Emerging Group & Self Reflection
ITS 834 - Case Study
Solomon Enterprises
Group-4
Sindhura Nalluri
Karishma Paleja
Poorna Sai Raj Goud Parkala
Rajiv Chandra Talluri
Venkata Harish Thota
Introduction
Solomon Enterprises was established in 2018 in West Virginia to offer affordable virtual at-home healthcare services and network-based social services to individuals and families.
Solomon Enterprises employs 500 people across five distinct locations throughout the United States.
Its headquarters is in West Virginia, with regional offices in Florida, Texas, Arizona, Montana, and Missouri.
The organization is moving toward a future of at-home testing, with solutions available in one tap from any device, such as a mobile phone or iPad.
The headquarters is in West Virginia and the disaster recovery center is in Billings, Montana.
Employees connect to the systems and database over a VPN with soft-token authentication and a single sign-on process, all carried over an encrypted channel.
Administrative Controls
Administrative controls, for Solomon Enterprises as for any organization, are the procedures, guidelines, and policies that define how the business and its personnel operate in line with the organization's security goals.
The organization has established the following policies and agreements:
Least Privilege Policy:
Restricting access to sensitive data and critical systems to the people and processes that need it limits the damage a compromise at the data center can do and keeps it from spreading to the branch offices (Lord, 2018).
Company-Issued Device Policy:
Personal use of company devices raises organizational risk. The policy therefore limits each user to the assets and applications they need, secures that access with SSL certificates, and provides a remote factory reset for lost or stolen devices.
Security Training and Awareness Program:
A security education, training, and awareness (SETA) program sets the tone for the 500 employees of Solomon Enterprises. Complex passwords, never stored in cleartext, are a precondition set by the SETA policy.
Physical Controls
Physical controls are about protecting the organization's valuable assets physically.
Assets include the company's IT infrastructure, sensitive data, staff, and valuable devices.
IT organizations tend to focus on technical controls such as firewalls and VPNs and neglect physical controls, which opens the door to many attacks (Erbschloe, 2005).
Physical threats include natural disasters such as floods, cyclones, and earthquakes, as well as man-made attacks.
Solomon Enterprises can protect its assets from natural disasters with buildings and walls built to standard, earthquake-resistant server racks, and fire detection and suppression systems.
Multiple backups of data should be kept across regions.
Intrusion alarms, motion detectors, CCTV cameras, and security guards protect valuable assets from theft.
It is important to evaluate the physical threats the company might face and maintain proper situational awareness of them (Speed, Woo, Kouhestani, Stubbs, & Birch, 2018).
Intruders can be kept out with standard locks and identification tools such as smart cards and biometrics.
Issuing separate access cards (ideally with photos) to employees and visitors also makes intruders easy to spot.
It is important to have multilevel security within the office (Pearlson, Saunders, & Galletta, 2020).
Every other security control is wasted if an attacker can simply walk into the office and access sensitive data.
Technical Controls
Solomon Enterprises operates publicly (globally) accessible websites.
Technical controls prevent malicious events from affecting data integrity.
Firewall
Firewall rules are documented and maintained.
Block all traffic by default and allow only specific traffic.
Rules expire and must be reviewed: users who are no longer authorized, changes in government regulations, and incompatible applications all make rules obsolete.
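The three firewall points above (documented rules, default deny with explicit allows, and expiry review) are easy to state and easy to get wrong in a rule base that nobody audits. The following is an added example, not code from the case study or from any firewall product: a small rule evaluator with first-match semantics and an implicit default deny, plus an audit pass that flags the rules a reviewer should look at. The rule set, owners, dates and addresses are constructed for illustration.

```python
"""Added example: first-match firewall policy with default deny and a rule-base audit.
The RULES table is a constructed sample, not Solomon Enterprises' real policy."""
import ipaddress
from datetime import date

# Each documented rule carries an owner and an expiry date so it can be reviewed
# and retired; that metadata is what the audit below checks.
RULES = [
    {"id": 1, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": 443,
     "proto": "tcp", "owner": "web-team", "expires": date(2025, 12, 31),
     "note": "public patient portal"},
    {"id": 2, "action": "allow", "src": "198.51.100.0/24", "dst": "10.0.0.0/8", "port": 1194,
     "proto": "udp", "owner": "net-ops", "expires": date(2025, 6, 30),
     "note": "VPN tunnel from Billings DR site"},
    {"id": 3, "action": "allow", "src": "0.0.0.0/0", "dst": "10.0.5.20/32", "port": 3389,
     "proto": "tcp", "owner": "", "expires": date(2021, 1, 31),
     "note": "vendor RDP during migration"},
]

# Ports that should never be reachable from any source (assumed list).
ADMIN_PORTS = {22, 3389, 5900}


def evaluate(rules, src, dst, port, proto, today):
    """Return (action, rule_id). First matching, unexpired rule wins;
    anything not explicitly allowed falls through to the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["expires"] < today:
            continue  # expired rules are treated as absent
        if (s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"])
                and port == r["port"] and proto == r["proto"]):
            return r["action"], r["id"]
    return "deny", None


def audit(rules, today):
    """List (rule_id, problem) pairs a reviewer must act on: rules that have expired
    but are still in the rule base, rules with no owner, and administrative ports
    exposed to any source."""
    issues = []
    for r in rules:
        if r["expires"] < today:
            issues.append((r["id"], "expired but still in rule base"))
        if not r["owner"]:
            issues.append((r["id"], "no owner recorded"))
        if r["src"] == "0.0.0.0/0" and r["port"] in ADMIN_PORTS:
            issues.append((r["id"], "administrative port exposed to any source"))
    return issues


if __name__ == "__main__":
    today = date(2024, 3, 3)
    print(evaluate(RULES, "203.0.113.99", "203.0.113.10", 443, "tcp", today))
    print(evaluate(RULES, "8.8.8.8", "10.0.5.20", 3389, "tcp", today))
    for rule_id, problem in audit(RULES, today):
        print(f"rule {rule_id}: {problem}")
```

Rule 3 is the typical leftover: an any-source RDP allow that expired years ago. The evaluator denies that traffic because the rule has expired, but a real firewall keeps enforcing whatever is loaded, which is why the audit reports the rule for removal rather than relying on the expiry date alone.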
User Identification
Solomon Enterprises' 500 people need access privileges assigned by role:
business users, full-time staff, contractors, and consultants.
Passwords
At least eight characters, containing at least one upper-case letter and one number, and not containing the username (Yıldırım, 2019).
Two-factor authentication.
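The password rules above are only half of the control; the other half is how the password is stored once accepted. The block below is an added example, not from the case study, showing the policy check alongside salted PBKDF2 hashing and constant-time verification using only the Python standard library. The minimum length and iteration count are assumptions for illustration.

```python
"""Added example: enforce the stated password policy and store passwords as
salted PBKDF2-HMAC-SHA256 hashes (policy thresholds are assumed values)."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8           # from the policy: at least eight characters
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware improves


def check_password_policy(password: str, username: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Case-insensitive check so "Sindhura2024" is rejected for user "sindhura".
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted hash; the stored string carries algorithm, iterations and salt
    so the parameters can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw, user in [("Sindhura2024", "sindhura"), ("short", "x"), ("Correct9Horse", "bob")]:
        print(pw, "->", check_password_policy(pw, user) or "ok")
    record = hash_password("Correct9Horse")
    print(verify_password("Correct9Horse", record), verify_password("correct9horse", record))
```

Storing the iteration count inside the record is what lets the work factor be raised for new passwords while existing records keep verifying; the policy check, by contrast, runs only at enrollment and password change, since a stored hash cannot be re-checked against new rules.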
Event Logs
System logs, authentication logs, audit logs, intrusion detection system (IDS) logs, and intrusion prevention system (IPS) logs.
IDPS
A passive system that scans traffic, reports threats, and records traffic flows.
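Collecting authentication and IDS logs only pays off when something reads them. As an added example covering both the event-log and the passive-IDPS points above (not code from the case study or from any IDS product), the block below parses OpenSSH-style authentication lines and flags a source address that fails repeatedly within a short window and then succeeds, which is the signature of a password-guessing attack that worked. The log lines, host name and addresses are constructed; the threshold and window are assumed tuning values.

```python
"""Added example: brute-force detection over constructed sshd authentication log lines.
Sample log, threshold and window are assumptions, not real Solomon Enterprises data."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in syslog/OpenSSH format: five failures from one source in
# eleven seconds followed by a success, and one ordinary user typo elsewhere.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:01 vpn-gw sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:03 vpn-gw sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 09:14:05 vpn-gw sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:14:08 vpn-gw sshd[2212]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 09:14:10 vpn-gw sshd[2213]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 09:14:12 vpn-gw sshd[2214]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 09:20:44 vpn-gw sshd[2300]: Failed password for snalluri from 198.51.100.20 port 40011 ssh2
Mar  3 09:20:50 vpn-gw sshd[2301]: Accepted publickey for snalluri from 198.51.100.20 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn matching lines into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold failures inside a sliding window, and
    record whether an accepted login from that IP followed the burst."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(failures)):
            start = failures[i]["ts"]
            window = [f for f in failures[i:] if (f["ts"] - start).total_seconds() <= window_seconds]
            if len(window) >= threshold:
                last_fail = window[-1]["ts"]
                success = next((e for e in evs if e["result"] == "Accepted" and e["ts"] > last_fail), None)
                findings.append({
                    "ip": ip,
                    "failures": len(window),
                    "first": start,
                    "compromised_user": success["user"] if success else None,
                })
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{f['ip']}: {f['failures']} failures from {f['first']}, "
              f"then success as {f['compromised_user']}")
```

The single failure from 198.51.100.20 never reaches the threshold, so only the burst from 203.0.113.7 is reported, and the follow-on success marks it as a likely compromise rather than mere noise; that distinction is what separates an alert worth paging on from one that belongs in a daily report.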
Encryption
Cryptography: management of encryption and decryption keys.
A 2007 survey found 71% of organizations using encryption (Scott & Zachery, 2016).
Options named include RSA public-key encryption, quantum encryption, and the GSM stream ciphers A5/1 and A5/2; A5/1 and A5/2 have known practical breaks and are not suitable for protecting PHI, so data in transit and at rest should use current standards such as TLS and AES.
Security Policies
Data security refers to:
Confidentiality,
Integrity, and
Availability.
Security policies are important for preventing cybercrime.
The company must ensure that its data stays private.
Adopt more technology that scans for vulnerabilities.
Elements in Security Policy
Policies that Govern Network Services
Managing Patches
Scanning for Vulnerabilities
Responding to the Incident
Monitoring Compliances
Account Monitoring and Control
Legislation/Regulations or industry standards
Role of legislation and regulations in governing the company:
Improves security
Minimizes losses
Increases control
Builds trust
Important regulations to abide by:
HIPAA: Privacy and Security Rules governing the collection and disclosure of Protected Health Information (PHI).
HITECH Act: Regulates the electronic use of health information to prevent unauthorized access.
FISMA: Requires all federal agencies to secure the information they store, including through periodic risk assessments.
GLBA: Requires financial institutions to tell consumers what data is collected and shared.
SOX: Enacted to improve corporate disclosures and the transparency of information for auditing purposes.
STANDARDS
ISO Certification: ISO publishes standards that organizations can adopt and be certified against. Some of the relevant ones are:
ISO/IEC 27001:2005: Specifies the requirements for an information security management system (ISMS). The 2005 editions of 27001 and 27002 have since been superseded by newer revisions, so certification should be pursued against the current editions.
ISO/IEC 27002:2005: Provides comprehensive guidance on information security controls.
ISO/IEC 38500:2008: Provides guidance to the senior executives of an organization on the effective and efficient use of IT.
ISO 15489-1:2001: The international standard for records management.
The National Institute of Standards and Technology (NIST) is a US agency that develops measurement methods, standards, and technology to enhance competitiveness and innovation in science- and technology-based organizations.
Network Security Tools
Assessing the security posture of Solomon Enterprises
Nmap, Wireshark, and Nessus help keep the network, operating systems, and servers up to date.
Nmap
Discovers hosts and services.
Examines host responses and flags suspicious sources.
Features: network probing, OS detection, advanced service detection, and control of congestion during a scan (Kaur & Saluja, 2014).
Wireshark
Platforms: Windows, Linux, Unix.
Features: packet capture and analysis, used for network intrusion detection and for spotting port scans and exploit traffic (Kaur & Saluja, 2014).
Nessus
Discovers vulnerabilities by running between 1,000 and 1,200 checks on every device.
Plugin-based, open-source at the time, with support for vulnerability patching (Deraison, 2004).
Conclusion
Technology has grown enormously in recent decades, and cyber threats have grown with it.
IT security should be given high priority in any business (Pearlson et al., 2020).
Solomon Enterprises is no exception; it should give security the utmost importance because it handles sensitive PHI.
Organizations should maintain standard security controls and policies and should review and update them frequently to protect their assets.
Because attackers constantly look for new ways to break into systems, no IT infrastructure is 100% secure (Pearlson et al., 2020).
References
Lord, N. (2018). What is the principle of least privilege (POLP)? A best practice for information security and compliance. Digital Guardian. https://digitalguardian.com/blog/what-principle-least-privilege-polp-best-practice-information-security-and-compliance
Fomin, V. V., Vries, H., & Barlette, Y. (2008, September). ISO/IEC 27001 information systems security management standard: Exploring the reasons for low adoption. In EuroMOT 2008 Conference, Nice, France.
Gikas, C. (2010). A general comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS standards. Information Security Journal: A Global Perspective, 19(3), 132-141.
Humphreys, T. (2005). State-of-the-art information security management system with ISO/IEC 27001:2005. ISO Management Systems, 15-18.
Luthy, D., & Forcht, K. (2006). Laws and regulations affecting information management and frameworks for assessing compliance. Information Management & Computer Security, 14(2), 155-166. https://doi.org/10.1108/09685220610655898
Smallwood, R. F. (2019). Information governance: Concepts, strategies and best practices. John Wiley & Sons.
Vanderburg, E. (2011). Information security compliance: Which regulations relate to me. Retrieved April 30, 2017.
Speed, E., Woo, B. L., Kouhestani, C. G., Stubbs, J. J., & Birch, G. C. (2018). Human factors in security. 2018 International Carnahan Conference on Security Technology (ICCST), Montreal, QC, 1-5. https://doi.org/10.1109/CCST.2018.8585640
Pearlson, K. E., Saunders, C. S., & Galletta, D. F. (2020). Managing and using information systems: A strategic approach (7th ed.). Hoboken, NJ: John Wiley & Sons, Inc. Retrieved from vbk://9781119561156
Erbschloe, M. (2005). Physical security for IT. Digital Press.