Management of Information Security Project
ACME Inc. Security 1
ACME Inc. Security Assessment
ACME Inc. Security 2
ACME Inc. Security Assessment
Introduction and background
ACME Inc. is a mid-size privately held Biotechnology firm that performs research and
development for medical and pharmaceutical companies. 3 friends and former coworkers of a
Forbes Fortune 500 pharmaceutical company founded ACME INC. 12 years ago after seeing the
potential in using their knowledge and experience to develop groundbreaking devices and drug
testing software and equipment. The firm routinely shares information and data with its
customers and partners. This information often contains trade secrets, HIPPA protected patient
information and privacy data. ACME Inc. has noticed recent trends in the penetration, hacking
and compromising of various companies, which resulted in the hiring of more Information
Security personnel to assess the company security posture and implement corrective measures as
needed. The following analysis is a result of the evaluation and assessment of the companies
various controls including management, operational, technical and logical controls.
Management Controls
The assessment first addressed the management controls for ACME Inc. The analysis
found that the risk management assessment was not performed in regular intervals, but rather
when news of a large security breach has occurred in another company or government entity.
The review of the risks is limited in scope and did not evaluate the company as a whole to
include personnel and/or physical issues. The current information system documentation is out of
date and incomplete. The documentation contains only the rudimentary information only the core
services are listed. For example, the Microsoft Domain controller, Exchange mail and web
servers are displayed and listed, but the specific system hostname, IP address and operating
systems are not broken down.
The risk assessment identified threats from nature such as tornadoes, earthquakes and
fires and some man-made threats like administrator and user errors, but does not mention
malicious intent or sabotage. Senior management has been briefed on these threats and risks
from nature, insider and outsiders threat and understand the various risks from each. The
assessment does not address the cost associated with each of the threat sources nor the impact for
each threat and therefore specific controls to mitigate the threats have been identified for each
scenario.
The review of company security controls discovered both positives and negatives during
the assessment. The security controls address the local systems but do not mention the controls to
interconnected systems to the customer and partners. Management has recently taken strides to
implement corrective measures to improve the security controls deficiencies including the hiring
of experienced information security personnel.
A System Security Plan (SSP) “provides an overview of the security requirements of the
system and describe the controls in place or planned, responsibilities and expected behavior of
all individuals who access the system. It should reflect input from various managers with
responsibilities concerning the system, including information owners, the system operator, and
the system security manager.” (SANS, 2003) The ACME Inc. for SSP does not meet this
definition because the plan lacks the inclusion of interconnected systems and that organization’s
ACME Inc. Security 3
security manager. Internal personnel review the SSP on a regular basis and changes are approved
by a majority vote.
Operational Controls
The analysis of the Personnel Security controls found that information security, information
technology and the general users have assigned only the permissions to perform his or her duties.
Because the nature of work and information the company holds the company uses background
checks for personnel in positions that have access to privacy and HIPPA data. The background
checks are limited to National Agency Checks (NAC), which focuses on criminal and law
enforcement data. The review of such background checks is often overlooked and some
personnel have not had a review since the inception of the company. The job functions and scope
of responsibility for workers in secure areas are divided and outlined, but a few key personnel
have access to all areas. All personnel sign a non-disclosure and privacy agreement when hired
and some personnel sign a non-compete clause prevents a worker from working for a competitor
due to their knowledge of the company trade secrets and process. The hiring and termination of
employees include an account process for the creation, issuance and deletion of user accounts,
however the evaluation discovered a few instances where user accounts were not deleted when
the employee left the company. As a part of personnel security controls, ACME Inc. has
developed procedures to hold employees accountable for actions that are considered to be illegal,
violate company core values and acceptable computer use policies.
Analysis of physical security measures discovered positives and negatives practices by
the company. The company uses badges and biometric fingerprint scanners for access to secure
areas that contain trade secrets and confidential information while the other areas use badge
readers with user PIN. These systems are monitored by physical security guards perform random
bag checks for employees entering and leaving the building. All visitors are given badges that
clearly display he or her is a guest and must be escorted. The issuance and revocation of the
badges are a part of the employee in/out processing. Management does not review the list of
personnel with access to the most secure areas on a consistent basis and relies on the individual
managers to ensure workers only have access to areas needed. The review showed that security
codes and combinations are changed, but not often enough to meet with requirement designated
by management. As a part of the physical and environmental controls the company uses
extensive fire suppression system throughout the building, battery backup in case a loss of power
and generator for extended time without commercial power.
Input and output controls consist of a help desk, webpage for user support. Media
controls are used to protect the unauthorized copying, altering and theft of company information.
These controls are audited and maintained by security personnel. Logistics personnel maintain a
record of information systems using a barcode system that tracks vendor, make, model, system
components, location and warranty information. Equipment that contained sensitive information
is degaussed, shredded or destroying while others are sold.
Contingency planning controls address most of the key items. Company critical files and
resources have been identified by management and technical personnel, which need to be
safeguarded. Management has also identified which processes are priorities in the event of
limited capacity. This information has been approved, documented and promulgated to key
personnel for guidance in the event of various situations. Included in the documentation are
detailed instructions on the restoration of core systems or the initialization of the alternate site.
ACME Inc. Security 4
The company does not use offsite storage other than the alternate site. The company occasionally
performs disaster recovery (DR) and contingency plan (CP) exercises to practice what each
person is responsible for in various situations.
Hardware and software maintenance controls include scheduled maintenance for both
items. Software controls are used to prevent unauthorized installation of software and changes in
security. Hardware controls are implemented to prevent users from installing hardware that has
not been approved and requires personnel with access to the system BIOS or network interfaces.
Any software or hardware changes to servers; workstations and networking equipment require an
approved change request that goes through an approval process. Stake owners in the process
represent the configuration change board, so changes are not being made in a vacuum.
The evaluation of ACME Inc.’s Data integrity controls effective measures to secure
information. Symantec Anti-virus (A/V) and host based Intrusion detection (HIDS) software
installed on all servers and workstations in the company. The management server updates the
software several times a week. The server, which downloads updates, virus definitions and
signature, pushes updates to clients. The a/v software is scheduled to scan systems during non-
working hours.
As a part of the operational controls, ACME documentation process is basic, but does
address key items. The documentation includes installation process, vendor documentation.
Network diagram, which will be discussed later on in the assessment. User guides are given to
employees during their in processing. Emergency procedures for weather, fire and other natural
disasters are provided in the employee handbook.
The company has limited security awareness education training program. All employees
receive initial security training, but there is not a requirement to receive additional training.
Information Security and Information Technology personnel receive more advanced training
designed based on their job function. As mentioned earlier all personnel sign acceptable use
agreement forms, which are kept on file.
The company’s Incident Response (IR) team was formed to manage, detect and respond
to incidents per the Incident Response Plan (IRP). The IR team is made up members from
various sections in the technology department the members include help desk technician,
networking technician, systems member and a information security employee. Per the IRP, each
member has specific duties in the event of a possible incident. One issue found in the assessment
is the average help desk employee doesn’t have exact procedures to follow, but general items and
actions including calling the IR team. Another issue discovered is that users surveyed responded
that they were unsure what to do in case of a suspected incident. The IR team has responded to
several false alarms and actual incidents, but the documentation and root cause analysis was not
share with the company management or users. The customers and partner companies were not
consistently notified and sometimes not given the specific cause after initial notification. The
process for modifying the incident and controls techniques is clearly defined and the IR team
routinely meets to discuss its effectiveness. Incidents are not typically shared with law
enforcement agencies, but management is open to the concept.
Technical Controls
The identification and authentications controls used by ACME Inc. are characteristic of a
Biotechnology company. All users are authenticated using smart cards and a pin linked the their
active directory account. The smart card has the user’s PKI certificate that is associated to their
ACME Inc. Security 5
account. The PKI certs are also used to digitally sign emails and adobe documents and access
MS SharePoint pages. Guest access uses temporary smart cards in exchange for a valid
government id to ensure the return of the smart card. The card is reset upon turn in and all access
to systems is removed. Although smart cards are used users are still required to change
passwords every 60 days and meet complexity requirements. Users that have not logged in
within 30 days have their account disabled and after 45 days the account is deleted unless the
users has arranged otherwise. A weekly list of accounts is verified for any of the previous
conditions are met. Passwords and PINs are not displayed when a user logs in to prevent another
person from seeing their data. In case of a compromised password, the account is disabled and
another account is created with a new password. Users request a password reset will be required
to visit the help desk and will not be given over the phone. In addition to user passwords, vendor
passwords and service accounts are required to meet complexity requirements and changed
regularly. The list of service accounts are kept in a safe with a list of personnel who have access
and signed for the account. Access to these accounts is limited to system administrators and
security personnel. Users and administrators are required to remove their smart card when
leaving the workstation or server.
Logical access control evaluation resulted in the following findings. Users access to
systems and information is limited to their job requirements and responsibilities, however no
Controls are in place to track access and enforce the limitation. Security and certain systems
administrators are the only employees that can manage security software. Other logical access
control that is encryption for the web servers that use Secure Socket Layer with a certificate by
VeriSign and active directory for internal only systems. Documents that contain privacy, HIPPA,
confidential or sensitive information are required to be labeled as such. Network access is limited
to secure means such as Secure Shell (SSH v3) and directly to the local console, access is logged
whether it is local or remote. Assessment did not find any unsecure protocols used by the
organization. Remote access is available to servers and networking equipment only by certain IP
address ranges, but session limits were not enabled. There are no trusts with other domains
between ACME Inc. and other companies. All users are required to consent to a logon banner
restating acceptable use rules. Privacy statement is available on the company website. The
company uses CISCO for network firewalls to safeguard its information systems and a proxy
server for the company website.
The final logical control as a part of the assessment is a review of the company auditing
procedures. Access to documents that contain privacy, HIPPA, confidential or sensitive
information are audited and logged. These logs are kept for historical purposes and to support
investigations into illegal or fraudulent activity. Only security administrators and key system
administrators have access to the security and audit logs. These logs are reviewed by both
security and systems personnel on a daily basis for traces of intrusion or activities. In case of
suspicious activity, either the system administrator or a security administrator depending on the
system investigates the incident.
Recommendations
This section will recommend actions based on the evaluation and analysis of ACME Inc.
with regard to management, operational, technical and logical controls. The recommendations
for management controls include the implementation of scheduled risk assessments on a
quarterly basis. This schedule will provide both the technical team and management a solid
ACME Inc. Security 6
understanding of the risks and if the organization has improved, remained steady or declined in
addressing and mitigating the risks. As a part of the periodic review the scope of assessment
must include all aspects of security including physical and personnel security. As a part of the
management control improvements, recommend the assignment of technical writing and system
documentation to a team of personnel consisting of each part of the technical team and a
management team. The team should meet periodically to review the accuracy and depth of the
system documentation. These tasks should be included in his or her job description and
performance review. The documentations must include a detailed drawing of overall logical
system design, each server displayed with IP address, hostname and operating system. The
threat assessment improvements are to address each specific threat individually and determine
the cost and impact to business operations.
Recommendations for operational controls include the scheduling of a review for
background checks. The human resource department and account administrators should
collaborate to ensure accounts are deleted upon a employee’s departure. Another
recommendation is for management review all personnel’s access to sensitive areas. Change
security controls on a regular basis. Another recommendation is the use of offsite storage for
backups, system documentation besides alternate site such as a locker or container in a secure
facility. AMCE Inc. should conduct Disaster Recovery exercises to ensure all personnel have a
solid understanding of their role, what is required and the amount of time to complete the steps.
ACME needs to establish regular Security education and Training (SETA) classes to include
annual information security refreshers for users.
The IR team should conduct more drills to improve on help desk response and users
actions for an incident. These exercises can lead to increased response time and better
communication during an actual incident. Improve on communication with customers and
partners. The company needs to better enforce logical access controls.
References
NIST 800-26 Security SelfAssessment Guide for Information Technology Systems
SANS. Org (1 APR 2003)System Security Plan http://www.sans.org/projects/systemsecurity.php
Whitman, M. E., & Mattord, H. J. (2010). Management of Information Systems (3rd ed.). Boston,
MA: CENGAGE Learning.