ID: 3857390 • Letter: I
Question
Information Security Master Plan (Be Sure to Read All Content - Case Study with ALL Info Below)
Instructions - complete in 300-400 words to the fullest response
Risk Management
For several of your resources, identified in the case study, which you identify as being at risk, identify particular controls to try and deal with an identified risk.
Imagine that your [fictitious] organization has limited resources to address several of your resources that you have identified as being at risk.
Go through a selection of your risk assessments and decide which is the best of the following approaches and explain why:
Avoidance*
Transference
Mitigation
Acceptance
*If you choose avoidance, how would you do this?
Case Study
Scenario 1.0 Details of organisation
Staffing : 500+ staff in various departments
Building :
Basement - Carpark / Security Office / Loading & Unloading bay
Ground Level - Reception
Level 1 - Building maintenance / Training room / R&D
Level 2 - General Administration / Human Resource / Finance
Level 3 - Sales / Software and technical support
Level 4 - Information Technology / Server room
Level 5 - Data Center / Seismic Exploration
Roof - Air-conditioner cooling towers, water tanks
Key Personnel :
CEO
Chief Security Officer
Chief Information Technology Officer
Director Sales & Product
Division Head - Research and Development
Division Head - Software
Division Head - Data Processing
Division Head - Service and Technical Support
Director - Back Office
Manager Building and Maintenance
Manager Office Administration
Manager Finance
Manager Human Resource
Manager Legal Department
Legal Officer
2.0 Company Background
The company is a mid-size software company specialising in developing software and hardware for the oil and gas industry, as well as providing services to oil and gas companies in processing seismic data to assist in locating new oil and gas fields. (Background reading: http://www.answers.com/topic/seismic-explorationfor-oil-andgas)
2.1 Monitoring Software
* SensorDrill - Software and hardware used to monitor the drilling of oil and gas wells
* MeasureMe - Software and hardware package used to monitor the pumping of oil and gas
2.2 Services
* Provide services in processing and interpreting collected seismic data using internally developed software (Shake and Quake).
* NOTE
1. SensorDrill and MeasureMe software are licensed to the client for their own use.
2. Shake and Quake software is not licensed for client use; the client provides seismic data and the organisation will process the data, format it into human-readable form (e.g., graphs, charts, reports) and then provide the client with a completed report.
3.0 Market Information
The company currently holds about 40% of the market share in the oil and gas monitoring software market. Their nearest and biggest competitor is Another Company Pty Ltd, who also holds about 40% of the market share. The competitor provides the same seismic processing services to the oil and gas industry, and their version of the monitoring software has roughly the same functionality as the company's versions. The other 20% of the market is held by several smaller independent software firms providing either monitoring software or seismic processing services, but not both. Generally speaking, these companies do not pose a serious threat to your company or to the competitor, as the services they provide are not as comprehensive, nor does their software have the same wide range of functionality.
4.0 Research and Development
4.1 Project 1
The company is currently working on several R&D projects that may allow them to overtake their primary competitor in terms of market share. A major upgrade to both monitoring software packages is expected to be released in around 6 months' time. This upgrade provides real-time remote monitoring of the drilling and pumping process via satellite or landlines. Remote monitoring is a function frequently requested by clients, but nobody has been able to provide that function reliably in their software yet. This project is currently in the closed beta testing stage, but the company believes it will be able to start limited field tests in a month's time. Some of their larger clients will be given the opportunity to test the prototype in a parallel-run scenario, and feedback will be obtained to perform fine-tuning of the software. The company believes that they have the problem licked with their custom-designed chip/software. They forecast that they can gain an additional 10% (around $100 million) of the market at the expense of their competitor. This project is considered top secret, as the company believes that their competitors are nowhere near having a similar product and estimates that they will have a technology lead over their competitor for at least 2 years, provided their competitors are caught unaware at release date.
4.2 Project 2
The company is also working on software that will allow their data processing software to speed up data processing by distributing the work between many different servers. It is anticipated that a typical job can be completed about 30% faster, which not only reduces the time taken to get a report back to the client, but also increases the number of jobs that can be completed within the same period. It is projected that if the project is successful, an additional $30 million in revenue can be generated annually from the increase. This project is currently in the alpha testing stage and is around 12 months away from completion. The company suspects that their primary competitor is also working on something very similar at the moment and believes that they (the competitor) are very close to having a fully functional product (within 2 months). This project will involve some infrastructure upgrades, as additional network cables need to be laid to provide for the increased bandwidth required between existing servers as well as to provide for additional servers. It is also anticipated that an additional 10 servers / workstations will be required, as well as a new high-speed network switch.
5.0 Contractors and Vendors
The company uses sub-contractors to meet some of their work force needs as well as to provide contracted services.
Clean and Mean Pty Ltd - Providers of cleaning services to the organization. Two (2) cleaners during office hours to keep the environment clean, for example keeping the toilets clean through the day, cleaning the pantry or providing general cleaning services as required. Four (4) cleaners after office hours to keep the office clean: general cleaning, wiping tables, vacuuming floors, cleaning meeting rooms, etc.
Computex Pty Ltd - Contractors providing network infrastructure services, e.g. laying network cables, network points, etc. They work mainly after office hours or on weekends to minimise disruption to daily operations.
Printmaster Pty Ltd - Supplier of photocopiers and printers to the organization. Responsible for maintenance of copiers and printers. Monthly maintenance of copiers and printers by a technician every 1st Wednesday of the month, plus ad hoc maintenance and repair as required.
PeopleRus Human Resource Pty Ltd - Employment agency used by the organisation to provide permanent and temporary placement of staff within the organization. The organisation uses short-term contract staff extensively to meet temporary staffing requirements for the various departments, for example to cater for staff going on extended leave or to meet a temporary increase in workload. Contract staff are assigned to various departments and given the same access as permanent staff in similar roles.
Hungerbuster Pty Ltd - Vendor providing food and drinks for the vending machines located in various locations in the company. Also provides food and drinks for meetings and functions as required.
6.0 Physical Security
Entry to the organisation is either via the main entrance on the ground level or via the car park entrance in the basement. There are 2 fire exits with one-way doors (i.e. they can only be opened from the inside), and these doors are armed to set off the fire alarm if they are opened. Access to the upper levels of the company is via the passenger lifts, the cargo lift or by climbing the stairs. Signs near the main entrance as well as near the lifts in the basement direct all visitors to the reception desk on the ground level. All visitors are required to sign in, and a visitor's badge will be issued to them. Visitors will be escorted into the company premises by the person they are meeting, but are not escorted out when they leave. The passenger lifts operate 24/7 and the door to the stairwell is not locked. Vendors and contractors use the cargo lift to gain access to the upper levels for deliveries. Vendors and contractors are required to obtain a contractor badge but are not escorted in or out. The cargo lift normally only operates during normal office hours, but after-hours use can be arranged with the security office if the need arises. On the upper levels, there is a set of doors leading from the lift lobby (see layout) to the office area. These doors are kept open during office hours, and the last person to leave at the end of the workday is responsible for locking them. The company uses an open-plan office layout and staff have their own cubicles. Upper management staff have their own individual offices.
7.0 IT Infrastructure
7.1 Server Room
There is a server room that houses the company's servers as well as networking equipment. The server room is air-conditioned, and the temperature and humidity are monitored for optimal equipment performance. The server room is not locked during office hours, to facilitate easy access for IT staff. The last person to leave at the end of the day is responsible for locking up.
7.2 Wiring Closet
There is a wiring closet on each of the upper levels, containing routers and switches. All computers, network printers and photocopiers are connected to the switches and routers on their level. The switches and routers on each level in turn connect to the core routers located in the server room via vertical cable runs that run from the basement to the topmost floor. For redundancy, there is a primary cable as well as a secondary (backup) cable connecting each floor to the server room. The company uses Lake Side ISP as their Internet Service Provider, and the cables from the ISP enter the building via a cable conduit on the ground level (see layout). The cable from the ISP then runs vertically up the conduit into the server room. Due to their size and location, the wiring closets are not air-conditioned. The wiring closets are normally left unlocked to allow easy access by IT staff.
7.3 Data Processing
The seismic data processing department runs their own servers and workstations. These are housed in the data processing room, which is separate from the main server room. The data processing room is air-conditioned, and the temperature and humidity are monitored. Client data are backed up on tapes, and the tapes are housed inside the data processing room on open racks that line the walls. Due to the sensitive nature of the client data, the door to the data processing room is normally kept locked. Only authorized personnel are allowed into the data processing room.
8.0 IT Security
8.1 Client PC
All client computers (desktops and laptops) run off a standardized operating system image. All client computers have the MacAlfie antivirus software installed, and the operating system's firewall software is turned on by default. In addition, all client computers come complete with the MsOutlook email client as well as MsOffice. Department-specific software is installed separately as required. Automatic OS patching is turned off by default to prevent new patches from creating compatibility problem(s) with existing software. Back office staff are issued Dell Optiplex 360 desktops running the Windows XP operating system. Sales and IT staff, as well as all managers, are issued Dell E4300 laptops running the Windows XP operating system. The software, R&D, support and training business units use a mixture of Dell Precision desktops and laptops, running a variety of operating systems such as Windows XP, Vista, Server 2000, 2003 and 2008, as well as Linux variants such as Ubuntu and Red Hat Enterprise. Virtual machines are used extensively in the R&D business unit for application development.
8.2 Servers
The domain controller server runs on Windows 2003 Server, while the file and print server and the web server run on Windows 2000 Server. The organisation uses HP ProLiant G5 and G6 servers, rack mounted with RAID 5 hard drive redundancy. All servers are protected with the server version of the MacAlfie antivirus software as well as the BlueIce firewall software. Automatic software patching is also disabled, and new patches are only applied after being tested for compatibility on a test server. All servers are also loaded with the Symantec Backup Exec software, which backs up all data to an HP 1/8 G2 Tape Autoloader. The data processing business unit uses IBM blade centers running a customised Linux-based operating system for data processing. To ensure stability, the kernel and system applications are rarely updated. The data processing business unit runs their own separate backup on an HP 1/8 G2 Tape Loader.
8.3 IT Policies
When new staff join the company, a user account and password will be created for them. All new users are told that they should not share their user account and should keep their password secret. They are also encouraged not to write down their password in clear text and to change their password periodically.
Explanation / Answer
Managing risk is a very important factor for every organization. The following gives different ways to manage risk.
Risk acceptance:
If the risk is small, meaning it does not have much impact on the organization, accept the risk into the organization without taking any action against it.
Risk avoidance:
If a risk has more impact on the organization, that type of risk must be avoided by changing the plans and schedules of the organization.
Risk transference:
It applies to common risks in the project, like code errors; the organization should transfer the risk from management to others, like contractors or outside vendors.
Risk mitigation:
If the risk is small and very common, the organization mitigates it by giving training and awareness to the employees in the organization. That is, the risk is created by employees' misunderstanding and lack of awareness.
Scenario 1:
Staffing, building and key personnel are perfect. No risk is identified in this scenario.
Scenario 2:
Scenario 2.0 just describes the background of the company, how it works and how it provides services to other oil and gas companies. Scenario 2.1 describes the software used for processing and monitoring the oil and gas wells.
If any type of risk occurs in the MeasureMe software, accept the risk first, because the MeasureMe software records the measurements of all data for oil and gas. To manage this risk, the organization first accepts it and then modifies it by re-verifying all records.
Hence, risk acceptance is used here to manage the risk.
In scenario 2.2, the company processes and interprets the gathered information using the internal software. The Shake and Quake software is not licensed; it just receives the data from clients and processes it into readable form.
Therefore, if any risk occurs, it must be accepted and rectified.
Scenario 3:
It gives information about market share in the oil and gas industry: which companies are big competitors and which are small. So, no risk matters here.
Scenario 4:
It is the research and development scenario; many modifications and new developments are done here. Therefore, the chance of a risk occurring is higher. In scenario 4.1, a new product provides real-time remote monitoring of the drilling and pumping process via satellites. Clients are also given the prototype to run, so that changes can be made based on the feedback on the prototype. This type of new product is not known to competitors, and if they try to develop the same product it will take a minimum of 2 years. Therefore, the organization can get a 10% share of the market with the new product.
If the chip/software works properly in the developed product, that is good. Otherwise, the risk must be mitigated, because it can be solved within the organization.
In scenario 4.2, the data processing is distributed among different servers in the company to speed up the process. The risk that occurs here is that if any one of the servers does not work properly, the work will be assigned to other servers.
Therefore, the risk is managed by transferring it to other servers.
Scenario 5:
It deals with contractors and vendors who provide their services to the organization, like cleaning, maintenance, food, etc. If any type of risk occurs due to this, it must be avoided, because the organization pays money to the contractors. If any risk occurs, it will result in financial loss. So, the organization avoids this risk and appoints other contractors and vendors to do the work properly.
Scenario 6:
It deals with physical security, such as doors, locks, fire alarms and the use of separate lifts for employees and others. If any type of risk occurs in security, it will result in big damage to the company.
If a short circuit occurs and the lifts do not work, it must be accepted and no further action taken, because the one-way doors and the staircase are available for this type of risk.
Scenario 7:
It deals with the server room, wiring closets and data processing infrastructure. The risks that occur in this infrastructure are printers and other network devices functioning improperly. This is not big damage to the organization. It can be mitigated by using new network devices.
Scenario 8:
It deals with IT security on clients and servers and also describes the IT policies of the company. All client and server PCs use antivirus software and well-functioning operating systems. Automatic upgrading of OS patches is also turned off in order to avoid the risk involved with compatibility. This can be done by enabling it to upgrade the patches based on the requirement.
A risk occurs due to unwanted downloads of any software, because the antivirus licence may have run out. It can be avoided by purchasing new antivirus software programs.
If an unauthorized person enters the organization by stealing the password of an authorized one, this can be mitigated by providing awareness about the IT policies.
Therefore, all the risk mitigation strategies are used to manage the risks in the various scenarios mentioned above.