure means such as Secure Shell (SSH v3) and directly to the local console, access is logged

whether it is local or remote. Assessment did not find any unsecure protocols used by the

organization. Remote access is available to servers and networking equipment only by certain IP

address ranges, but session limits were not enabled. There are no trusts with other domains

between ACME Inc. and other companies. All users are required to consent to a logon banner

restating acceptable use rules. Privacy statement is available on the company website. The

company uses CISCO for network firewalls to safeguard its information systems and a proxy

server for the company website.

The final logical control as a part of the assessment is a review of the company auditing

procedures. Access to documents that contain privacy, HIPPA, confidential or sensitive

information are audited and logged. These logs are kept for historical purposes and to support

investigations into illegal or fraudulent activity. Only security administrators and key system

administrators have access to the security and audit logs. These logs are reviewed by both

security and systems personnel on a daily basis for traces of intrusion or activities. In case of

suspicious activity, either the system administrator or a security administrator depending on the

system investigates the incident.

Recommendations

This section will recommend actions based on the evaluation and analysis of ACME Inc.

with regard to management, operational, technical and logical controls. The recommendations

for management controls include the implementation of scheduled risk assessments on a

quarterly basis. This schedule will provide both the technical team and management a solid

ACME Inc. Security 6

understanding of the risks and if the organization has improved, remained steady or declined in

addressing and mitigating the risks. As a part of the periodic review the scope of assessment

must include all aspects of security including physical and personnel security. As a part of the

management control improvements, recommend the assignment of technical writing and system

documentation to a team of personnel consisting of each part of the technical team and a

management team. The team should meet periodically to review the accuracy and depth of the

system documentation. These tasks should be included in his or her job description and

performance review. The documentations must include a detailed drawing of overall logical

system design, each server displayed with IP address, hostname and operating system. The

threat assessment improvements are to address each specific threat individually and determine

the cost and impact to business operations.

Recommendations for operational controls include the scheduling of a review for

background checks. The human resource department and account administrators should

collaborate to ensure accounts are deleted upon a employee’s departure. Another

recommendation is for management review all personnel’s access to sensitive areas. Change

security controls on a regular basis. Another recommendation is the use of offsite storage for

backups, system documentation besides alternate site such as a locker or container in a secure

facility. AMCE Inc. should conduct Disaster Recovery exercises to ensure all personnel have a

solid understanding of their role, what is required and the amount of time to complete the steps.

ACME needs to establish regular Security education and Training (SETA) classes to include

annual information security refreshers for users.

The IR team should conduct more drills to improve on help desk response and users

actions for an incident. These exercises can lead to increased response time and better

communication during an actual incident. Improve on communication with customers and

partners. The company needs to better enforce logical access controls.

References

NIST 800-26 Security SelfAssessment Guide for Information Technology Systems

SANS. Org (1 APR 2003)System Security Plan http://www.sans.org/projects/systemsecurity.php

Whitman, M. E., & Mattord, H. J. (2010). Management of Information Systems (3rd ed.). Boston,

MA: CENGAGE Learning.