I NFORMATION S YSTEMS C ONTROL J OURNAL,VOLUME 2, 2003
Implementing Enterprise Security:
A Case Study (Part 1)
By Ken Doughty, CISA, CBCP
This article is part one of a two-part series. The second
part will be published in the Journal volume 3, 2003.
Information is an essential asset for organizations because
it supports the day-to-day operations and facilitates decision
making by key stakeholders. The challenge facing organizations
is how to provide access to this asset without compromising its
integrity. This asset is received and distributed by the organization through various distribution channels, which are connected
by the telecommunications network. These channels include:
• E-mail
• Internet
• Applications (e.g., financial, logistics, retail, property and
construction, energy)
• DBMS (e.g., MS SQL Server, Oracle, DB2, Sybase)
• Operating systems (e.g., UNIX, Windows/NT 2000)
To minimize the risks that would compromise the integrity/security of the organization's information channels and systems requires the implementation of a security framework,
supported by processes (and the deployment of tools).
However, today’s dynamic business environment has resulted
in many organizations not providing sufficient resources to
maintain an environment that promotes and protects the organization's information assets.
Corporate governance now is forcing company boards and
executive management to recognize the strategic importance of
protecting information assets through effective risk management practices.
In a study of Internet hackings issued by the CERT® Coordination Center,[1] in the US alone during 1998 there were
3,734 reported incidents of hacking. This rose to 52,658
reported hackings during 2001. Unfortunately attacks not
only are being carried out by people who are foreign to the
organization, there also are many instances where current and
former employees have been able to cause business disruption
due to inadequate security practices.
Although hacking and viruses may be considered the more
immediate and greater threat to organizations at present,
security exposures in other areas often are not adequately
addressed. The education of staff in the control of confidential
information is a prime example. Proper security of a laptop
computer once it leaves the organization’s premises and is in
transit, use of personal computers (PCs) by family members
where infected data or illegal software may be downloaded, or
the sale and release of a company PC without properly erasing
company data are other examples.
The Information Security Breaches Survey 2002 (ISBS
2002) conducted by PricewaterhouseCoopers in the UK found
that:
• 44 percent of UK businesses have suffered at least one malicious security breach in the past year.
• The average cost of a serious security incident was UK
£30,000. Several businesses surveyed had security incidents
that cost them over UK £500,000.
• 20 percent of the large organizations where an incident
occurred took more than a week to get business operations
back to normal.
• 27 percent of respondents to the survey indicated that they
had a documented security policy.
• Only 15 percent of respondents indicated that they were
aware of the BS7799 security standard, which has been
adopted by the International Organization for Standardization
(as ISO/IEC 17799).
• Only 33 percent of UK web sites have software in place to
detect intrusion. Only 51 percent of transactional web sites
encrypt transactions passing over the Internet.
• 19 percent of the organizations that provide remote access
have implemented two-factor authentication.
This survey again indicates that security still is not being
treated by organizations as an investment in protecting their
information assets. Rather, for many organizations security is
considered an operational overhead and another impediment to
doing business.
Case Study
The Organization
The organization is a medium-sized organization with a
number of outlets spread across a large geographical area.
The security across the organization can best be described as
having been neglected by past management, and was considered
to be high risk. This situational analysis was captured by the
organization’s internal audit department and supported by the
external auditors.
The audit committee reviewed its findings, and as a result the
organization’s information technology (IT) department was
directed to develop an action plan to immediately address the
deficiencies and implement an information security framework.
Setting the Scene
Information Technology Environment
The organization’s IT architecture included:
• IBM mainframe computers (located in two data centers 20
kilometers apart)
• IBM midrange computers
• Storage area network (across the two data centers)
• More than 300 servers (IBM, Compaq and Sun)
• Four database management systems (DB2, Oracle, SQL
Server and Lotus Notes)
• Operating systems (AIX, Solaris, NT/Windows 2000 and
OS/390)
• More than 1,000 desktops
Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Security Environment
The security environment included:
• No dedicated resource/s for information security, only for
physical security
• No approved information security policies
• No security awareness program
• No deployment of security software and hardware to
facilitate security violation logging, monitoring and reporting
• No e-mail filtering
• No URL filtering
• No intrusion detection system (IDS)
• No automatic security patches/fixes update to servers and/or
desktops including notebook computers
IT Culture
An organization’s culture often is imprinted not only into
the management practices, i.e., policy, procedures and directives, but also on its personnel, particularly if the personnel
involved in system development, project and operational management have been long-term employees of the business.
Without realizing it, these personnel may execute their duties
and responsibilities in a form and manner that is consistent
with the corporate culture, rather than with generally accepted
industry practice.
The IT organizational culture had developed over many years
with IT as the strategic driver. This meant that the culture was
not customer-centric, and lacked the entrepreneurial and commercial acumen that is required to drive the business forward.
Security Strategy
A strategic and tactical approach was undertaken to address
security, to "lock down" the environment within a short timeline of six months (per the CEO directive).
The resources available for deployment were constrained by
the previous year’s budget allocation; therefore, a cost-effective
and value-added approach was required. Consideration was
given to fully implementing ISO17799. However, the estimated
cost was prohibitive and could not be implemented within the
timeframe. Therefore, the strategy was to implement the
critical elements of ISO17799 without the cost inhibitor and
within the timeline. The strategy also had to take into
consideration the need for the continued delivery of the
day-to-day IT services to the business.
Executive management approved the strategy before its execution. This support was critical to facilitate implementation
and future ownership of security by line management.
Tactical Strategy
A security project was established with a dedicated project
manager. The organization had recently implemented a corporate project management methodology that was based upon the
Project Management Institute (www.pmi.org) guidelines. This
was the first IT project to utilize the project management
methodology. A tactical plan was developed to divide the
implementation of security in five phases:
• Organizational (i.e., policies and processes)
• Operating system
• Database management systems (DBMS)
• Telecommunications
• Access security—information assets
Organizational Security
The first action taken was the appointment of a dedicated
resource for data security. The data security officer (DSO) initially reported to the CIO until the core security measures were
implemented. Then, the position was transferred to an IT operational executive.
One of the first tasks undertaken by the DSO was the collation of all the security audit reports for the past two years and
consolidation of the issues into an Access database (the security
register). The security register was to become the repository of
all security issues and the DSO was accountable to add, follow
up on all outstanding actions, close out and report on the status
of security issues in a timely manner.
To ensure that security patches/fixes and alerts were identified for action, the DSO subscribed to a number of security alert
services and other security-related web sites (see appendix 1 ).
In addition, a high-level gap analysis was undertaken to identify and analyze the gap between current organization security
management practices and the ten security management criteria
listed in the ISO17799 standard (see appendix 2 ). The areas
identified that were considered to be deficient included:
• Security policies—The gap analysis immediately identified
that the current information security policies needed to be
revised. The existing policies had been placed on the organization's intranet; however, the policies had not been approved by
the CEO or promoted throughout the organization so that all
staff knew their accountability regarding security.
The following policies were identified as having the
greatest impact and requiring immediate attention:
– Information security policy
– E-mail usage policy
– Internet usage policy
– Remote access policy
The DSO, with the support of experienced and senior IT
staff, revised the previously mentioned policies taking into
consideration security policies of best practice organizations
and ISO17799.
The newly revised security policies were submitted to the
IT steering committee, which was established by the CIO
for review and endorsement before final approval by the
CEO. These revised and approved policies were included in
the planned security awareness program.
[Figure: Security Tactical Framework. The diagram shows the five phases of the tactical plan: Organizational Security; Operating System Security; DBMS Security; Telecommunication Security; and Access Security (Information Assets).]
• Security Standards—The gap analysis identified that there
were no security standards for hardware and software configuration. Upon further investigation it was found that:
– There was no configuration database to assist in the ongoing operational support of the infrastructure.
– Little or no documentation of current configuration settings existed.
– The existing processes were unable to completely and
accurately identify, monitor and report upon IT assets.
– The asset records were not up-to-date.
An action plan (included in the security register) was developed to address the deficiencies identified by the gap analysis.
At this time, the organization was implementing a systems
management software product to assist in providing IT operational support to its network. As part of this implementation
the project scope was expanded to include the development of
a configuration database that was compliant with the
Information Technology Infrastructure Library (ITIL)[2] model
(see appendix 1).
The implementation of the system management software
was the catalyst to implement ITIL for:
– Incident management
– Problem management
– Change management
Following the implementation process set out in this article,
the remainder of the ITIL model progressively was to be
implemented over the subsequent eighteen months.
• IT assets—An IT asset audit was undertaken to identify all
of the assets and to determine the current security configuration. The audit found:
– 47 percent more servers than asset records indicated
– No record of routers, hubs and other communication
devices
– 300 percent more desktops than asset records indicated
– A number of storage rooms filled with retired hardware
(e.g., PII PCs, printers, various hardware components,
software). In one storage room, three large top-end
Compaq servers were identified still in their packing cases
unopened. It appears that they were purchased for a project that was later cancelled.
– Varying setup configurations for network devices (e.g.,
routers)
– Varying configurations across the range of servers, desktops and notebook computers (i.e., no standard operating
environment or SOE)
The action plan to address the deficiencies (included in
security register) identified by the IT asset audit included the
establishment of a working party. The objectives of the
working party were to:
1. Develop the configuration standards based upon best
practice for hardware and installed software across the
three towers:
– Mainframe
– Midrange
– Server/desktop
Following detailed testing (sociability) to ensure that
there were no conflicts that would impact the delivery of
services to the business, the configuration standards were
deployed across the three towers. The configuration data-base established within system management software was
updated to reflect the deployed configuration settings.
Change management processes were enhanced to ensure
that any changes in configuration were updated in the
configuration database.
2. Reconcile the differences between the IT asset audit
results and the organization’s financial records.
Reconciliation of the IT asset audit results and the organization's financial records found a large discrepancy. The
majority of the discrepancy was due to the lack of processes to update
the financial records for disposal of IT assets.
3. Develop processes to ensure that IT asset records were
maintained up-to-date by the utilization of the system
management software (including an interface to the
financial system). Processes (workflow) were developed
to automate the maintenance of the IT asset records (from
purchasing through to disposal). This was supported by
a rolling stocktake of IT assets by the desktop IT support
team.
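The working party's second and third objectives, reconciling the asset audit against the financial records and keeping the register current, come down to comparing three sources by a common key. The following is an added example for this article, not the organization's own tooling: it keys discovered hosts, the asset register and the finance ledger on a normalized serial number and sorts the differences into the categories the audit actually found (hosts with no record, records with no host, disposals never written off). The record layouts and the rows in sample_data() are constructed for illustration.

```python
"""Three-way IT asset reconciliation: hosts discovered on the network
versus the IT asset register versus the finance fixed-asset ledger.

Added example, not the case study organization's own tooling. The
record layouts and the sample rows in sample_data() are constructed;
a real run would export them from the systems-management discovery
tool, the configuration database and the financial system.
"""
from dataclasses import dataclass, field


def norm_serial(serial: str) -> str:
    """Key all three sources on the same form of the serial number.

    Finance types serials by hand and discovery tools read them from the
    BIOS, so case and spacing differ between sources.
    """
    return "".join(serial.split()).upper()


@dataclass
class Reconciliation:
    unrecorded: list = field(default_factory=list)        # on the network, no asset record
    missing: list = field(default_factory=list)           # asset record, nothing answers on the network
    not_written_off: list = field(default_factory=list)   # still on the books, gone from IT's view
    untracked_in_finance: list = field(default_factory=list)  # known to IT, not on the books


def reconcile(discovered, register, ledger) -> Reconciliation:
    """Compare discovered hosts, the asset register and the ledger by serial."""
    seen = {norm_serial(d["serial"]): d for d in discovered}
    recorded = {norm_serial(r["serial"]): r for r in register
                if r["status"] != "disposed"}
    on_books = {norm_serial(l["serial"]) for l in ledger
                if l["status"] == "capitalised"}

    result = Reconciliation()
    for serial, row in seen.items():
        if serial not in recorded:
            result.unrecorded.append(row["hostname"])    # the "more servers than records" finding
    for serial, row in recorded.items():
        if serial not in seen:
            result.missing.append(row["hostname"])       # lost, stolen, or unopened in a store room
    for serial in on_books:
        if serial not in recorded and serial not in seen:
            result.not_written_off.append(serial)        # disposed, but finance was never told
    for serial in recorded.keys() | seen.keys():
        if serial not in on_books:
            result.untracked_in_finance.append(serial)   # bought outside the purchasing process
    for bucket in (result.unrecorded, result.missing,
                   result.not_written_off, result.untracked_in_finance):
        bucket.sort()
    return result


def sample_data():
    """Constructed sample extracts; serial spelling deliberately varies by source."""
    discovered = [
        {"hostname": "srv-db-01", "serial": "abc123"},
        {"hostname": "srv-web-07", "serial": "XYZ 789"},   # nobody registered it
        {"hostname": "srv-app-03", "serial": "DEF456"},
    ]
    register = [
        {"hostname": "srv-db-01", "serial": "ABC123", "status": "in service"},
        {"hostname": "srv-app-03", "serial": "def456", "status": "in service"},
        {"hostname": "srv-old-02", "serial": "OLD001", "status": "in service"},  # not on the network
        {"hostname": "srv-ret-09", "serial": "RET009", "status": "disposed"},
    ]
    ledger = [
        {"serial": "ABC123", "status": "capitalised"},
        {"serial": "DEF456", "status": "capitalised"},
        {"serial": "OLD001", "status": "capitalised"},
        {"serial": "GONE77", "status": "capitalised"},   # scrapped years ago, never written off
        {"serial": "RET009", "status": "written off"},
    ]
    return discovered, register, ledger


if __name__ == "__main__":
    r = reconcile(*sample_data())
    print("On network, no asset record:      ", r.unrecorded)
    print("Asset record, not on network:     ", r.missing)
    print("On the books, gone from IT's view:", r.not_written_off)
    print("Known to IT, not on the books:    ", r.untracked_in_finance)
```

Each bucket maps to a different owner: unrecorded hosts go to the configuration database team, missing hosts to physical security and the store-room stocktake, and the last two to finance. Running the comparison from the systems-management export on a schedule is what turns the one-off audit into the rolling stocktake the article describes.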
• Security processes—For the existing security processes, the
gap analysis identified a number of weaknesses including:
– A lack of communication (coordination) between the IT
department sections
– Little or no documentation of processes
– Heavy reliance on individuals to notify the IT department
to remove employees and/or contractors from the various
systems (including remote access) upon cessation of
employment or contract
– No regular follow-up to ensure that users with remote
access still required this facility
– No regular verification with application owners that users’
access privileges were appropriate for their role and
responsibilities
– No regular update of the latest security patches/fixes to
desktops and notebook computers, including computers
provided by the organization to users at their homes
An action plan was developed to address the deficiencies
(included in security register) identified by the gap analysis.
One of the critical tasks to address the security weaknesses
was to identify and select an automated tool that would assist
in the download of security fixes/patches to the server/desktop
platform. After detailed evaluation a software product was
selected to automate the download of security fixes/patches to
the server/desktop platform operating systems.
• Security awareness—For security awareness the gap analysis
identified that there was:
– No regular program to keep users informed of their
accountability for their user IDs, passwords, etc.
– Little or no dissemination of information on security policy, standards, guidelines or processes
– No security information included as part of the employee/
contractor induction program to the organization or when
user IDs were issued
A security awareness program was developed with the
assistance of an external consultancy firm. The security
awareness program included a number of initiatives:
– Development of a security intranet site:
· The intranet site included links to the security policies,
standards, guidelines and processes.
– How-to series:
· How to choose a good password
· How to virus scan
· How to work at home securely
· How to avoid careless talk
· How to protect a laptop
· How to be secure at work
– Design and publication of a poster series that was attached
to notice boards throughout the organization. The posters
were changed on a regular basis (every three months) to
keep the security theme fresh.
– Development and presentation of PowerPoint slides at a
series of security awareness workshops by the data security
officer
– Targeting executive and line managers to attend the workshops to receive security awareness packs
– Preparation of security awareness packs to be issued at the
security awareness workshops. The packs included:
· Copy of the security policies
· Copy of how-to series
· Mouse pads with a security theme (see appendix 2)
· Instructions for executive and line managers:
– The instructions required the security policies to be
distributed to each staff/contractor under their
supervision.
– The security policies were to be read by all staff/
contractors and their signatures obtained (on a listing
provided by the organization’s human resources
department) acknowledging that they had read and
understood their obligations and accountabilities in
terms of the policy.
An evaluation form was prepared to provide a feedback
mechanism to measure the effectiveness of the workshop
presentations. Further, an analysis of the number of hits to the
security intranet was performed to assist in determining the
success of the program. Based on this information, additional
strategies were developed to continue the promotion of security
awareness within the organization—the “keeping alive” program.
Part 1—Conclusion
Corporate governance is forcing organizations’ executive
management to address enterprise security. The challenge for
organizations is how to implement enterprise security without
compromising integrity while providing assurance to executive
management. In part 2 of this article, which will be issued in
the Journal volume 3, 2003, the case study will pick up with an
analysis of how this organization implemented enterprise
security, particularly:
• Operating system security
• Database management system security (DBMS)
• Telecommunications security
• Access security—information assets