Advances in IT and Benefits of System Security - Assignment Example

SGA478A SYSTEMS SECURITY Name Date Table of Contents Table of Contents 1 Activity 1a: Background 3 Activity 1b: Target Organization 3 Activity 2a: Risks Identified 3 Activity 2b): Threats Identified 4 Activity 2c): Applicable Legislation 4 Activity 3a): Upgrading the System 5 Activity 3b): What needs to be protected? 5 Activity 3c): MIC’s Current Security Issues to be updated 6 Activity 3d): Barriers to system security 6 Activity 4a): System Attackers 7 7 Activity 4b): Existing Vulnerabilities 7 Activity 4C): Existing threats to the Organization of the project 8 Activity 4d): Risks relevant to the project organization 8 Activity 4e): Risk Management Solution 8 Activity 6a): Cost effective measures to prevent threats 9 Activity 6c): Disaster Recovery Plan 10 Activity 7a): Relevance of the Management Continuum 11 Activity 7b): Security Resource Management Issues 11 Activity 7c): Security Education and Training Requirements 11 Activity 7d): Identify relevant security partners 12 Activity 8a): Relevance of Planning Theory to Security Planning 12 Activity 8b): Development of a Security Standards Checklist 13 Activity 8c): Principles for Technical Security planning 13 Activity 9a): Current System Security Analysis 14 Activity 9b): Relevant Statutory Requirements 14 Activity 9c): Baseline Project Plan 15 Activity 9d): Internal Stakeholders requirements for the Security Regime 15 Activity 9e): External Stakeholders requirements for the Security Regime 16 Activity 11a): Relevant Industry Standards 16 Activity 11b): Security Products and Vendors 16 Activity 12a): Operational Security Requirements 17 Activity 12b): The Broad Objectives 17 Activity 13a): Input into the Security Project 17 Activity 13b): Guidelines for the Security Strategy 18 Activity 13b): Use of the Balanced Scorecard Methodology 18 Activity 14b): The Security Strategy 19 Activity 14c): Assimilate feedback and guidance 19 Activity 14d): User and Data security Hierarchies 20 Activity 14e): Security data views and access paths 20 Activity 16b): Appropriate Control Mechanisms 21 Activity 17a): The current and new Environments with their Controls 21 Activity 17b): New Procedures for Controlling Security Provisions 22 Activity 18a): Internal and External Stakeholders’ Needs 22 Activity 18b): Document the Implementation Strategy 22 Activity 19a): Audit Principles and their relevance to security planning 23 Activity 19b): Relevant Audit Mechanism 23 Activity 9c): Response Principles 23 Activity 9d): Appropriate Response Mechanisms 24 Activity 20a): Technology Needs 24 Activity 20b): Constrains in implementing the new technology 24 Activity 22a): Existing Protection 25 Activity 23a): Net Protection and Detection Technologies 25 Activity 24a): Technology Fixes 25 Activity 25a): Results of the Evaluation Process 25 Activity 26a): Impact of the results upon the security strategy and the implementation process 26 Activity 27a): Installation of the Approved Equipment 26 Activity 28a): Installation of Approved Equipment 26 Activity 28b): Documentation of Approved Equipment 27 Activity 29a): Issues to be presented from the Project 27 Activity 29b): Outcomes 27 Activity 29c): Learning Unit Summary 27 References 29 Activity 1a: Background Rapid and spectacular advances seen in Information Technology have offered incredible benefits to the concerns of system security. Nevertheless, they have also resulted in considerable unprecedented risk to operations of businesses and organizations. The government, owners, clients and staff of these organizations depend on the system security measures taken by the organization to avoid data loss, to gain access to the system, prevent exposure of sensitive information and disruption of important operations. It is expected that these risks will escalate with the continued emergence of wireless and other technologies. Company auditors need to evaluate the system security and give recommendations on how the risks can be reduced while maintaining the efficiency of the company. Activity 1b: Target Organization The Meadow Insurance Company Limited (MIC) is still operating in an old technology environment of the 1980’s. It has neither WANs nor LANs, just 3270 color terminals linked to the Support servers. MIC has recently acquired a different insurance company which also runs on the MIC server. The company’s security system provides access for outsiders to do online applications with little or no provision to the control of accessibility by these outsiders. Activity 2a: Risks Identified As part of the IT support team, I am supposed to perform an assessment and mitigation of the weaknesses found during the analysis to ensure that the system and the information are adequately secured (NIST, 2001, p1). From the current situation, the risks involved include: a) lack of efficiency, appropriate confidentiality, integrity and availability of information; b) misuse, modification and unauthorized access to the company’s information; c) Harmful loss of important information. Activity 2b): Threats Identified The identified threats involved in the system security at this point were both internal and external threats: Lack of a centralized security department No security policies, procedures and standards Espionage where information in the wrong hands can do a lot of damage due to lack of a facility that changes passwords. There is also lack of a facility that locks out unsuccessful password attempts after they exceed a certain number. Print out of files can be done by any programmer since account IDs and passwords are no encrypted in the security file available online. Data can be easily accessed, deleted or updated by outsiders with programming experience due to lack of protection objects to lock out outsiders. Licensed insurance agencies which conduct business with MIC easily access the online application with the use of the 3270 terminal because passwords don’t expire. Security guidelines, procedures, standards and processes have not been documented. Activity 2c): Applicable Legislation A number of federal rules, laws and directives have been put in place to address the information security subject. This legislation doesn’t only apply to federal agencies but also to companies that contain information used for federal purposes. This includes all local and state agencies getting funds from the federal governments. Such laws and regulations include those outlined in the 107th Congress. The HR 1017 Anti-Spamming Act of 2001 is an example of a rule that restricts unwanted e-mails called “spam” from being allowed into people’s mail boxes. Another law is the HR 347, is the Consumer Privacy and Disclosure Act that requires organizations to protect the privacy of the information about individuals on the internet so that individual control, can be obtained over the available information on the internet (Federal Information System Controls Audit Manual, 1999). Activity 3a): Upgrading the System We will develop a technology with w fresh initiative to upgrade the mainframe system. This includes utilities to use the recent sever operating systems and hardware that will ensure quality system security for MIC. This will involve coming up with a network that with remote access to the organization’s LAN. This will benefit the staff, employees, clients and the federal government. Activity 3b): What needs to be protected? Information will be protected when being stored and when being transferred over public or private networks. The intensity of protection increases with the level of sensitivity the information. What is to be protected is: 1. User Accounts 2. Organizational data: e.g. HR information from being accessed by the employees. 3. Group Accounts and information 4. Event Logging 5. Client information 6. Staff personal information. 7. Organization transactions 8. Online transmission operations. Activity 3c): MIC’s Current Security Issues to be updated We are coming with a project plan that will identify areas that need improvement, allocate resources and ensure certain issues are addressed. The extent to which this upgrading will go includes coming up with new data sets (create different databases for the different groups e.g. Staff, Clients, e.t.c), making an record of information property, coming with new groups and granting permission for access to different groups depending on the information they are supposed to access. Activity 3d): Barriers to system security The main barriers to security identified at MIC are: Decentralized IT system that is managed and maintained at different levels resulting in significant security problems. Decentralized Accountability where the insurance company’s open environment is shared with no accountability for the system security. Allocation of Resources: The IT department is underfunded and lacks adequate staff to properly secure the system. Cover-up and ignorance To combat these weaknesses, the Organization needs to: 1. Come up with a funding mechanism to sustain the system security efforts 2. Develop a training program for all Server and System Administrators. 3. Come up with secure pilot software that will ensure that the system is managed from a central place. Activity 4a): System Attackers The MIC system security is usually attacked by people who attempt to access the system with the use of the security hole. They have been identified to be of three categories: Masqueraders, Misfeasors and Clandestine users (Sprouse, 1992). They can attack the System I a manner than a virus attacks a system as shown in the figure below. Activity 4b): Existing Vulnerabilities The risk assessment revealed some of the risks to which MIC is exposed to. Therefore, the organization is vulnerable to: Implicit Trust Configuration errors Carelessness by the system administrators Activity 4C): Existing threats to the Organization of the project Payroll errors and fraud, Unauthorized access to data by outsiders Disclosure of confidential information by Staff to competitors Interruption of operations Brokering of client and staff personal information Activity 4d): Risks relevant to the project organization The MIC security System risk analysis showed that many aspects of the continuity of operation of the organization are at risk. The system administration personnel are totally unaware of their responsibilities of the task assigned to them. The MIC system requires annual update of its operational plans in order to resume activities of any other agency that they might take over in future. The virus prevention procedures are sound but they are not being followed. Loss of time and attendance data is on the rise. Activity 4e): Risk Management Solution Security system management and risk management are a vital part of the information security management in an organization and should be met through; 1. Have centralized security: A security manager should be hired to handle the security aspects of the system. 2. Using Stronger verification token to come up with passwords that cannot be use by intruders in successive sessions. 3. Security standards and procedures should be documented. 4. Offer incentives to those who comply with the security guidelines and procedures especially where payroll errors are concerned. 5. Develop internal training programs that will make sure the system administration personnel and staff know their responsibilities as far as system security is concerned.\ 6. Construct functional groups and give them access to user accounts appropriately. Activity 6a): Cost effective measures to prevent threats Obfuscation: securing publicly available information through encryption, packet stuffing, shielding or public key cryptography. Authorization and Authentication measures that ensures that a system or a person claiming an identity is the owner of that identity. Observing system vulnerabilities through monitoring and auditing to detect attacks. Consistently updating and changing passwords and software. Equipping the system designers, administrators and users with a wide knowledge of system security risks and how to enforce this knowledge. Activity 6c): Disaster Recovery Plan The disaster recovery plan follows the following steps: Step 1: Risk Analysis Step 2: Establishment of the Budget Step 3: Plan Development Step 4: Set the Plan and test it frequently Activity 7a): Relevance of the Management Continuum The ultimate success and application lies with the senior management of MIC who will establish the system security program, it goals, priorities and goals that that drives the system security of MIC. The goals and objectives will then be taken up by the support management that will come up with the upgraded system and manage it on a day-to-day basis. This group is also responsible for analyzing the new LAN upgrading project at each phase and assesses its performance in all the relevant elements of the system security program as well as the external environment. Activity 7b): Security Resource Management Issues The system security resources refer all the assets that are used to come up with an integral quality security system program. Some of the security resources to be used include: Back up storage devices like external hard disks and high capacity magnetic tapes Powerful and efficient server operating systems like the Windows 2008 server environment Secure data transfer systems Secure databases for information storage on staff and clients Updated anti-virus programs Passwords, passes and identity cards for the staff. Activity 7c): Security Education and Training Requirements MIC will be required to train different groups on the use of the upgraded security system: Clients: The online applicant will need to be trained on how use the online main menu, use of user ID and passwords to access the information on the MIC website. Employees: Will be trained on the procedures of signing for and selecting new passwords that have to be changed periodically. Programming Staff: they will be trained on how to use the new upgraded LAN to test inventory programs to ensure the system operates without major hitches. Activity 7d): Identify relevant security partners The security partners relevant to the upgrade of the MIC system security include: MacAfee Norment Security Partners Global Security Alliance IBM Eurosec IT security consultants NetContinuum company LTD Activity 8a): Relevance of Planning Theory to Security Planning To fit into the system security planning theory, the upgraded system plan will give an outline of the requirements and give a description of the controls put in place, expected responsibilities and behaviors of all people who have access to the system. The upgraded system will act as a core constituent of the DITSCAP. The plan documents the structure of the planning process and its cost. It shows the input of the different managerial responsibilities about the system including information on employees, staff, clients, owners, system operators and the system managers. It also has additional information from the basic plan about the structure and format of the organization. Activity 8b): Development of a Security Standards Checklist The new MIC system security will be developed to meet the following standards: Prohibition of certain devices Preserving the security integrity Personal Time-Shifting Copies Cannot Be Restricted or Blocked Security system standards; reliability, renewability, resistance to attack, ease of implementation, modularity and applicability to multiple technology platforms. Activity 8c): Principles for Technical Security planning The relevance of the Security planning project is geared at improving the system security at MIC and is tied to it mission that operates of the following Technical Security Planning Principles: To preserve the privacy and the confidentiality of information Implement an efficient network that allows for integrity and availability of information. Establishing an effective Network Access system. Minimizing unauthorized access to data and information. Deploying a better disaster management plan that will address issues of data disclosure, alteration, loss and destruction. Establishing a better management for the Wireless Networking Security System. Facilitating a more secure connection and accessibility to data by outsiders. Protection of data damage by installing security software. Activity 9a): Current System Security Analysis The practicality of the MIC network system is the company’s migration to a modern LAT system that is intended to provide security to the information on the system. The current system is an old online network security system that uses just one mechanism of controlling the access to corporate data and information available on the network. The exposures of the data are severe with no integrity controls to data released to the environment outside the network. Activity 9b): Relevant Statutory Requirements An upgraded system security for MIC will require many factors that will ensure that the system runs successfully. The statutory requirements include: Computer security and privacy plans System-Specific Security Policy Management controls Stable Resource base Availability of a public vision and mission statement Compliance program Liaison with external groups Activity 9c): Baseline Project Plan A baseline project plan is developed that involves risk analysis, resource allocation and ensure that goals are met. The process of coming up with the upgraded LAN system for MIC also includes creation inventory for the information assets, making new objects (hierarchical datasets), creating new groups and granting them the necessary access to the permissible objects. A training program is the developed to train the users on how to use the upgraded system in both the batch and interactive more. The trainers will however be trained in mini boot camps who will in turn mentor and tutor the user community. Recruitment of new staff from all the departments in the organization will ensure that the toll out process is well supported. The rollout will be done noting any hitches that will be mitigated to meet the expectations of the external and internal auditors. Activity 9d): Internal Stakeholders requirements for the Security Regime The issue of the system security will be the responsibility of everyone in the organization and the internal Stakeholders will be required to: Establishment of the computer security program for the organization Setting the LAN’s objectives, goals and priorities. Directing the day-to-day management of the system security program Procurement and payroll to support the system security program Providing security and data controls Handling errors Controlling data Protection of personal information Disaster recovery plan Quality assurance Activity 9e): External Stakeholders requirements for the Security Regime Ensure data and information protection Endure availability and integrity of data and information Following system security procedures Report any security problems Conducting safe access to the system Activity 11a): Relevant Industry Standards The following is an identified gallery of relevant LAN standards for the MIC system security upgrading project: 1. IEEE 802.11 which requires one MAC protocol for every 3 physical layers  2. 802.11-b and 802.11-a (802.11 at 5 GHz) that requires increased speed to save on costs 3. HiperLAN requires a devoted bandwidth of 5.1 to 5.3 GHz 4. HiperLAN II is based on based on OFDM modulation 5. HomeRF & SWAP 6. BlueTooth Activity 11b): Security Products and Vendors The security vendors and their products relevant to this project are: 1. NOD 32 Version 7 2. Kroll Ontrack for identifying security Vulnerabilities and Risks 3. Cisco for system security Auditing 4. GFI Webmonitor for employee productivity, monitoring and filtering downloaded material 5. Intel® Core™ vPro™ for provision of firewall hardware Activity 12a): Operational Security Requirements The identified Security requirement is the Resource Access Control Facility that will ensures: Identity and verification of users Authorizing and permitting users to access the protected resources Reporting and recording access attempts by the users Activity 12b): The Broad Objectives The main objective of the security system upgrading project is to inject the fresh technology to improve the server platform and upgrade the security system of the organization. The aim is to use the current network hardware and operating systems including the current operating systems for server environments. Activity 13a): Input into the Security Project The success of upgrading the MIC system security will depend on the input that will take place which includes: Resource Access Control Facility Summary of the security program Analyzing the security reports Processing the Resource Access Control Facility Policy violation reporting Legality of the online security Activity 13b): Guidelines for the Security Strategy User identification and verification Naming convention to identify user accounts Password parameters that meet the suggested national standards Inventory of the existing information objects Identification of individuals who need access to data objects and classify them in groups Training of the users Monitoring the way event occur on the system network Activity 13b): Use of the Balanced Scorecard Methodology The Balanced scorecard methodology will be used to present the goals and the objectives of the upgraded system into mission, strategy, practical activities and the evaluation. The mission statement of the project is to protect the integrity, confidentiality and the availability of the information to all users while minimizing the cases of unauthorized alteration, addition, destruction and disclosure of data. The strategy will increase in data protection using the current data protection facilities in the market and the practical activities will be the actual set-up and rollout of the upgraded LAN. The evaluation will include quantification of users’ suggestions and client surveys by the internal and external system security auditors to identify the KPIs (Key Performance Indicators). Activity 14b): The Security Strategy The security system strategy employed is both proactive and reactive emphasizing on the enabling of services to drive change in the organization’s system security. The strategy will be driven by the business strategy is maintained by both the organizational analysts and the IT specialists as shown below: Activity 14c): Assimilate feedback and guidance Feedback and guidance from the various stakeholders will be assimilated back to the upgrading plan in order to continuously improve the services delivery of the system security by: Reviewing the reporting lines of the network services within MIC Management structure Producing the updated system security policy Develop tools for incident management, disaster recovery and change management Implement the system security management plan Monitor the performance of the system Activity 14d): User and Data security Hierarchies The user and the data security hierarchies will take the following model The detailed connections between the users and the data security groups are likely to vary and will be decided on when the plan is implemented. Activity 14e): Security data views and access paths The following SQL Model shows the data access in a secure mode that selects data using a query depending on the group of the user wishing to view the data. The system then looks up the information online upon the authentication of the use after they log in. The user then views the data in a structure that will not reveal it to the next or concurrent user. Activity 16b): Appropriate Control Mechanisms A control mechanism using the RACF will monitor the system and record any suspicious activity to: Ensure that only authorized individuals access the system Record any failures to access the system Record all uses of emergency accounts used to fix problems when using the system Record all failures to sign-in Activity 17a): The current and new Environments with their Controls The old current system is running in a very old technology with no LAN which is linked to a coax mainframe. The system provides access control to all online applications with little or no provision to access controls from outside the environment. The new system will use server environments, latest operating and security systems to replace the old system. Activity 17b): New Procedures for Controlling Security Provisions The current system has no reliable provisions for security control however the upgraded LAN as the following provisions for Security control; Executing the network firewall Installing new security updates Continuous changing of passwords Secure access control Having backups for network servers Activity 18a): Internal and External Stakeholders’ Needs To implement the new security regime, the internal and external stakeholders need: 1. User accounts with verifiable usernames and passwords 2. User Groups and their codes 3. Working rooms 4. Training on the use of the upgraded LAN 5. Understand the procedure o accessing data on the system Activity 18b): Document the Implementation Strategy The implementation strategy will be a step-by-step process that will first take place in a room fitted with around 10 personal computers and telephone lines. The replacement process will then take place with the terminal PCs running on a terminal simulation program to communicate with the central server via the upgraded LAN. This room will act as the office assistant during and after the replacement and will be staffed with people from different technical departments. They will guide the users through accessing the information on the new system and problems tracking method is implemented from this room during the replacement period. Activity 19a): Audit Principles and their relevance to security planning The following are the principles of auditing relevant to this security planning: Assessment Prevention Detection Reaction Recovery Activity 19b): Relevant Audit Mechanism The audit mechanisms will involve comparison of the system security against: MIC’s own security policy and security baselines Compliance to the regulatory standards such as NIST 800 and ISO 27002 Frameworks of governance like COBIT and COSO. Activity 9c): Response Principles After auditing is done, the System Management in the organization will always respond according to the following principles: Monitoring major performance indicators Reviewing the performance of the system Assessing critical success factors Evaluation of the system security Preparation of progress reports Activity 9d): Appropriate Response Mechanisms The response mechanism will require the stakeholders involved to present their response criteria in form of a report according to the company policies. After the response mechanism is documented, the officer in charge will see to it that the response follows the audit procedures and whenever any upgrade or change needs to be made is done on time. The reports will then be kept by the internal auditor and the system manager for the record. Activity 20a): Technology Needs The technology needs involve a server that can support more than 200 user terminals, upgraded mainframe platform, current server operating systems, most recent server and mainframe hardware and the current security system. Activity 20b): Constrains in implementing the new technology The company might face the following constrains during the implementation of the new technology: High cost of the technology required to rollout the project including buying the operating systems, hardware and the server equipment. Limited time to upgrade the system which might lead to losses Training the staff and the users on the use of the new system will be expensive and time consuming Lack of enough trained personnel to rollout the new system Activity 22a): Existing Protection The existing protection technology is the online access control that has no provision for controlling access outside the online system Activity 23a): Net Protection and Detection Technologies Use of passwords and Authorizations Use of most current anti-virus software Intranet site on the LAN Digital certificates Intrusion Detection System Firewalls Access control processes Activity 24a): Technology Fixes The upgraded system will be fixed using the most recent technology to ensure that user access to data can be monitored while recording any suspicious events. Activity 25a): Results of the Evaluation Process After fixing the upgraded system, an evaluation was done by the internal auditor. The reviewing of the system, procedures, standards and guidelines was done. The results showed that there were no significant defects or significant weaknesses related to the security system. All these were confirmed by the external auditor (Schneier, 2000). Activity 26a): Impact of the results upon the security strategy and the implementation process The fixing of the new technology provided great benefits to MIC producing the following impacts: A central up to standards security department with procedure and guiding principles well documented. Default protection of data Password-controlled access to data Event monitoring to record and review suspicious and unusual activity Elimination downtime in production due to accidental testing parameters Activity 27a): Installation of the Approved Equipment I installed the new system when the day came. The new mainframe, server, operating systems and the security systems were put together to replace the old system. By 7.30 a.m. on Monday, the implementation room was ready for the rollout. It was an exciting moment as we easily handled 100 cases of questions from the users on that first day. The system ran well for the rest of the week and things went to normal with the new upgraded LAN in place. Activity 28a): Installation of Approved Equipment The approved equipment was installed including the Microsoft 2008 server environment among others. Activity 28b): Documentation of Approved Equipment The documentation of the approved equipment, procedures and guidelines was done for the record. Activity 29a): Issues to be presented from the Project There is a pending crisis where the users will be required to select and replace their new passwords within sixty days. This will involve all the users. Therefore, all the users will do this the same day meaning the volume of phone calls to the support department will be very high. This can be avoided by spreading out the expiration day hence the crisis is avoided. Activity 29b): Outcomes The outcome of this project was successful replacement of the old mainframe platform by the Upgraded LAN leading to an efficient balance between protection of customer and corporate information and ensuring that creativity and good ideas are effective (Ramana, 2003). Activity 29c): Learning Unit Summary The unit helped in coming up with a security system that relies on a cost effective collection of procedural, physical, integrated and automated controls. To have a cost effective system means putting the controls in place to combat the threats pose high risks while dealing with residual risks. Application of the controls has difficulties but doing it properly and consistently makes the security system becomes better and better. This unit has presented various examples in which major risks, vulnerabilities and threats to a security system which can rise from a lack of assurance or compliance to the set standards, procedures and guidelines. However, continued compliance, periodic audits, assessment of threats and examination of the efficacy of the system are essential to ensure that any system security programs. References Federal Information System Controls Audit Manual (GAO/AIMD-12.19.6, January 1999). Martin Sprouse, ed., Sabotage in the American Workplace: Anecdotes of Dissatisfaction, Mischief and Revenge (San Francisco, CA: Pressure Drop Press, 1992), p. 7. National Institute of Standards and Technology (NIST). Security Self-Assessment Guide for Information Technology Systems, NIST Special Publication 800-26. November 2001. http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf Ramana, S. V., “Securing the System Security” Network Magazine, January 2003. Read More