This is the final phase of the case study assignments. The primary purpose of this project is for you to demonstrate your understanding of the principles covered in this course. You will create a minimum of 12 PowerPoint slides to summarize the policy review conducted and your recommendations for the next steps the merged company should take to protect its data and information assets. The cover, summary/conclusion and reference slides are not part of the slide count. It will also include a minimum of 5 references. The grading rubric provides additional information about the content and formatting of your presentation.

Each policy review and recommendations presentation should address the following:

Current policy: Discuss the current (as per the case study) IT cybersecurity policy.

New technology: Describe the functionality of the new technology selected for implementation and the challenges associated with the current cybersecurity policy. Identify cybersecurity vulnerabilities that could be introduced by the new technology that might not be mitigated by technological configuration management.

Recommendations: Discuss revisions and modifications that must be made to the current IT cybersecurity policy to ensure that the new technology does not compromise the organization's cybersecurity posture. Address the inter- and intra-organization leadership, managerial, and policy challenges and effects associated with the recommendations.

***Use information from the attached projects and the case study as well***

RUBRIC
Policies

  Current Policy
    Level 5 (10 points): Clearly describes the current IT cyber security policy.
    Level 4 (8 points): Basically describes the current IT cyber security policy.
    Level 3 (6 points): Weakly describes the current IT cyber security policy.
    Level 2 (3 points): Little description of the current IT cyber security policy. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): No description of the current IT cyber security policy.

  Rationale
    Level 5 (10 points): ID at least 2 IT security policies to implement based upon the case study. Clearly discusses the rationale for selection of these policies.
    Level 4 (8 points): ID at least 2 IT security policies to implement based upon the case study. Basically discusses the rationale for selection of these policies.
    Level 3 (6 points): ID at least one (1) IT security policy to implement based upon the case study. Weakly discusses the rationale for selection of the policy.
    Level 2 (3 points): May ID at least one (1) IT security policy to implement based upon the case study. Little discussion of the rationale for selection of the policy. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): No policies identified or discussion of the rationale for the IT security policies.

New Technology

  Functionality of Technology
    Level 5 (10 points): Clearly describes functionality of new technology selected for implementation.
    Level 4 (8 points): Basically describes functionality of new technology selected for implementation.
    Level 3 (6 points): Weakly describes functionality of new technology selected for implementation.
    Level 2 (3 points): Little description of functionality of new technology selected for implementation. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): No description of functionality of new technology selected for implementation.

  Challenges
    Level 5 (10 points): Clearly describes challenges associated with the current cyber security policy based on the new technology.
    Level 4 (8 points): Basically describes challenges associated with the current cyber security policy based on the new technology.
    Level 3 (6 points): Weakly describes challenges associated with the current cyber security policy based on the new technology.
    Level 2 (3 points): Little description of challenges associated with the current cyber security policy based on the new technology. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): No description of challenges associated with the current cyber security policy based on the new technology.

  Cybersecurity Vulnerabilities
    Level 5 (10 points): Clearly explains the cyber security vulnerabilities that could be introduced by the new technology that may not be mitigated by technological configuration management. Must address two (2) or more IT policies.
    Level 4 (8 points): Basically explains the cyber security vulnerabilities that could be introduced by the new technology that may not be mitigated by technological configuration management. Must address two (2) or more IT policies.
    Level 3 (6 points): Weakly explains the cyber security vulnerabilities that could be introduced by the new technology that may not be mitigated by technological configuration management. Must address at least one (1) IT policy.
    Level 2 (3 points): Little explanation of the cyber security vulnerabilities that could be introduced by the new technology that may not be mitigated by technological configuration management. May address only one (1) policy. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): No explanation of the cyber security vulnerabilities that could be introduced by the new technology that may not be mitigated by technological configuration management. Doesn't address any policies.

Recommendations

  Revisions and Modifications
    Level 5 (10 points): Clearly discusses revision and modification to each IT cyber security policy to ensure new technology doesn't compromise organization cyber security posture. Must address two (2) or more IT policies.
    Level 4 (8 points): Basically discusses revision and modification to each IT cyber security policy to ensure new technology doesn't compromise organization cyber security posture. Must address two (2) or more IT security policies.
    Level 3 (6 points): Weakly discusses revision and modification to each IT cyber security policy to ensure new technology doesn't compromise organization cyber security posture. Must address at least one (1) IT policy.
    Level 2 (3 points): Little discussion of revision and modification to each IT cyber security policy to ensure new technology doesn't compromise organization cyber security posture. May address only one (1) policy. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): Doesn't discuss revision and modification of any IT cyber security policy to ensure new technology doesn't compromise organization cyber security posture. Doesn't address any policies.

  Challenges and Effects
    Level 5 (10 points): Clearly addresses the inter- and intra-organization leadership, managerial and policy challenges and effects associated with the new policies.
    Level 4 (8 points): Basically addresses the inter- and intra-organization leadership, managerial and policy challenges and effects associated with the new policies.
    Level 3 (6 points): Weakly addresses the inter- and intra-organization leadership, managerial and policy challenges and effects associated with the new policies.
    Level 2 (3 points): Little treatment of the inter- and intra-organization leadership, managerial and policy challenges and effects associated with the new policies. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): Doesn't address the inter- and intra-organization leadership, managerial and policy challenges and effects associated with the new policies.

  Communication Challenges
    Level 5 (10 points): Clearly discusses challenges in communicating new policies across the organization.
    Level 4 (8 points): Basically discusses challenges in communicating new policies across the organization.
    Level 3 (6 points): Weakly discusses challenges in communicating new policies across the organization.
    Level 2 (3 points): Little discussion of the challenges in communicating new policies across the organization. (Or, inappropriate or excessive copying from other authors' work.)
    Level 1 (0 points): No discussion of the challenges in communicating new policies across the organization.

Finds and Applies Knowledge

  Use of Authoritative Sources
    Level 5 (5 points): Used at least 5 authoritative or scholarly sources in paper. One must be NIST SP 800-53. No APA style errors in sources.
    Level 4 (4 points): Used at least 3 authoritative or scholarly sources in paper. One must be NIST SP 800-53. No more than 1 APA error in sources.
    Level 3 (2 points): Used at least 2 authoritative or scholarly sources in paper. One must be NIST SP 800-53. No more than 2 APA errors in sources.
    Level 2 (1 point): May have used 1 authoritative or scholarly source in paper. May use NIST SP 800-53. May not have used APA style formatting.
    Level 1 (0 points): No authoritative or scholarly sources used in paper. NIST SP 800-53 not mentioned.

  Citation of Sources
    Level 5 (5 points): All sources cited. No errors in citing material in paper.
    Level 4 (4 points): All but 1 source cited. Had no more than 5 citing errors in paper.
    Level 3 (2 points): All but 2 sources cited. Had no more than 10 citing errors in paper.
    Level 2 (1 point): All but 3 sources cited. Had fewer than 15 APA citing errors in paper.
    Level 1 (0 points): No sources cited or had more than 15 APA citing errors in paper.

Organization, Execution and Appearance

  Formatting
    Level 5 (8 points): Has separate title slide with title, student name, class and date. All slides have titles; not wordy and easy to read; no spelling or grammar errors; and no distracting material.
    Level 4 (6 points): Basic title slide with title, student name, class and date. Slides have fewer than 5 errors, including: missing titles; wordy or hard-to-read slides; spelling or grammar errors; distracting material.
    Level 3 (4 points): Weak title slide with title, student name, class and date. Slides have fewer than 10 errors, including: missing titles; wordy or hard-to-read slides; spelling or grammar errors; distracting material.
    Level 2 (2 points): Missing title slide with title, student name, class and date. Slides have fewer than 15 errors, including: missing titles; wordy or hard-to-read slides; spelling or grammar errors; distracting material.
    Level 1 (0 points): Missing title slide with title, student name, class and date. Slides have more than 15 errors, including: missing titles; wordy or hard-to-read slides; spelling or grammar errors; distracting material.

  Grammar and Punctuation
    Level 5 (2 points): Provides at least 12 PowerPoint slides.
    Level 4 (1 point): Provides at least 10 PowerPoint slides.
    Level 3 (0 points): Provides fewer than 10 PowerPoint slides.
    Level 2 (0 points): Provides fewer than 10 PowerPoint slides.
    Level 1 (0 points): Provides fewer than 10 PowerPoint slides.

Overall Score
    Level 5: 14 or more
    Level 4: 11 or more
    Level 3: 8 or more
    Level 2: 5 or more
    Level 1: 0 or more

Journal of Information Technology Education:
Innovations in Practice
Volume 11, 2012
Disaster at a University:
A Case Study in Information Security
Ramakrishna Ayyagari and Jonathan Tyks
University of Massachusetts-Boston, Boston, MA, USA
r.ayyagari@umb.edu; downtime6@gmail.co
Executive Summary
Security and disaster training is identified as a top Information Technology (IT) required skill that
needs to be taught in Information Systems (IS) curriculums. Accordingly, information security
and privacy have become core concepts in information system education. Providing IT security
on a shoestring budget is always difficult and many small universities are challenged with balancing cost and effectiveness. Many colleges and universities have additional security challenges,
such as relaxed working environments, less formalized policies and procedures, and employees
that “wear many hats.” Therefore, it is not surprising to note that the majority of data breaches since
2005 occur in educational settings. So, it is imperative that this segment (i.e., educational settings) be represented in classroom discussions to prepare future employees.
To this end, we present a case that addresses a data breach at a university caused by lax security
policies and includes an element of social engineering. The data breach at the university resulted
in a number of students’ losing personally identifiable information. The resulting aftermath
placed a significant financial burden on the university as it was not prepared to handle an information security disaster. This case can be used as a pedagogical tool as it uniquely captured a data
breach in a university setting. Readers of the case will identify that, at the management level, the
case raised a number of issues regarding the security culture at the university and the management of
the security function. The case also highlights the issues of lack of training and access control.
Keywords: Information Security, Disaster Recovery, Data Breach.
Material published as part of this publication, either on-line or in print, is copyrighted by the Informing Science Institute. Permission to make digital or paper copy of part or all of these works for personal or classroom use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage AND that copies 1) bear this notice in full and 2) give the full citation on the first page. It is permissible to abstract these works so long as credit is given. To copy in all other cases or to republish or to post on a server or to redistribute to lists requires specific permission and payment of a fee. Contact Publisher@InformingScience.org to request redistribution permission.
Editor: Uolevi Nikula
Information Security Disaster
Introduction
Security and disaster training is identified as the top IT required skill that needs to be taught in IS
curriculums (Kim, Hsu, & Stern, 2006). Accordingly, information security and privacy have become core concepts in information system education (Hentea, Dhillon, & Dhillon, 2006; Kroenke, 2012; Laudon & Laudon, 2010). Instructors have several approaches to teach security and
privacy concepts. One can take a more traditional lecture-based approach or a more hands-on approach that utilizes labs, case studies, etc. (Gregg, 2008). It is important to note that advances in
pedagogical research place emphasis on hands-on or active learning. Imparting knowledge based
solely on lectures is criticized as there is less opportunity for students to be actively engaged (Bok,
1986). Accordingly, active learning has gained prominence among educators and researchers
(Meyers & Jones, 1993). Students are eager and seek opportunities to apply their knowledge to
simulate realistic situations (Auster & Wylie, 2006). Research shows
that students find learning achieved through active participation to be more meaningful and valuable (Mitchell, 2004; Pariseau & Kezim, 2007; Wingfield & Black, 2005). One of the ways in
which students can be engaged is through case studies (Bradford & Peck, 1997; Shapiro, 1984;
Pariseau & Kezim, 2007). Case studies provide the students a unique opportunity to assume the
roles of participants in the cases (Richards, Gorman, Scherer, & Landel, 1995). This provides an
opportunity for students to reflect on their learning and apply it to crystallize their thoughts and
arguments. Students are put into situations that can be ambiguous and force students to make decisions dealing with uncertainties (Richards et al., 1995). In fact, a recent study about learning
preferences indicates that students place a high value on case studies (Goorha & Mohan, 2009).
Raising awareness regarding security issues faced by educational institutions is important because
the majority of reported breaches occur in educational settings. An analysis of all the data breaches from 2005 indicates that 21% of breaches occurred in academic settings, resulting in more than 8
million individual records being compromised (Privacy Rights Clearinghouse, 2011). It should be
noted that the ‘education’ industry has the largest number of breaches of any industry category, including medical, businesses, and government agencies (Privacy Rights Clearinghouse, 2011). Further, fundamental differences exist between academic and business settings. It is
common practice in businesses to protect trade secrets, intellectual property, etc. However, educational settings are based on values of information sharing. As Qayoumi and Woody (2005, page
8) point out, “…the concept of information security runs counter to the open culture of information sharing – a deeply held value in academe.” Therefore, it is important to raise awareness about
the severity of security issues facing university settings. However, a brief review of published
cases in prominent outlets reveals that typical cases are geared towards business settings as presented below.
Literature Review of Security Case Studies
Most of the prominent security case studies focus on how businesses deal with data breaches or
privacy issues. For example, McNulty (2007) discusses the impact of a data breach on customers
in a retail electronics setting. The case deals with issues of the best way to communicate the
breach with customers and, overall, forces the participants to consider disaster response strategy
before a disaster occurs. Similarly, Haggerty and Chandrasekhar (2008) highlight the events leading to, and the fallout from, a data breach at TJX. These cases highlight the enormous
amount of data that retailers generate and the onus on firms to protect the sensitive information.
Eisenmann’s (2009) case addresses the severity of growing dependence on technology in the
medical industry. The case setting is a hospital (medical industry) where the access to medical
records is denied, putting numerous lives at risk. As the hackers try to extort money, the case
raises ethical and legal questions and forces participants to make tough decisions.
Coutu (2007) raises ethical questions about the growing issue of lack of privacy in the networked
world. The case addresses whether the information found on the Internet about a person can become
a burden in advancing the person’s career. Ethical and privacy questions related to confidentiality
of data and data reuse in business settings are also raised (Davenport & Harris, 2007; Fusaro,
2004; Schenberger & Mark, 2001). Davenport and Harris (2007) present a case that deals with the
issue of data reuse. It is a common practice for businesses to share customer data with the businesses’ affiliates. The case in question asks at what stage the sharing of information becomes detrimental
to customers. In a similar vein, Fusaro’s (2004) case asks at what stage the data collected for
customization cross the boundary and become an invasion of privacy. DoubleClick’s profiling issues and breach of privacy are also well known (Schenberger & Mark, 2001). Complaints filed
with the Federal Trade Commission had a severe impact on the shares of DoubleClick and led to
the development of privacy policies (Schenberger & Mark, 2001).
86
Ayyagari & Tyks
As this review points out, security case studies generally focus on business settings even though
educational institutions experience a fair share of security incidents. We address this gap by first
presenting a case study of a security breach at a university. We conclude by providing discussion
points and the lessons learned from this case study.
Disaster at a University – A Case Study
Turn Key University (TKU) is a medium-sized public university located in Idaho. The institution
is situated on a beautiful 25-acre campus, just north of a major city. The University consists of
over 6,000 students mostly from the surrounding region. The institution is a liberal arts college
that offers over 30 undergraduate majors and a dozen graduate degrees. The school has a reputation for producing quality graduates for the surrounding community. The University is a major
employer in the area, providing jobs for over 900 employees.
Organization Hierarchy
The institution was organized as a typical university bureaucracy, with the President’s office
overseeing the Academic Affairs, Administrative Support Services, Human Resources, Finance,
and Information Technology divisions as shown in Figure 1. The IT, Finance, and Administrative
Support divisions are the primary focus of this case.
[Figure 1 (organization chart): the President’s Office over five divisions: Academic Affairs, Administrative Support Services, Finance, Human Resources, and Information Technology.]
Figure 1: TKU’s Organizational Hierarchy
As shown in Figure 2, the Information Technology division consisted of six departments — Institutional Projects, Media Services, Teaching Support, Computing Systems, Web Services, and
Network & Telecom. Each of these departments was managed by a Director who reported to the
Chief Information Officer (CIO). The Information Technology Division managed all aspects of
computing on the University campus. The IT division employed over 70 permanent members and
several temporary/student employees. The IT division required a large server farm to manage a
transaction management system and other systems. TKU centralized all server functions in the
Computing Systems department.
[Figure 2 (organization chart): the CIO over six Directors: Institutional Projects, Computing Systems, Media Services, Web Services, Teaching Support, and Network & Telecom.]
Figure 2: IT Division Hierarchy
Administrative Support Services supported the ancillary services offered by the college. Among
other things, this division managed relationships between the on-campus and off-campus vendors.
On-campus vendors include the post office, GoodFood (the student meal plan provider), CollegeBooks (the bookstore operator), and FastSnack (the snack machine provider). The snack machines were an important part of students’ life as many students relied on late night RedBull®
runs to make it through a last minute cram session. Off-campus vendors include restaurants, tanning parlors, and gas stations. Compared to the IT division, Administrative Support Services was
relatively small, with approximately one-fifth the number of personnel of the IT division.
The Finance Division was responsible for managing and reporting the financial state of the University. The division was made up of five departments: Financial Affairs, the Budget Office, Accounts Receivable, Accounts Payable, and Student Services. All financial information reporting
was overseen by the Financial Affairs department. Overall, the Finance division employed 30
permanent employees and several part-time members on a need basis.
System Description
Since 2000, TKU used a transaction management system for student meal plans. There were three
different meal plan tiers: a lower volume plan that was aimed towards commuters, a middle volume plan that was targeted for full time students who leave on the weekends, and a high volume
plan that was designed for students who eat all meals on campus. Out of the three plans, the middle volume plan was the most popular among students and responsible for the majority share of
the transactions.
In addition to the meal plans, the transaction management system handled virtual dollars. Virtual
dollars can be thought of as a prepaid credit card. At the beginning of the semester students were
given a balance based on their meal plan, and students drew down the balance by purchasing
items from vendors. Students and parents were also able to add additional funds on the card
through an online portal. Students paid for items using virtual dollars at a variety of vendors –
they spent it on books from the bookstore, stamps from the post office, drinks from the snack machines, and on food from neighborhood restaurants. Virtual dollars were a hit with students as
they enjoyed having the freedom and convenience to pick what they wanted, when they wanted.
The transaction management system was more than a way for students to purchase food; it was
also a profit center for the college. From a fiscal perspective, the system was able to generate annual profits of $600,000 for TKU. Most of the revenues were from commissions on sales to vendors. Due to corporate cultural issues (as discussed below), the control of the system spanned
across the IT, Administrative Support Services, and Finance divisions, although none of the divisions received commissions. All the money generated from the system went into a central fund
managed by the President’s Office.
History of the System: Reflection of Corporate Culture
The Transaction Management System (TMS) had been in place for over ten years at the writing
of this case and within that time frame it had changed hands multiple times. Initially the system
was handled by the Computing Systems department in the Information Technology Division. The
typical system administrator learned about the system on-the-job in an informal fashion, and there
was a lack of process or steps that could be reproduced when system administrators changed. Further, when the system was implemented, security was an afterthought and security responsibilities
played a minor role in system administrators’ job duties. As a result, the current state of the system was that (1) there was a lack of formal process in managing the system and (2) the system
was never secured. At the time of writing, the system was managed by two administrators – Gary
and Tom from the Computing Systems department. They had been in their roles for a little over a
year.
Although the TMS depended on multiple divisions (IT, Finance, etc.) for effective operation, the incentives in place were conducive to reinforcing the functional boundaries among various divisions (see Figure 1), thus resulting in friction among divisions. As the TMS grew in stature, the logical solution to reduce the political tensions among divisions was to split the system
responsibilities among the divisions. In this arrangement, IT continued to manage the servers with
Gary as the primary administrator and Tom as the backup. The Finance division took over the
administration and user access portion of the system. The responsibilities for system administrator fell on Don, who had some technical background and was seen as a ‘tech geek’ in the Finance
division. At the time of this case study, Don had been in the system administrator role for three
months. When Don inherited the system, he received no formal system administration or security
training and found that there were no formal policies or business rules in place. As he learned the
system, he realized it housed a large amount of personally identifiable information (PII). There
were student social security numbers (which acted as a student’s primary ID in the university system), addresses, phone numbers, birthdates and meal plan information.
The Security Structure: Technical Safeguards
The security structure was handled in two different ways. The first was by ensuring only authorized people had access to the system. The second was by viewing events in the log files. The system was set up in a typical hierarchical structure, comparable to Windows Active Directory.
There were user accounts that branched into user groups. People could access the system by logging in with a username and password, similar to how a person would access their home computer. When a user needed an account, the system administrator would assign a username and
password. Once a user had a username, the system administrator placed the user in the appropriate user group, which determined what functions the user could perform. The administrator group
had full permissions and consequently had free rein of the system. Among other things, the administrator could run reports, change meal plan settings, upload data and export data from the
system.
The next method of managing system security was through the log files. The transaction management system created system logs whenever an event occurred. This feature was very useful for
showing what happened within a system. The logging feature showed the time, the user group,
and the event that occurred. While the logs were useful, the primary drawback was that they only
showed what group created an event. As a result, events could only be seen at the group level.
This means if a user logged into the system and made a change and was a member of the administrator group, the log would only show that someone in that group made a change. It didn’t show
which user made the change.
The Issue: Data Breach
Early one morning, Don was ushered into a closed door meeting with the Chief Finance Officer,
the CIO, and an external security auditor he hadn’t met before. In the meeting Don learned that
a large amount of data, including the PII, had been exported from the system. The previous day Gary
was going through the logs to see if the patch he applied worked correctly, and he noticed that
someone in the administrator group had exported a large amount of data at an odd time. Gary reasoned that no one should be accessing the system at 2am, and he was concerned because a large
amount of data was exported. After bringing up the issue to management, it was decided that the
Finance division would investigate the issue. Therefore, the responsibility to figure out exactly
what happened fell on Don. He was asked to work with an auditor to find out exactly what happened. Don left the meeting feeling overwhelmed and disconcerted; he knew nothing about security practices and he wasn’t happy about working with the auditor. He had recently inherited the
system and didn’t know much about it. He did know that he had to find the source of the leak before more student information was lost and he knew his job might be on the line.
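The logging described in the preceding sections records only the time, the user group and the event, and the anomaly Gary spotted was a bulk export at 2am. The following is an added example, not code from the Ayyagari and Tyks case or from TKU's transaction management system: it parses constructed log lines in an assumed timestamp|group|event|detail format, flags exports that are both large and outside an assumed business-hours window, and shows that with only the group recorded, the most an investigator can conclude is the group's roster. The log format, sample lines, roster, thresholds and function names are all assumptions.

```python
"""Off-hours bulk-export detection over TMS-style event logs.

Added example; not from the Ayyagari & Tyks case or TKU's actual system.
The log format, field names and the sample lines below are constructed
to match the case's description: each record carries only a timestamp,
the user GROUP that acted, and the event. No user name is recorded.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines in an assumed "timestamp|group|event|detail" format.
SAMPLE_LOG = """\
2011-03-14 09:12:05|administrator|LOGIN|
2011-03-14 09:15:40|administrator|PATCH_APPLIED|tms-2.3.1
2011-03-14 14:02:11|reports|REPORT_RUN|meal_plan_summary
2011-03-15 02:07:33|administrator|DATA_EXPORT|rows=6412;fields=ssn,name,addr,dob
2011-03-15 08:30:02|reports|REPORT_RUN|daily_balances
2011-03-15 10:41:19|administrator|DATA_EXPORT|rows=120;fields=mealplan
"""

# Assumed group roster; the log itself never says which member acted.
GROUP_MEMBERS = {
    "administrator": ["gary", "tom", "don"],   # full-rights administrators
    "reports": ["asmith", "bjones"],
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed working window
BULK_ROW_THRESHOLD = 1000                     # assumed "large export" cutoff


@dataclass
class Event:
    ts: datetime
    group: str
    action: str
    detail: str


def parse_log(text):
    """Split each non-empty line into the four assumed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, group, action, detail = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            group, action, detail))
    return events


def export_rows(detail):
    """Pull rows=N out of the export detail string; 0 if absent."""
    for part in detail.split(";"):
        if part.startswith("rows="):
            return int(part[len("rows="):])
    return 0


def off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() <= end)


def find_suspicious_exports(events):
    """Exports that are both bulk-sized and outside business hours."""
    return [e for e in events
            if e.action == "DATA_EXPORT"
            and export_rows(e.detail) >= BULK_ROW_THRESHOLD
            and off_hours(e.ts)]


def possible_actors(event, members=GROUP_MEMBERS):
    """Group-level logging only narrows the actor to the group's roster."""
    return sorted(members.get(event.group, []))


if __name__ == "__main__":
    for hit in find_suspicious_exports(parse_log(SAMPLE_LOG)):
        print(f"{hit.ts} group={hit.group} {hit.detail}")
        print("  could be any of:", ", ".join(possible_actors(hit)))
```

The detection itself is a two-line filter; the point of the example is the last function. Because the record names a group rather than a user, the alert resolves to every member of the administrator group, which is exactly why the case's investigation had to fall back on interviews. Logging the individual account (and, ideally, the source address) alongside the group turns that roster into a single name.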
The Investigation: Lax Security Policies and Culture
The auditor decided to interview the users of each business unit. At a basic level, he wanted to
figure out if the leak was an internal job or if TKU had fallen victim to a hacker. So, he wanted to
see the different entry points through which a potential hacker could gain access to the system. Further, the
auditor felt it necessary to check the user account structure, the business rules, and department
norms. By doing this, the auditor felt confident that he could determine which user in the administrator group was responsible for the data leak, if it was an internal job. Throughout the investigation, Don was going to support the auditor and would provide the required information.
The auditor and Don started the audit process by going through the system. They checked the user accounts and found multiple points where a hacker could have entered the system. They found
over 50 orphan accounts, which are accounts that had been set up but never used. When an account is set up, the policy is for the system administrator to provide the same generic password.
Once a user logs into the system, they are prompted to enter a new password. Since none of these
accounts were used, all of the accounts had the same password. A hacker could have easily
cracked the generic password and gotten access to the system.
Another area of concern was with password complexity. The system didn’t require users to have
strong passwords. Passwords could be as short as three characters long and didn’t need to include
numbers or special characters. The passwords could be kept forever and most had never been
changed. With the current sophisticated password cracking programs available on the Internet,
hackers could break into the system in seconds. This seemed very likely as figuring out the system usernames was very easy. The usernames were based on the name of the user. The first letter
of the username was the first letter of the person’s first name. The last part of the username was
the person’s last name. For example, Gary Tolman’s username was gtolman. This type of username assignment is very common, but it can also pose a threat. Each employee’s name was listed
on the TKU website, so a hacker could easily find a username.
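The audit findings above (orphan accounts still on the shared initial password, passwords never rotated, and a policy allowing three-character passwords with no expiry) are all conditions that can be checked mechanically from a user-table export. The following is an added example, not code from the Ayyagari and Tyks case or from TKU's system: it audits constructed account records against assumed thresholds and compares a constructed password-policy configuration with an assumed baseline. The record fields, sample accounts, policy keys, thresholds and function names are all assumptions.

```python
"""Account-hygiene audit for a TMS-style user store.

Added example; not from the Ayyagari & Tyks case or TKU's real system.
The account records, the policy settings and the baseline values below
are constructed. It flags the three conditions the audit in the case
found: orphan accounts still holding the shared initial password,
passwords that were never rotated, and a password policy weaker than
a stated baseline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]   # None = never used
    pwd_last_set: date
    must_change_pwd: bool        # True = still on the admin-issued initial password


# Constructed sample of what an export of the user table might look like.
TODAY = date(2011, 3, 15)
ACCOUNTS = [
    Account("gtolman", date(2009, 6, 1), date(2011, 3, 14), date(2011, 1, 10), False),
    Account("dreyes",  date(2010, 12, 1), date(2011, 3, 12), date(2010, 12, 1), False),
    Account("jdoe",    date(2008, 9, 3), None, date(2008, 9, 3), True),    # orphan
    Account("asmith",  date(2010, 2, 2), date(2010, 2, 3), date(2010, 2, 2), False),
    Account("temp01",  date(2011, 1, 20), None, date(2011, 1, 20), True),  # orphan
]

# Constructed password policy "as found" versus an assumed baseline.
CURRENT_POLICY = {"min_length": 3, "require_digit": False,
                  "require_special": False, "max_age_days": None}
BASELINE = {"min_length": 12, "require_digit": True,
            "require_special": True, "max_age_days": 90}

ORPHAN_GRACE_DAYS = 30   # assumed: unused accounts older than this are flagged
MAX_PWD_AGE_DAYS = 90    # assumed: passwords older than this are stale


def audit_accounts(accounts, today=TODAY):
    """Return (username, finding) pairs for each hygiene problem found."""
    findings = []
    for a in accounts:
        if a.last_login is None and (today - a.created).days > ORPHAN_GRACE_DAYS:
            findings.append((a.username, "ORPHAN_NEVER_USED"))
        if a.must_change_pwd:
            findings.append((a.username, "INITIAL_PASSWORD_UNCHANGED"))
        if (today - a.pwd_last_set).days > MAX_PWD_AGE_DAYS:
            findings.append((a.username, "PASSWORD_STALE"))
    return findings


def audit_policy(policy, baseline=BASELINE):
    """List each way the configured policy falls short of the baseline."""
    gaps = []
    if policy["min_length"] < baseline["min_length"]:
        gaps.append(f"min_length {policy['min_length']} < {baseline['min_length']}")
    for flag in ("require_digit", "require_special"):
        if baseline[flag] and not policy[flag]:
            gaps.append(f"{flag} disabled")
    if policy["max_age_days"] is None:
        gaps.append("passwords never expire")
    elif policy["max_age_days"] > baseline["max_age_days"]:
        gaps.append(f"max_age_days {policy['max_age_days']} > {baseline['max_age_days']}")
    return gaps


def shared_initial_password_exposure(accounts):
    """Accounts still on the initial password all share one secret, so the
    compromise of any one of them exposes every account in this list."""
    return sorted(a.username for a in accounts if a.must_change_pwd)


if __name__ == "__main__":
    for username, finding in audit_accounts(ACCOUNTS):
        print(f"{username:10} {finding}")
    print("policy gaps:", "; ".join(audit_policy(CURRENT_POLICY)))
    print("shared-initial-password set:", shared_initial_password_exposure(ACCOUNTS))
```

The useful output is the last line: every account that has never completed its first login holds the same generic password, so the blast radius of that one secret is the whole list, not one account. Disabling or removing those accounts, issuing unique one-time initial passwords, and enforcing the baseline policy each shrink that list independently.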
Lastly, the system was accessed by a variety of users spread across the Information Technology, Finance, and Administrative Support divisions, so pinpointing the exact users would be difficult: anyone in these divisions could be the source of the leak. Don and the auditor didn't know how they were going to trace the culprit, but they knew they had a daunting task. They started by interviewing people in the three divisions. The Administrative Support Services division used the transaction system only to run reports, so its users had permission only to run reports. Don and the auditor found that more people than the approved users accessed the system: employees routinely gave their login information to student workers and temporary employees to run reports when they were busy or on vacation, sharing it on Post-it® notes, over the phone, and in email. The department had no rules explaining proper procedures, so employees thought these practices were acceptable and the norm.
Next, Don and the auditor interviewed people in the IT Division. They focused on the Computing Systems department, which handles the technical end of the transaction management system: managing the server, setting up off-campus merchants, maintaining on-campus connections, and troubleshooting networking issues. From an IT perspective, the transaction management system is a server with a simple front end that users log into and a database that holds the information. Don and the auditor found that there were no formalized policies or procedures detailing how to complete tasks; there were no business rules, and the department lacked consistency in its approach to managing the system. Three administrators in this department had full administrative rights, so they had complete access to the system, including the ability to add user permissions or initiate data exports. During the interview, Don and the auditor also learned that in the past, when IT handled information security, employees routinely gave out initial passwords in email or over the phone. There was only one clear written policy, and it was broken routinely: it stipulated that the Finance division was to extract the data required to run reports from the system, yet the IT division continued to extract data for the majority of users, because people preferred IT, which was quicker than Finance. Further, the auditor was informed that there had recently been a major upgrade to the campus infrastructure, during which outside contractors were on-site as technical advisors. The contractors were supposed to have been given only limited access, but by this point the auditor was not convinced that this had actually happened.
The following day, Don and the auditor looked at the Finance division, which handled system administration and access permissions for the system. The department also oversaw the functional components, such as crediting accounts if a student was charged incorrectly for an item, and used the system to run business intelligence reports. Don was the primary administrator for the system, so he had complete access to it: he could set up user accounts and export data, and it was his responsibility to ensure that the correct people had access to the system.
At this point, Don took a back seat and the auditor interviewed him. The auditor realized that Don didn't have much experience managing the system, and that he, too, gave out passwords to users through email or over the phone. The auditor also found that Don didn't require users to have strong passwords. Next, the auditor interviewed the accountants who used the system. They had only limited access: they could post transactions and transfer funds, but nothing to the extent of exporting data.
The Outcome: Victim of Social Engineering
Throughout the process, the auditor found countless examples of lax information security across the organization. There was no coordinated security policy, and the policies in place were not being followed. While reviewing the notes, the auditor noticed that a contractor had requested the TMS server address over the phone. Follow-up revealed that a system administrator gave the server address to the contractor because the contractors were in the middle of upgrading servers. The administrator also mentioned that the contractor had asked for the password; the administrator didn't feel comfortable sharing the password over the phone and asked the contractor to stop by the office, but the contractor was a no-show. From the description of the events, the auditor felt it was a social engineering attempt. Social engineering is when a hacker attempts to gain access to sensitive information by tricking a person into giving it to them. The auditor's immediate recommendation was to focus on the contractor's activity in the organization.
Information Security Disaster
Over the next few weeks the story unfolded and the pieces of the puzzle were put together. It was eventually proven that the contractor had stolen the information. She had been hired to oversee the upgrade of servers on the storage network, and while doing so she learned about the transaction management system. She knew PII could be sold on the black market and thought the lax security at TKU would let her steal data without repercussions. Her only obstacle was access: since she had access only to the storage network, she needed a way to reach the transaction management server. That is why she called the system administrator, obtained the IP address, and tried to get his login credentials. With the IP address, she used free tools available on the Internet to scan the system and recover a username and password with administrative access. It took her only a matter of minutes: the password was only three characters long and used no numbers or special characters. With her new administrative permissions, she exported the PII.
The Aftermath
TKU was very lucky with the outcome of the data breach: only five hundred students had their information compromised. While any loss of PII is unfortunate, high-profile data breaches such as the one at TJX show how losing large amounts of data can be very costly to an institution. Like many businesses, the university attempted to keep the breach quiet, but the information was eventually released. Fear of student backlash and the need to comply with privacy breach laws forced the university to inform the campus community. Students were initially very angry and felt they could not trust the university with their private data. To help restore student morale, the president offered the victims reduced tuition for a semester and a year of paid credit monitoring. The university's generous response helped calm the protests, but it came at a price: TKU estimated the tangible costs of the breach at over $600,000. TKU will never know how the breach affected the university's reputation.
Discussion
This case is presented in an educational setting and raises numerous issues that deserve attention. People, process, and technology are identified as the essential pillars of good security practice (Merkow & Breithaupt, 2005), and the case can be analyzed from this perspective. The main lessons learned are presented in Table 1, which lists the security themes, the practices supported by the literature, and the suggested improvements.
One of the main recurring themes in the case is lax security policy. Strong leadership is needed to develop a security program that changes the organization's security culture so that secure behaviors become second nature to employees (Thomson, von Solms, & Louw, 2006). Developing a security program can be challenging, and the biggest challenge management faces is justifying the cost; this shouldn't act as a deterrent, however, because with proper planning the program can be developed on a shoestring budget (Sridhar & Bhasker, 2003). TKU can significantly improve its security culture and strengthen its security efforts by appointing a chief security officer (Lowendahl, Zastrocky, & Harris, 2006). Having a dedicated figurehead for security can also alleviate some of the tensions between departments when dealing with security incidents. Throughout this process, management should realize that 'complete security' is a myth and that the university needs to be constantly prepared (Austin & Darby, 2003).
Table 1: Lessons learned (for each security theme: practices supported from the literature, and suggested improvements)

Top Management Support
  Practices supported from literature: Top management support is necessary to dedicate resources, create policies, and establish culture and norms (Lowendahl et al., 2006; Panko, 2009; Thomson et al., 2006).
  Suggested improvements: The lack of a security figurehead is a major drawback; the university should consider appointing a chief security officer. Constant communication is needed to change the security culture.

Access Control
  Practices supported from literature: Strong access control (password) policies need to be implemented (Merkow & Breithaupt, 2005; Scarfone & Souppaya, 2009). Access should be based on the principle of least privilege needed to accomplish an individual's task. The cases of sharing passwords, giving them out over the phone, and writing them down are clear violations of access control best practices.
  Suggested improvements: Access control policies need to be formalized. Since policies are good only to the degree they are enforced, violations should result in some disciplinary action; this would also enhance the security culture.

Training / Awareness
  Practices supported from literature: As the security landscape changes constantly, so does the need to retool employees with the latest training (Hentea, 2005; Wilson & Hash, 2003). For example, training programs that are a few years old would not have covered social networking sites.
  Suggested improvements: Employees need to be constantly reminded that they are an integral part of security. The training program needs to be implemented and constantly reviewed to keep up with changes.
TKU should invest significant resources in raising awareness among its users. In a study of security practices in university settings, Caruso (2003) reports that the greatest barriers to security are availability of resources and awareness; to achieve effective security, the focus should often be on humans rather than on technology itself (Caruso, 2003). Hentea et al. (2006) report that "User awareness and education are the most critical elements because many successful security intrusions come from simple variations of the basics: social engineering and user complacency" (page 228). Therefore, TKU should also ensure that proper training is provided to all employees so that they become aware of security threats. Ideally, this training program should be recurrent, as new threats arise continuously (Medlin & Romaniello, 2007). It is recommended that employees take security training and then keep up to date with a refresher course once a year. Further, employees responsible for sensitive information need to be properly trained in regulatory compliance. Proper training in social engineering, for example, could have given employees the tools to identify this type of attack and could probably have prevented TKU's breach. As Mitnick (2003) argues, the weakest link in the security chain is not technological but human; he gives simple examples of how, even with sound technical defenses, an attacker can gain the upper hand through social engineering. Such training can bolster the workforce and make employees cognizant and cautious in their approach to security.
Another place in which process and technology need to improve is access control. TKU currently has a very weak password policy, and it should be improved; however, the password issues TKU faces are not uncommon. In a study of health care workers, the passwords used to protect sensitive patient information were found to have significant problems (Medlin & Romaniello, 2007); for example, some users had the same or similar passwords as their usernames. Another study of actual e-commerce passwords revealed that one-third of users chose very weak passwords that could be cracked in less than a minute (Cazier & Medlin, 2006). A recent study of users' password practices likewise found that users don't use strong passwords (Barra, McLeod, Savage, & Simkin, 2010). A typical strong password consists of alphanumeric characters (upper and lowercase) and symbols, and is at least 8 characters long. Studies have also revealed that individuals (especially in university settings) are willing to give away their own and their friends' passwords for token gifts (Smith, 2004). Given the difficulty of remembering passwords and the simplicity of the passwords people choose, it is proposed that users develop and use passphrases to improve password security (Keith, Shao, & Steinbart, 2009). Users should also be discouraged from sharing or mailing passwords, and the principle of 'least privilege' required to perform a job should be adopted (Merkow & Breithaupt, 2005). Further, in keeping with industry standards, TKU should consider moving away from using social security numbers for identification.
Conclusion
This paper began by discussing the importance of case studies as a pedagogical approach. It noted that the majority of data breaches since 2005 have occurred in educational institutions; it is therefore important to address this segment so that appropriate protections are in place. To this end, Gartner research recommends the use of case studies in educational settings to improve security (Lowendahl et al., 2006). Accordingly, the case presented here deals with a data breach at a university: the events leading up to the breach and the subsequent analysis are presented. In conclusion, the case demonstrates the security problems and proposes possible solutions in an educational setting.
References
Auster, E. R., & Wylie, K. K. (2006). Creating active learning in the classroom: A Systematic Approach.
Journal of Management Education, 30(3), 333-353.
Austin, R. D., & Darby, C. A. R. (2003). The myth of secure computing. Harvard Business Review, June,
120-126.
Barra, R., McLeod, A., Savage, A., & Simkin, M.G. (2010). Passwords: Do user preferences and website
protocols differ from theory? Journal of Information Privacy and Security, 6(4), 50-69.
Bok, D. (1986). Higher learning. Cambridge: Harvard Business Press.
Bradford, B. M., & Peck, M. W. (1997). Achieving AECC outcomes through the seven principles for good
practice in undergraduate education. Journal of Education for Business, 72, 364-368.
Caruso, J. B. (2003). Information technology security: Governance, strategy, and practice in higher education. ECAR, 1-7.
Cazier, J. A., & Medlin, B. D. (2006). How secure is your password? An analysis of e-commerce passwords and their crack time. Journal of Information Systems Security, 2(3), 69-82.
Coutu, D. (2007). We googled you. Harvard Business Review, 2007, 37-42.
Davenport, T. H., & Harris, J. G. (2007). The dark side of customer analytics. Harvard Business Review,
May, 37–41.
Eisenmann, C. (2009). When hackers turn to blackmail. Harvard Business Review, October, 39–42.
Fusaro, R. A. (2004). None of our business? Harvard Business Review, December, 33–38.
Goorha, P., & Mohan, V. (2009). Understanding learning preferences in the business school curriculum.
Journal of Education for Business, 85(3), 145-152.
Gregg, M. (2008). Build your own security lab: A field guide to network testing. Indianapolis: Wiley.
Haggerty, N. R. D., & Chandrasekhar, R. (2008). Security breach at TJX. Ivey Publishing, 9B08E003.
Hentea, M. (2005). A perspective on achieving information security awareness. Issues in Informing Science
and Information Technology, 2, 169-178.
Hentea, M., Dhillon, H.S., & Dhillon M. (2006). Towards changes in information security education. Journal of Information Technology Education, 5, 221-233. Retrieved from
http://www.jite.org/documents/Vol5/v5p221-233Hentea148.pdf
Keith, M., Shao, B., & Steinbart, P. (2009). A behavioral analysis of passphrase design and effectiveness.
Journal of the Association for Information Systems, 10(2), 63-89.
Kim, Y., Hsu, J., & Stern, M. (2006). An update on the IS/IT Skills gap. Journal of Information Systems
Education, 17(4), 395-402.
Kroenke, D. M. (2012). Using MIS. New Jersey: Prentice Hall.
Laudon, K., & Laudon, J. (2010). Management information systems. New Jersey: Prentice Hall.
Lowendahl, J-M., Zastrocky, M., & Harris, M. (2006). Best practices for justifying and allocating higher-education security resources. Gartner Research, G00137454.
McNulty, E. (2007). Boss, I think someone stole our customer data. Harvard Business Review, September,
37-42.
Medlin, B. D. & Romaniello, A. (2007). An investigative study: Health care workers as security threat suppliers. Journal of Information Privacy and Security, 3(1), 30-46.
Merkow, M., & Breithaupt, J. (2005). Information security: Principles and practices. New Jersey: Prentice
Hall.
Meyers, C., & Jones, T. (1993). Promoting active learning: Strategies for the college classroom. San Francisco: Jossey-Bass.
Mitchell, R. C. (2004). Combining cases and computer simulations in strategic management courses. Journal of Education for Business, 79(4), 198-204.
Mitnick, K. D. (2003). Are you the weak link? Harvard Business Review, April, 18–20.
Panko, R. P. (2009). Corporate computer and network security. New Jersey: Prentice Hall.
Pariseau, S. E., & Kezim, B. (2007). The effect of using case studies in business statistics. Journal of Education for Business, 83(1), 27-31.
Privacy Rights Clearinghouse. (2011). http://www.privacyrights.org Retrieved August 18, 2011.
Qayoumi, M. H., & Woody, C. (2005). Addressing information security risk. EDUCAUSE Quarterly,
28(4), 7-11.
Richards, L. G., Gorman, M., Scherer, W. T., & Landel, R. D. (1995). Promoting active learning with cases
and instructional modules. Journal of Engineering Education, 84(4), 375-381.
Scarfone, K., & Souppaya, M. (2009). Guide to enterprise password management. NIST Special Publication 800-118.
Schenberger, S., & Mark, K. (2001). DoubleClick Inc.: Gathering customer intelligence. Ivey Publishing,
9B01E005.
Shapiro, B. P. (1984). An introduction to cases. Harvard Business School Note, 9-584-097.
Smith, S. W. (2004). Probing end-user IT security practices – through homework. Educause Quarterly,
27(4), 68-71.
Sridhar, V., & Bhasker, B. (2003). Managing information security on a shoestring budget. Annals of Cases
on Information Technology, 5, 151-167.
Thomson, K-L., von Solms, R., & Louw, L. (2006). Cultivating an organizational information security culture. Computer Fraud & Security, 10, 7-11.
Wilson, M., & Hash, J. (2003). Building an information technology security awareness and training program. NIST Special Publication 800-50.
Wingfield, S. S., & Black, G. S. (2005). Active versus passive course designs: The impact on student outcomes. Journal of Education for Business, 81(2), 119-123.
Biographies
Dr. Ramakrishna Ayyagari is an Assistant Professor in Information
Systems at the University of Massachusetts at Boston. He earned his
doctorate in management from Clemson University. His work has been
published or forthcoming in outlets such as MIS Quarterly, European
Journal of Information Systems, Journal of the AIS, Decision Sciences,
and the proceedings of various conferences.
Jonathan Tyks has been employed in the Information Technology
field for over ten years. He holds a bachelor’s degree in Management
Information Systems from Bridgewater State University and an MBA
from The University of Massachusetts at Boston. He currently resides
in Boston, MA.
Running Head: SECURITY GAP ANALYSIS
Security Gap Analysis
Allen Pinckney
Festus Onyegbula, D.Sc, MBA, MS
CSIA 485
November 6, 2016
SECURITY GAPS ANALYSIS
Information security is fundamentally the responsibility of every stakeholder within the organization. As technology advances, organizations rely on it more heavily in their operations than in the past, while information security threats arrive with unparalleled speed and complexity. Security gaps exist when the organization has not established appropriate policies and guidelines to protect its critical information, when its security architecture has not kept pace with current technology, and when it lacks adequate training programs and competent staff to provide its services and conduct its operations (Bernard, 2007).
Establishing and maintaining an information security program follows three steps: evaluate and measure the current program, identify and implement the necessary improvements, and manage the continuing process. The organization's security issues need immediate action. Connecting tactical organizational objectives with information security needs, and recognizing the organization's particular security challenges and opportunities, will facilitate a security program aimed at safeguarding the organization's resources from unauthorized access.
Numerous security gaps are identified in this case study. For instance, the data recovery and business continuity plans were not fully implemented across all facilities within the organization. Further, evaluation of the network indicated some redundancies implemented at the network perimeter, policies that were not kept up to date or adjusted as the organization expanded its base and operations, and a gap in security levels (LeVeque, 2005): the security level is inconsistent with the kind of data being stored. The case study also revealed instances of data being stored by employees in a manner that is unacceptable under the established standards for safe record keeping, and inadequate staff training programs; for example, the employees lack skills in dealing with Data Recovery/Business Continuity plans.
An organization's security strategy is designed to safeguard the availability, integrity and confidentiality of its information. The strategy provides an organized approach to dealing with any disaster or security breach within the organization. Information is at constant risk from diverse sources, such as errors committed by users and malicious and non-malicious attacks, which can give attackers a chance to gain access to the system, interrupt services, freeze the system or steal data from the target company (Gupta & Shukla, 2016).
The security strategy involves three key elements: confidentiality, which safeguards information in the system from unauthorized disclosure; integrity, which protects information from unauthorized, unanticipated or unintentional alteration; and availability, which means that information within the organization is made available on a timely basis in order to accomplish the organization's mission and avoid potential losses.
The risk assessment report indicates that the organization's record-keeping procedures, policies and facilities are not well established. For instance, in some processing facilities the data tapes were stored in the operations manager's facilities. This not only leaves the records vulnerable but also calls their credibility into question. To counter this, a facility or system should be established for the safe keeping of records and their easy retrieval, and policies should be in place defining the access procedure and access levels for system information. This will enhance the security, integrity and availability of the records (Patra & Rao, 2016).
Network and system security architecture is another crucial strategy. It aims to minimize data loss and enhance the safety of system and network services. The methodology provides the capability to isolate the organization's resources according to their data, how critical they are, and their functionality, with suitable controls applied at each level to mitigate the risks linked to those assets. The strategy benefits the organization by improving the safety of data and networks through methodical controls that implement the policies, by identifying high-risk areas so that security resources can be channeled to protect the most crucial resources, and by offering a defense system that facilitates the prevention and detection of imminent attacks.
Information security awareness training programs
This strategy aims to enhance the security of the network, because information security involves not just technology but also the people who use the system. It initiates programs to educate employees on their responsibilities for safeguarding the organization's information in their hands, and it proposes establishing diverse information-sharing platforms to facilitate communication within the organization. Its core benefit is creating awareness of security threats to the organization and their consequences for its information systems. In the end, security incidents will fall considerably and all employees will share a common understanding of the information systems they handle (LeVeque, 2005).
Identity and access control strategy
This approach is capable of managing the organization's vast resources. It offers authentication and authorization services to all information system facilities and connects all departments within the organization, which enhances collaboration across departments. It also encompasses the procedures and policies that ensure the approach evolves as technology and the organization's needs demand. The organization benefits in numerous ways: for example, improved security through uniform and continuous access control procedures, and a reduced potential for security breaches and for penalties due to non-compliance with federal rules and regulations.
Business continuity and disaster recovery strategy
This approach establishes and tests plans to make sure that all systems within the organization remain functional and accessible at all times. It benefits the organization by enabling it to continue offering essential services in the event of a disaster or emergency, and by ensuring that services to clients are recovered within the shortest possible time frame (Bernard, 2007).
For most information systems, the choice of password is crucial in protecting information against hackers and other unauthorized access. The idea is to generate passwords that are difficult to guess and crack: to be strong, they should be long and random rather than dictionary words, which are easy to guess. Individuals charged with responsibility for the organization's security should have passwords that expire after a short time. In the case study, passwords will limit access to system facilities within the organization and will also set access levels, so that crucial resources are protected against deliberate malicious attacks.
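Both the case-study discussion earlier on this page (a strong password has at least 8 characters drawn from upper- and lowercase letters, digits and symbols, or is a multi-word passphrase) and the recommendation just above (long, random passwords) can be expressed as a small policy check, together with a keyspace estimate that shows why the contractor's three-character administrative password fell in minutes. The Python below is an added example, not code from either paper; the passphrase thresholds and the assumed rate of 10^9 guesses per second are illustrative assumptions, and the keyspace figure is an upper bound for an attacker who already knows the password's length and character classes (a dictionary attack on a common word finishes far sooner).

```python
"""Password-policy check, keyspace estimate and random generation.

Added example, not code from either paper.  It encodes the 'typical strong
password' the case-study discussion describes (at least 8 characters,
upper- and lower-case letters, digits and symbols), the passphrase
alternative it cites, and the gap analysis's call for long, random
passwords.  GUESSES_PER_SECOND and the passphrase thresholds are
assumptions chosen for illustration, not measured or mandated values.
"""
import secrets
import string

MIN_LENGTH = 8
PASSPHRASE_MIN_WORDS = 4        # assumption
PASSPHRASE_MIN_LENGTH = 15      # assumption
GUESSES_PER_SECOND = 1e9        # assumption: one GPU-class offline cracker

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation)}


def character_classes(pw: str) -> set:
    """Which of the four character classes the password draws on."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")     # punctuation, space, anything else
    return classes


def is_strong_password(pw: str) -> bool:
    """Complex password: at least MIN_LENGTH characters from all four classes."""
    return len(pw) >= MIN_LENGTH and len(character_classes(pw)) == 4


def is_passphrase(pw: str) -> bool:
    """Passphrase alternative: several words and long overall, no class rule."""
    return (len(pw.split()) >= PASSPHRASE_MIN_WORDS
            and len(pw) >= PASSPHRASE_MIN_LENGTH)


def password_acceptable(pw: str) -> bool:
    return is_strong_password(pw) or is_passphrase(pw)


def keyspace(pw: str) -> float:
    """Guesses needed to exhaust the space, for an attacker who already
    knows the length and which classes were used (an upper bound)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return float(alphabet ** len(pw))


def seconds_to_exhaust(pw: str) -> float:
    return keyspace(pw) / GUESSES_PER_SECOND


def generate_password(length: int = 16) -> str:
    """Random password drawn from all printable classes; retried until it
    satisfies is_strong_password, which almost always succeeds on the
    first draw at these lengths."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong_password(pw):
            return pw


if __name__ == "__main__":
    # Constructed samples: the case's three-character style, a dictionary
    # word, a complex password and a passphrase.
    for pw in ["abc", "password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: acceptable={password_acceptable(pw)}, "
              f"exhaust={seconds_to_exhaust(pw):.3g} s")
    print("generated:", generate_password())
```

For a three-character lowercase password the keyspace is 26^3 = 17,576 guesses, which even a tool running thousands of times slower than the assumed rate exhausts in minutes; the point of the length and class requirements, or of a passphrase, is to push the same calculation into years.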
Encryption is another crucial security solution
It is essential to include some form of encryption in programs, computers and data; this is ideal when handling critical information in the organization. The approach aims to ensure that only the intended recipient has access to information transmitted over the company's networks. It promotes both confidentiality and integrity, since it is difficult to break the encryption in order to modify the information. In addition to the solutions above, the organization should also perform penetration testing on a regular basis to check the safety of its networks (Ahmad, Maynard & Shanks, 2015).
The consultation and evaluation process is the basis for discovering the organization's security weaknesses and needs. It is estimated to take up to four months to cover all departments comprehensively and to document the findings and the intended changes to the security infrastructure. The next step is establishing a security training and awareness program, intended to keep employees updated on password management practices, on steady communication between management and other staff members, and on effective ways of managing information and other resources within the organization. This phase is estimated to take up to three months but is designed to be repeated quarterly or annually to keep employees updated on technological advances (Ahmad, Maynard & Shanks, 2015). The estimated cost of encryption is $232 per user per annum; the cost of training programs will depend on the number of staff and the amenities available in the organization.
Create Role-Based Access Control and implement system logging
Role-based access control, combined with system logging, manages the granting or denial of access to the organization's network according to the access levels and job categories of employees. This prevents individuals from accessing files or information they are not supposed to access.
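As an added illustration (not part of this analysis or of the case study it draws on), the following Python sketches a role-based access control check in which every decision, denials included, is written to a log. The roles mirror the divisions in the TKU case: report-only users, accountants who may post transactions and transfer funds, and a system administrator who alone may create accounts or export data. The usernames and the scenario in demo() are constructed.

```python
"""Role-based access control with a decision log.

Added example, not part of the gap analysis or the case study.  The roles
and rights mirror the TKU case: Administrative Support runs reports only,
accountants post transactions and transfer funds, and only the system
administrator may create accounts or export data.  Usernames and the
scenario in demo() are constructed; log lines are kept in memory here
where a deployment would forward them to a central log server.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Least privilege: each role gets only the actions its job requires.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "report_runner": {"run_report"},
    "accountant":    {"run_report", "post_transaction", "transfer_funds"},
    "sysadmin":      {"run_report", "post_transaction", "transfer_funds",
                      "create_account", "export_data"},
}


@dataclass
class AccessControl:
    assignments: Dict[str, str]                  # username -> role
    log: List[str] = field(default_factory=list)

    def is_allowed(self, user: str, action: str) -> bool:
        role = self.assignments.get(user)        # unknown user: no role, deny
        return action in ROLE_PERMISSIONS.get(role, set())

    def authorize(self, user: str, action: str) -> bool:
        """Decide and record every decision, denials included; the log is
        what lets an auditor see who tried to export data, and when."""
        allowed = self.is_allowed(user, action)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{stamp} user={user} action={action} "
                        f"result={'ALLOW' if allowed else 'DENY'}")
        return allowed

    def denied_attempts(self, action: str) -> List[str]:
        """Log lines for refused attempts at one action (e.g. export_data)."""
        return [line for line in self.log
                if f"action={action} result=DENY" in line]


def demo() -> AccessControl:
    """Constructed scenario.  The student worker has an account of their own
    with the report-only role instead of a borrowed employee login, so the
    log names the real actor and the role bounds what they can do."""
    ac = AccessControl({"gtolman": "sysadmin",
                        "kdoe": "accountant",
                        "student_worker": "report_runner"})
    ac.authorize("student_worker", "run_report")    # ALLOW
    ac.authorize("student_worker", "export_data")   # DENY
    ac.authorize("kdoe", "transfer_funds")          # ALLOW
    ac.authorize("kdoe", "export_data")             # DENY
    ac.authorize("contractor", "export_data")       # DENY: no account at all
    ac.authorize("gtolman", "export_data")          # ALLOW, and on record
    return ac


if __name__ == "__main__":
    print("\n".join(demo().log))
```

Two design points matter more than the data structure: the default for an unknown user or unknown role is deny, and the denied attempts are logged alongside the allowed ones, because a burst of refused export_data requests from one account is the earliest signal an auditor would have had in the TKU case.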
Establish secure remote access approaches
This adds convenience for users of the systems in accessing resources. The channel is secure because it carries information in encrypted form, ensuring the safety of information in transit.
References
Ahmad, A., Maynard, S. B., & Shanks, G. (2015). A case analysis of information systems and
security incident responses. International Journal of Information Management, 35(6),
717-723
Bernard, R. (2007). Information Lifecycle Security Risk Assessment: A tool for closing security
gaps. Computers & Security, 26(1), 26-30
Gupta, K., & Shukla, S. (2016, February). Internet of Things: Security challenges for next generation networks. In Innovation and Challenges in Cyber Security (ICICCS-INBUSH), 2016 International Conference on (pp. 315-318). IEEE.
LeVeque, V. (2005). Information Security Strategic Planning. John Wiley & Sons.
Patra, L., & Rao, U. P. (2016, October). Internet of Things—Architecture, applications, security
and other major challenges. In Computing for Sustainable Global Development
(INDIACom), 2016 3rd International Conference on (pp. 1201-1206). IEEE.
UC, N. A., Basso, T., Matsunaga, R., UC, P. S., Moraes, R., UC, M. V., & Level, D. (2016). D6.1: Requirements and Coordinated Security Strategy.
Running Head: SECURITY GAP ANALYSIS
1
SECURITY GAP ANALYSIS
2
SECURITY GAPS ANALYSIS
Information security of the organization basically is the responsibility of every
stakeholder within the organization. With the advancement in technology organizations are
relying more on technology in their operations than in the past. At the same time information
security threats are seeming occurring with unparalleled speed and complexity. The security gaps
in organization exist when the organization has not established appropriate policies and
guidelines in protecting
organization’s critical information, the organization’s security
architecture is not in line with the current technological advancement and inadequate training
programs and competitive staff in providing services and conducting its operations (Bernard,
2007).
Establishing and maintaining an information security program follows three steps: first, evaluate and measure the current program; second, identify and implement the necessary improvements; and finally, manage the ongoing process. The organization's security issues need immediate action. Linking the organization's tactical objectives to its information security needs, and identifying its specific security challenges and opportunities, will make it possible to establish a security program that safeguards the organization's resources from unauthorized access.
Numerous security gaps are identified in this case study. For instance, the data recovery and business continuity plans were not fully implemented across all facilities within the organization. Further, the evaluation of the network indicates some redundancies implemented at the network perimeter, policies that were not kept up to date or adjusted as the organization expanded its base and operations, and a gap in security levels (LeVeque, 2005). The security level is inconsistent with the kind of data being stored. The case study also revealed instances of data being kept by individual employees, a practice that is unacceptable under the established standards of safe record keeping, and inadequate staff training programs; for example, the employees lack some of the skills needed to work with the Data Recovery/Business Continuity plans.
An organization's security strategy is designed to safeguard the availability, integrity and confidentiality of its information. The strategy provides an organized approach to dealing with any disaster or security breach within the organization. The organization's information is at constant risk from diverse sources, such as user errors and malicious or non-malicious actions, which can give attackers a chance to gain access to the system, interrupt services, freeze the system or steal data from the target company (Gupta & Shukla, 2016).
The security strategy involves three key elements: confidentiality, which safeguards information in the system from unauthorized disclosure; integrity, which protects information from unauthorized, unanticipated or unintentional alteration; and availability, which requires that the organization's information be available in a timely manner in order to accomplish the organization's missions and avoid potential losses.
The risk assessment report indicates that the organization's record-keeping procedures, policies and facilities are not well established. For instance, in some processing facilities the data tapes were stored in the operational manager's facilities. This not only leaves the records vulnerable but also calls their credibility into question. To counter this, a facility or system ought to be developed for the safe keeping and easy retrieval of the records. Policies should be in place defining the access procedure and the access levels to system information. This will enhance the security, integrity and availability of the records (Patra & Rao, 2016).
Network and system security architecture is another crucial strategy. It aims to minimize data loss and to enhance the security of the system and network services. This methodology provides the capability to isolate the organization's resources according to the data they hold, how critical they are and their function. Suitable controls will be employed at every level to mitigate the risks linked to the assets. This strategy benefits the organization in several ways: it improves the security of data and networks by applying systematic controls that implement the policies; it provides the capability to identify high-risk areas and channel security resources to protect the organization's most crucial assets; and it offers a defense system that facilitates prevention and detection of imminent attacks.
Information security awareness training programs
This strategy aims to enhance the security of the network, because information security involves not just technology but also the people who use the system. The strategy initiates programs that educate employees on their responsibilities for safeguarding the organization's information in their hands. It also proposes establishing diverse information-sharing platforms to facilitate communication within the organization. Its core benefit is that it creates awareness of security threats to the organization and their consequences for information systems. In the end, security incidents will be reduced considerably and all employees will have a common understanding of the information systems they handle (LeVeque, 2005).
Identity and access control strategy
This approach is capable of managing the vast resources of the organization. It will offer authentication and authorization services to all information system facilities and connect all departments within the organization, which will enhance collaboration between departments. The strategy will also encompass procedures and policies that ensure the approach evolves as technology and the organization's needs demand. It benefits the organization in numerous ways: for example, improved security through uniform and continuous access control procedures, and a reduced potential for security breaches and for penalties due to non-compliance with federal rules and regulations.
Business continuity and disaster recovery strategy
This approach establishes and implements test plans to make sure that all systems within the organization remain functional and accessible at all times. It benefits the organization by enabling it to continue offering essential services in the event of a disaster or emergency, and it ensures that the organization can restore services to its clients within the shortest possible time frame (Bernard, 2007).
For most information systems, the choice of passwords is crucial to protecting information against hackers and other unauthorized access. The idea is to generate passwords that are difficult to guess and to crack. To make passwords strong, they should be long and random rather than dictionary words, which are easy to guess. Individuals charged with the security of the organization should have passwords that expire within a short time, to further enhance security. In the case study, passwords will limit access to the system facilities within the organization and will also set access levels, so that crucial resources are protected against deliberate malicious attacks.
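As an added example (not part of the original paper), the password policy just described can be expressed in code: a password is generated from a cryptographically secure random source rather than chosen from words, its guessing entropy is computed from length and alphabet size, and the expiry rule is checked against the date the password was set. The minimum length (16 characters), the minimum number of character classes (3) and the rotation period (90 days) are assumed values for illustration, not figures from the case study.

```python
import math
import secrets
import string
from datetime import datetime, timedelta

# Policy values assumed for this example (not from the case study).
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 16        # long enough that exhaustive guessing is impractical
MIN_CLASSES = 3        # of lower, upper, digit, punctuation: at least three
MAX_AGE_DAYS = 90      # rotation period for security staff passwords

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def classes_used(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(1 for cls in CHAR_CLASSES if any(ch in cls for ch in password))


def meets_policy(password: str) -> bool:
    """Reject anything short or drawn from too few character classes
    (a single dictionary word fails both tests)."""
    return len(password) >= MIN_LENGTH and classes_used(password) >= MIN_CLASSES


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw characters uniformly from ALPHABET with the OS CSPRNG (secrets),
    retrying the rare draw that happens to miss a character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet).
    16 characters over 94 symbols give about 104.9 bits."""
    return length * math.log2(alphabet_size)


def password_expired(set_on: str, now: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when a password set on `set_on` (ISO date) has reached the rotation
    age at `now`. Dates are strings so the check is easy to drive from a user
    record or a log line."""
    age = datetime.fromisoformat(now) - datetime.fromisoformat(set_on)
    return age >= timedelta(days=max_age_days)


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw!r} ({entropy_bits(len(pw)):.1f} bits)")
    # 2024-01-01 to 2024-04-15 is 105 days, past the 90-day rotation period
    print("expired:", password_expired("2024-01-01", "2024-04-15"))  # True
```

The entropy figure is what makes "long and random" measurable: every extra character adds about 6.6 bits over this alphabet, whereas a dictionary word of the same length adds far less because the attacker guesses words, not characters.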
Encryption is another crucial security solution
It is essential to include some form of encryption in programs, computers and data, particularly when handling the organization's critical information. The aim is to ensure that only the intended recipient has access to information transmitted over the company networks. Encryption promotes the confidentiality and integrity of information, since it is difficult to break the encryption in order to modify the information. In addition to the solutions mentioned above, the organization should also perform penetration testing on a regular basis to check the security of its networks (Ahmad, Maynard & Shanks, 2015).
The consultation and evaluation process is the basis for discovering the organization's security weaknesses and needs. This process is estimated to take up to four months to cover all departments comprehensively and to document the findings and the intended changes to the security infrastructure. The next step is establishing a security training and awareness program, intended to keep employees updated on password management practices, on steady communication between management and other staff members, and on effective ways of managing information and other resources within the organization. This phase is estimated to take up to three months, but it is designed to be repeated on a quarterly or annual basis to keep employees updated on technological advancements (Ahmad, Maynard & Shanks, 2015). The estimated cost of encryption is $232 per user per annum; the cost of training programs will depend on the number of staff and the amenities available in the organization.
Create Role-Based Access Control and implement system logging. Role-based access control grants or denies entry to the organization's network based on the access levels and job categories of employees, and the logging records each decision. This will prevent individuals from accessing files or information they are not supposed to access.
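An added example, not from the paper or the case study, of how a role-based access control check with logging of every decision can be implemented. The roles, job categories, user names and resource names are constructed for illustration; an unknown user or role is denied by default, and every permit or deny is appended to an audit log that can be queried afterwards for denied attempts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Job category -> permitted (action, resource class) pairs. Constructed for
# this example; the real mapping would come from the organization's policy.
ROLE_PERMISSIONS = {
    "teller": {
        ("read", "customer_account"),
    },
    "operations_manager": {
        ("read", "customer_account"),
        ("read", "backup_tape"),
        ("write", "backup_tape"),
    },
    "security_admin": {
        ("read", "audit_log"),
        ("write", "access_policy"),
    },
}


@dataclass
class AccessControl:
    """Deny-by-default RBAC decision point that records every decision."""
    user_roles: dict                      # user id -> role (job category)
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user: str, action: str, resource_class: str) -> bool:
        # A user with no role, or a role with no permissions, gets nothing.
        role = self.user_roles.get(user)
        return (action, resource_class) in ROLE_PERMISSIONS.get(role, set())

    def request(self, user: str, action: str, resource_class: str, resource_id: str) -> bool:
        allowed = self.is_allowed(user, action, resource_class)
        # Log permits and denies alike: denied requests are the signal that
        # someone tried to reach files outside their job category.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "role": self.user_roles.get(user, "<none>"),
            "action": action,
            "resource": f"{resource_class}:{resource_id}",
            "decision": "PERMIT" if allowed else "DENY",
        })
        return allowed

    def denied_attempts(self, user=None) -> list:
        """Audit query: denied requests, optionally restricted to one user."""
        return [e for e in self.audit_log
                if e["decision"] == "DENY" and (user is None or e["user"] == user)]


def build_example() -> AccessControl:
    """Constructed user directory: three staff members in three job categories."""
    return AccessControl(user_roles={
        "alice": "teller",
        "bob": "operations_manager",
        "carol": "security_admin",
    })


if __name__ == "__main__":
    ac = build_example()
    ac.request("alice", "read", "customer_account", "acct-1001")   # permitted
    ac.request("alice", "read", "backup_tape", "tape-07")          # denied: not a teller task
    ac.request("bob", "write", "backup_tape", "tape-07")           # permitted
    ac.request("eve", "read", "customer_account", "acct-1001")     # denied: unknown user
    for entry in ac.audit_log:
        print(entry["decision"], entry["user"], entry["role"], entry["action"], entry["resource"])
```

Keeping the decision (`is_allowed`) separate from the logging (`request`) means the same permission table can be reused by a file server, a network gateway or a review script, while the audit log gives the security staff the record they need to spot repeated denials from one account.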
Establish secure Remote Access approaches
This adds convenience for users of the systems in accessing resources. The channel is secure because it carries information in encrypted form, ensuring the safety of information in transit.
References
Ahmad, A., Maynard, S. B., & Shanks, G. (2015). A case analysis of information systems and security incident responses. International Journal of Information Management, 35(6), 717-723.
Bernard, R. (2007). Information Lifecycle Security Risk Assessment: A tool for closing security gaps. Computers & Security, 26(1), 26-30.
Gupta, K., & Shukla, S. (2016, February). Internet of Things: Security challenges for next generation networks. In Innovation and Challenges in Cyber Security (ICICCSINBUSH), 2016 International Conference on (pp. 315-318). IEEE.
LeVeque, V. (2005). Information Security Strategic Planning. John Wiley & Sons.
Patra, L., & Rao, U. P. (2016, October). Internet of Things—Architecture, applications, security and other major challenges. In Computing for Sustainable Global Development (INDIACom), 2016 3rd International Conference on (pp. 1201-1206). IEEE.
UC, N. A., Basso, T., Matsunaga, R., UC, P. S., Moraes, R., UC, M. V., & Level, D. (2016). D6.1: Requirements and Coordinated Security Strategy.
SECURITY GAP ANALYSIS
Introduction
Security gap analysis refers to the process of assessing and evaluating the difference between the performance of a firm's information systems and the required level, to ascertain whether the necessary requirements are met and, if not, what steps must be taken to ensure that they are. This process entails identifying the security gaps present in an organization's information system and devising ways to fill them. Performing a security gap analysis against an organization's network is highly recommended and beneficial, although it is rarely conducted correctly. Security gap analysis entails reviewing an organization's network against a set standard to ascertain the areas that need to be improved (Karabacak & Sogukpinar, 2006). This paper will analyze the security gaps present at Bank Solutions Inc. and the technology to be adopted in order to fill them.
Summary of the paper
The security of a firm’s information system is very crucial as it determines the ability of a
firm to meet its overall goals and objectives. Bank Solutions Inc. is a financial institution that
provides item processing services to other financial institutions such as banks, credit unions,
internet banks, and savings and loan associations among others. The company’s information
system contains numerous security gaps that need to be addressed. One of the key security issues
that should be addressed is the company’s data recovery and business continuity plan. Not all of
the company’s key plan participants have a copy of the data recovery and business continuity
plan. This is because the DRBCPs are stored in the company’s network, which is then replicated
to all data centers via backup tape.
In order to address the issue described above effectively, the company should adopt a technology that ensures the data recovery and business continuity plans are stored safely and can also be accessed by all key plan participants. For this reason, the company should adopt cloud technology. This technology will not only guarantee the safety of the DRBCPs but also ease accessibility. Cloud storage will cost the company approximately $0.02 per GB per month, and the company will also be required to conduct frequent maintenance. Moreover, implementing cloud storage will enable the company to achieve scalability and flexibility.
Capabilities of the technology
Cloud computing entails the delivery of IT resources over the internet. It allows the company to respond faster to the needs of its business while driving greater operational efficiency. Adopting cloud computing will enable the company to achieve scalability and flexibility.
1. Flexibility-cloud computing will allow the company’s key stakeholders to access data
recovery and business continuity plan using their web-enabled devices like laptops,
smartphone and notebooks. The company’s DRBCP contains steps that should be taken
to resume operations after an occurrence of a disaster. For this reason, this plan is
essential for the continuity of the company and therefore all the relevant stakeholders
should access it.
2. Scalability-in addition to flexibility, adopting the cloud computing technology will enhance scalability. This technology will allow the company to easily downscale or upscale its IT requirements when deemed necessary. According to the company's Chief Information Officer, Douglas Smith, the DRBCPs are stored on the network and replicated across data centers. However, with the implementation of the cloud computing technology, the company will be able to downscale its IT requirements such as data centers and backup tape.
3. Ubiquitous Access- with the adoption of cloud computing services, the company’s
employees will be able to access the services from various platforms and devices
globally. In addition to accessing the data recovery and business continuity plan, the
company’s stakeholders will also be able to store and retrieve files anywhere at any time
(ComPUtING, 2011).
Costs involved with the technology
There are several costs involved in the adoption and implementation of cloud computing services, ranging from service provider costs to installation costs. Moving data to the cloud and storing it there will cost the company thousands of dollars. In addition, the cloud provider(s) will charge the company upload and download fees. The price of cloud storage is based on a flat rate for usage and storage; storage usage and bandwidth usage are calculated in gigabytes, and the charges accrue daily. The charges the company will incur for cloud storage services are $0.02 per GB per month. In addition, the company will also incur maintenance and training costs. The former entails the costs of conducting frequent maintenance of the company's cloud storage account(s), whereas the latter entails the cost of training employees on how to store and access the data recovery and business continuity plans and other uploaded files.
Maintenance requirements of the new technology
Like any other technology, cloud computing requires regular maintenance. Even though the cloud service provider performs the system maintenance, the company also has roles to play. To optimize and improve the technology, it has to develop an integrated operations management model. Bank Solutions Inc. should build a mature IT operations service platform. Moreover, it should engage in daily monitoring, IT systems maintenance, configuration management, fault handling and service acceptance, among other tasks. The data centers should also be flexible enough to integrate easily with the cloud storage platform.
Figure: image retrieved from http://cloudonline.info/benefits-of-cloud-computing-and-drawbacks/
Flexibility of cloud computing
Adopting the cloud and migrating most of the company's data into it would bring great value to the company in terms of flexibility. The more flexible the technology is, the more it helps to transform the company's business model, which improves the general efficiency of the company's operations. Adopting cloud computing will give the company an opportunity to transform its business model and gain a competitive edge. The flexibility that comes with cloud computing allows the company's employees to maintain efficient work practices. Having files backed up in the cloud will also ensure more flexible access to the data in a safe and secure manner. Cloud computing also allows access to company data from any location, so the managers of Bank Solutions Inc. can reach the bank's data wherever they are without carrying other storage devices, which could put the security of the company's data at risk. Data backed up in the cloud makes a virtual office possible, with quick and easy access to the data whenever needed from any of the company's web-enabled devices.
Feasibility for implementation
Assessing the feasibility of implementing cloud computing entails undertaking a feasibility study to ascertain whether implementing the technology is feasible within the company. The feasibility analysis results in a feasibility report covering service improvement, the value chain and the overall IT-enabled strategy. Leveraging cloud computing generally requires a feasibility analysis that weighs costs and benefits, efficiency and the general agility of the technology. Implementing cloud computing will result in high efficiency in the company's business operations.
Pros of the technology
The following are some of the benefits of adopting cloud computing services;
1. Flexibility-cloud computing enables the company's employees and other stakeholders to easily access data and files using devices such as laptops and smart phones. The company's stakeholders can upload and download files easily at any time, hence enhancing efficiency and flexibility.
2. Cost efficiency-another benefit of adopting cloud computing technology is that it reduces costs. Using this technology will enable the company to eliminate costs such as downsizing and scaling costs and avoid heavy capital expenditure. In addition, costs related to maintaining and managing IT systems will also be eliminated with the adoption of cloud computing services.
3. Business continuity-cloud computing enables the company to ensure that it continues to
operate after an occurrence of a disaster. Protecting systems and other important data is
essential part of business continuity planning. In an occurrence of a disaster, the company
will continue its normal operations as data is stored and backed up in a secure location.
4. Access to automatic updates-another benefit of cloud computing is that it will
automatically update the company’s IT systems with the latest technology.
5. Manageability-cloud computing enhances IT maintenance and management capabilities via central administration of resources and infrastructure. IT maintenance and infrastructure updates are eliminated, as all systems are maintained and managed by the service provider(s) (Armbrust et al., 2010).
Cons of the technology
1. Security-although cloud service providers adopt the best security measures, storing data and files in the cloud may pose security threats. Incidents such as hacking may occur and compromise the security of the stored files and data.
2. Downtime-downtime may also occur, since cloud service providers take care of numerous clients every day. For this reason, the service providers may be overwhelmed and may even experience technical outages, which can interrupt or suspend business processes.
3. Limited control-since the cloud platform is owned, monitored, and controlled by the service provider, it gives its clients little to no control over it. The client can only control data and applications, which is a limitation for the company (Mell & Grance, 2011).
Retrieved: http://www.digitalistmag.com/industries/public-sector/2012/10/12/neediest-industry-adopting-cloud-computing-018790
Potential barriers to success
The following are some of the potential barriers to cloud computing;
1. Cloud security-the fear of losing control by adopting cloud computing technology may
pose as a barrier to its successful adoption and implementation. The company’s
management and other stakeholders may fear losing control of important data and files
and thus resist its adoption.
2. Resistance to change-this is another barrier to the adoption of cloud technology. The company's employees and other stakeholders may resist the implementation of cloud technology as it will change the status quo.
3. Return on investments-one of the main questions IT professionals often ask is whether
moving to the cloud is worth it. Issues such as costs that might be incurred in the
transition pose as a barrier to the successful implementation of this technology.
Vulnerabilities reduced or eliminated
With the adoption and implementation of cloud technology, security issues will be reduced and/or eliminated completely. The company will store the data recovery and business continuity plans and other vital files in the cloud, so that in the event of a disaster the data, the DRBCPs and other files will be safe. This will enable the company to continue with its operations as usual (Foster, Zhao, Raicu & Lu, 2008).
Training issues
Adopting cloud computing technology will benefit the company as it will fill a security gap. However, the issue of training employees and other stakeholders must be considered. The company should devise ways to train employees on the use and application of the technology. This will enable the employees to familiarize themselves with the new technology and also reduce resistance to change.
Conclusion
In conclusion, security gap analysis refers to the process of identifying a security gap in
the IT systems and networks and devising ways on how to fill it. Data recovery and business
continuity plan is important to the company as it contains steps that the company should take
in order to restore its operations to normal. Therefore, this plan should be accessed by all the
key stakeholders such as the management, employees, shareholders, creditors, and suppliers
among others. Storing the DRBCPs and other data in the cloud will enable the stakeholders
to access them and also guarantee their security.
References
Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., … & Zaharia, M. (2010). A view of cloud computing. Communications of the ACM, 53(4), 50-58.
ComPUtING, C. (2011). Cloud computing privacy concerns on our doorstep. Communications of the ACM, 54(1), 36-38.
Foster, I., Zhao, Y., Raicu, I., & Lu, S. (2008, November). Cloud computing and grid computing 360-degree compared. In 2008 Grid Computing Environments Workshop (pp. 1-10). IEEE.
Karabacak, B., & Sogukpinar, I. (2006). A quantitative method for ISO 17799 gap analysis. Computers & Security, 25(6), 413-419.
Mell, P., & Grance, T. (2011). The NIST definition of cloud computing.
Tograph, B., & Morgens, Y. R. (2008). Cloud computing. Communications of the ACM, 51(7).
CYBER SECURITY IMPLEMENTATION PLAN
INTRODUCTION
Purpose of Plan
The following plan outlines the ways in which security gaps in the information system of Turn Key University (TKU), in Idaho, will be addressed. It describes the manner in which a secure information system will be implemented and highlights the steps for installation and deployment of a new system that addresses the security gaps in the current IS. The plan states the goals and objectives of the intended system: the overall goals of the university, that is, to reduce security shortcomings, and the project objectives, which aim to enhance the information systems so that they meet the requirements for secure systems in institutions.
The plan also includes the scope of the intended program and its bounds. All elements of this project are outlined, as well as those beyond its scope. The major events leading to the implementation are included, along with the various aspects of the undertaking, such as equipment and resources. Lastly, the assumptions and constraints made during the system development lifecycle are an essential element of this plan as well. In this section, the expense of the deliverables is mentioned, as well as the several milestones. This plan is a deliverable of the Design phase and shall be modified and updated accordingly throughout the Development phase. Through the solutions made available in the development following this plan, security issues like the ones TKU is facing now will be eliminated, and the possibility of future occurrences reduced immensely.
GOALS AND OBJECTIVES
Business Goals and Objectives
The institution has formulated goals and targets aimed at resuming normal operations as soon as
possible, to put an end to the already detrimental state of the school’s transaction management
system. To do so, it has set the following goals and objectives.
1. System security is the key objective, as far as the institution is concerned. Data breaches
render students’ data prone to misuse by the attacker. That could cause financial losses
and legal liabilities to the school. Hence securing the system is a top priority.
2. The development process ought not to surpass the projected budget, lest the school is
forced to cut funds for other operations, or forego this one altogether.
3. Another goal for the institution is to keep the users satisfied with the handling of their data. The school aims at meeting user expectations with the new implementation and seeking ways by which to reimburse users in case of any losses.
Project Goals and Objectives
The development and implementation process of this project is aimed at addressing the security shortcomings currently present in the university's system. The key objective is to rectify the anomaly and install preventive measures to avoid any future data breach, or any security breach whatsoever. Below are the individual goals and objectives of this implementation plan and the resultant project.
1. Meet the deadline, seeing that the school's system is lying unguarded, hence highly prone to subsequent attacks. Finishing in time is especially useful for the institution so that it can resume
2. The project also seeks to remain within the budgetary bounds. Project costs ought not to spiral, bearing in mind that this is a governmental institution where the release of extra funds could take a long time, leading to more delays and further exposure.
SCOPE
Scope Definition
This project is aimed at developing a transaction system that incorporates security
measures superior to those present in the previous system. The former system has proven
ineffective in protecting the data of the various stakeholders. It is needed, considering that the
system handles financial information, and breaches may result in financial losses to the users. It
will be beneficial to both the users and the institution since it is a core element of the university’s
daily operations. It is estimated that almost all of the 6000 students in the school use the system
at some point, with a significant number of them using it a couple of times every day. As such,
the school’s internal environment shall be free of external disturbances of its security systems
(Moustafaev, 2014).
The project development comes shortly after a data breach rendered previous security
measures futile. Besides replacement of the current system, the new one shall include elements
that are up to date with current technologies. The migration comes at a point where the previous
system was near obsolete, seeing that it has been in place since 2000. The new system will entail
new security policies and an IS culture.
Items Beyond Scope
1. The project does not account for the financial management systems in the games department or the student library. It also leaves out the subset of the transaction management system that is used at the staff eatery. Despite being an extension of this project, that subset is beyond this scope, because it entails features not available to students, such as paying for meals from one's salary.
2. These other systems stand on their own and are not considered part of the transaction management system used by students at all, regardless of any relationship or shared resources. The reason for this is to ensure that the vulnerabilities of one system do not compromise the others. It is a risk mitigation move that has so far worked as expected.
3. Furthermore, this development entails the software components alone. Even though it
will be run on upgraded equipment, the hardware elements have not been accounted for
in this plan. Any purchases, replacements, or upgrades of the material are not part of the
system implementation.
PROJECTED EXPENSES
System Development Life Cycle/Schedule
1. Requirements – the system and institution needs are gathered during this stage. These conditions comprise system and user functions and processes.
2. Analysis – the requirements obtained above are included in project layout and definitions.
This phase shall include the security matrices and workflow diagrams as well.
3. Design – a physical model of the system shall be developed from the logical model
above. The physical model indicates the relationships in the database and objects
definitions.
4. Development – objects from the physical model are coded. They are then integrated into
a working component.
5. Testing – the developed component is tested through acceptance, part, and requirements
testing.
6. Implementation – the working application is placed on the server for use, and personnel
trained how to use it.
7. Maintenance – issues from this new system are handled as they arise. Suggested
modifications are tested for viability before the system is revised (Roebuck, 2012).
Milestones
The milestones of the development process shall be marked with the periodic deliverables. Each
phase in the development process shall act as a milestone, and all activities prior to the
completion shall be checked for congruency.
ASSUMPTIONS
Project Assumptions
Numerous assumptions have been made in the compilation of this plan. These assumptions are
the ideals that would see the project development run successfully within the set time and
allocated budget.
1. Members of the development team shall be available at all times. The project manager
shall be the chief coordinator of the development activities. The manager shall also
ensure that all deliverables are made on time.
2. Members will adhere to the formulated communication plan and regulations. Also, they
shall stick to the guidelines, failure to which will attract a warning, then a penalty, and
finally a dismissal from the team.
3. Changes arising after the project requirements have been defined and set shall be
accommodated accordingly (Kendrick, 2009). It is assumed that these will not derail the
development process or render some aspects unnecessary.
4. Besides their assigned roles, the members are expected to work collectively towards the
seamless completion of the project. Therefore, corrections, modifications, and
suggestions are welcome. It is the duty of each member to see to it that all the steps are
observed and are in accordance with the set goals and objectives.
CONSTRAINTS
Project Constraints
1. The development team can only contain 3 – 7 members.
2. The complete project must be implemented in six weeks’ time; that is before the next
school semester commences.
3. Development resources are somewhat limited, seeing that it is a public institution, and
procurement approvals are still pending.
4. The scope of this project is not explicit and hence leaves much room for misinterpretation.
Critical Project Barriers
The architecture on which the new system is meant to run is not yet in place, so testing platforms
are a problem too: the developers might have to test on leased equipment, which is
expensive, or wait until the associated equipment is purchased.
Bibliography
Kendrick, T. (2009). Identifying and managing project risk: Essential tools for failure-proofing
your project. New York: AMACOM.
Moustafaev, J. (2014). Project scope management. CRC Press.
Roebuck, K. (2012). Software Development Life Cycle (SDLC): High-impact Strategies – What
You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors.
Dayboro: Emereo Pub.
First Presidential Bank
1
To: Chief Information Officer
From:
Subject: Security Plan Recommendation Memo
First Bank requires an overhaul of its existing security system: the system dates from 2007 and has
not been revised since, and its ability to help the company mitigate risks has never been tested. The report
therefore found that no security plan should be enacted before a proper assessment has
uncovered the possible weak points. The study carried out a risk assessment that served
as the foundation for the security plans to be implemented against the various threats.
The report followed the assessment procedure below before drawing conclusions.
The report found that the DRBCP was developed in 2007 and has not been reviewed since.
According to the recommendations of the study, it is important to check the current assets
against the measures enacted in 2007 to determine whether those measures are still relevant.
A vulnerability in the system came to light in 2009, and no similar instance had occurred up to
the time of the assessment. The report clarified that the system required another round of testing
to determine the faults in its processing ability.
The report also claimed that First Bank had not set clear and succinct Recovery
Time Objectives or Recovery Point Objectives, neither of which was covered in
the initial deployment plan. The company enabled the placement of objectives, each of which
would ensure that the organization works towards the set targets. The report identified all
the First Bank assets that required protection, then proceeded to attach a risk
level to each asset. Finally, the report identified the cost, time, and effort that would be
spent to contain each of the threats and place First Bank in a safe position.
Introduction
The report intends to carry out a thorough implementation of security planning. It
notes that before the plan is carried out, an assessment must take place to
reveal the weaknesses of the incumbent system. The planning process takes place within a
limited time span and covers the security policies and the placement of controls meant to prevent
or reduce the chances of computer risks occurring. The paper took part in the creation of
guidelines based on the organizational goals and the outcomes of the assessment. The paper
engages the reader with the technology and features that computer professionals consider
most important.
Body
The report therefore found that no security plan should be enacted before a proper
assessment has uncovered the possible weak points. According to Kaplan
et al. (2014), the study carried out a risk assessment that served as the foundation for the security
plans to be implemented against the various threats. The report followed the assessment
procedure below before drawing conclusions. The report identified all the First Bank assets that
required protection, then proceeded to attach a risk level to each asset.
Finally, the report identified the cost, time, and effort that would be spent to contain each of the
threats and place First Bank in a safe position.
The report found that the DRBCP was developed in 2007 and has not been reviewed since.
According to the recommendations of the study, it is important to check the current assets
against the measures enacted in 2007 to determine whether those measures are still
relevant. A vulnerability in the system came to light in 2009, and no similar instance had occurred up to
the time of the assessment. The report clarified that the system required another round of testing
to determine the faults in its processing ability.
The report also claimed that First Bank had not set clear and succinct Recovery
Time Objectives or Recovery Point Objectives, neither of which was covered in
the initial deployment plan. The company enabled the placement of objectives, each of which
would ensure that the organization works towards the set targets.
According to Kaplan et al. (2014), the report also found that not all members had
received a copy of the security plan, leaving them in the dark and unable to
undertake the security measures required by the Bank's rules. The fact that a copy of
the plan existed on the network did not mean that each person would find it.
It was therefore prudent for each of them to receive a copy.
The participants responsible for implementing the DRBCP had not undergone formal
training and therefore needed to be trained in the particular areas they would
prioritize when using the security plans. According to Singer and Friedman (2014), the report
argued against giving employees administrative powers within the system, since the
system was required to log events. The system therefore had to be separated from the
employees, who could otherwise alter the activity log recorded by the system.
The network also required a complete overhaul of the placement of the system's
network resources. For example, routers, IDS, and load balancers that had been placed redundantly
would be placed in a standard manner, taking care of the distances between the devices. The
processes and backup plans that had failed would be reviewed as well. Worst of all, they
had handed their data backups to other companies to help them remain private.
Technology measures
The risk management team comprised personnel mandated to monitor, define and
correct the present information systems against risks that might occur.
According to Kaplan et al. (2014), the team considered detective,
corrective and preventive types of technologies that would also generate reports and audits of the
system at any time. The team discussed three critical technologies: the risk
management dashboard, network anomaly detection and anti-malware.
Risk management dashboard
The report claimed that it is one of the essential forms of technology in planning for data
security. The study described a proper risk management dashboard as a system that provides
a universal approach to ensuring regulatory and policy compliance, health-risk management and
risk management processes. These succeed when the dashboard integrates
disparate information about health-related products and the disparate security of the system.
According to Kaplan et al. (2014), the system would normalize, aggregate, and compare data
from distinct locations. The dashboard would allow automated risk assessment and the gathering of
facts from various parts of the company. The RMD also ensures that existing information is presented
in an elegant and informative manner. The organization would embrace the technology since it acts as a
central location from which the staff would manage the whole system, from a single point of view.
Anti-malware technologies
The technology would assist the organization in defending against malicious code
that attacks users or hides within the code. According to Singer and Friedman
(2014), there exist two means by which a person may protect the system from attacks: anti-spyware and anti-virus. The study suggested that the anti-malware would monitor the entry
points of classes, through the integration of apps with the operating system. The system would not
only secure but also track conversations that take place among employees. However, the
system requires updating to remain effective throughout its lifetime on the machine. Similarly,
useful application of anti-malware requires platforms such as firewalls, administrative rights to
gain access, and the presence of real-time mechanisms that ensure employees
contribute to the protection of the system.
Network anomaly protection
A network anomaly detection program ensures that the system's pathways and indicators
are monitored so that any suspicious behavior is thwarted
accordingly. It includes firewalls and the detection of systems that allow the transmission
of malware.
Associated costs
The expense of the system depends on the network being protected, for example
where Network Anomaly Protection is deployed. Such systems cost from at least three hundred dollars to
as much as a thousand dollars. Anti-malware technologies, on the other hand, cost from ten dollars for
a single user and increase depending on the version or the number of computers to
be monitored. A risk management dashboard may cost from around a
hundred dollars.
Expected return on investments
The implementation of the systems does not generate revenue, but it lets the company
prevent the loss of much cash through hackers or through information being accessed by the
wrong individuals. The applications would increase the efficiency of data transfer in the
network and let the company focus on other income-generating activities.
Strategies
Proactive strategies
According to Singer and Friedman (2014), for every method implemented in the
system there ought to exist both a reactive and a proactive strategy. The pre-attack strategy puts in place
measures that reduce the vulnerabilities of the present policies and moves
the system to a safe state through the installation of contingency
measures. The company would assess the potential depth of an attack and then create a proactive strategy.
The reactive strategy ensures that the damage is assessed; in anticipation of
an attack, the personnel would deploy a contingency plan derived from a
study of the business running costs.
Reactive strategy
The process occurs when the proactive strategy does not offer a solution to the system,
and it provides a set of steps to be taken following an attack. The strategy reduces
the damage, determines the vulnerabilities the attack exploited, and aims to repair the damage that
resulted.
Mitigation of risks
The system could reduce the impact of the risks through risk acceptance, which
however does not reduce the risk itself; risk avoidance, which
appears the most expensive; risk limitation, which is the most
prevalent; and risk transference.
Barriers to success
The obstacles to the success of the project could arise from many factors, such as
a financial gap in what management requires to perform its duties, and failure to follow the
appropriate research methodology would generate complications. The absence of adequate
resources to drive the process could hinder the delivery of the project.
[Figure omitted. Image courtesy of: https://msdn.microsoft.com/en-us/library/cc723503.secpln05_big(l=enus).gif]
References:
International Business Publications, Inc. (2013). EU national cyber security strategy and
programs handbook: Strategic information and developments. Place of publication not
identified: Intl Business Pubns USA.
Kaplan, J. M., Bailey, T., Rezek, C., O'Halloran, D., & Marcus, A. (2014). Beyond
cybersecurity: Protecting your digital business.
Singer, P. W., & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to
know.