IT Governance
MIS 673 Cyber Security Governance
Assignment 1 Upward Bound Airlines Caselet
Company Profile – Upward Bound Airlines
• International airline, founded in 1980, serving 31 cities: 16 in the US, two in Canada, two in Mexico and 11 in Europe.
• International headquarters in Chicago, Illinois, USA, with a small office at each airport and five regional offices.
• Has approximately 9,000 employees and a few hundred long-term contractors.
Background Information – What We Do
• Financed, for the most part, by investment banks, it has grown from a small, "hometown" airline into a profitable international carrier. The "secret sauce" for Upward Bound is efficiency of operations.
• All airplanes are the same basic model and version, and this airline has spare parts for airplanes at every airport out of which it operates. These two key factors have led to the lowest time per repair in the industry.
• Additionally, ground operations, including maintenance, baggage handling, fueling, etc., are extremely efficient, leading to, amongst other things, the best on-time record in the industry.
• At the same time, though, Upward Bound has been squeezed by the high cost of aviation fuel and, unfortunately, the standard model of airplane that this company uses is not particularly fuel efficient.
• The jet fleet is aging—the average age of an Upward Bound airplane is 12 years—and the vice president (VP) of ground and flight operations is pushing the idea of buying a new jet fleet.
• Doing so will drain the company of its cash reserves, but the high cost of aviation fuel combined with the age of the jet fleet make starting to replace jets soon inevitable. Upward Bound is bracing for the anticipated cash crunch by putting austere cost-saving measures in place:
  • Reducing the workforce—up to 20 percent of employees will be terminated by the end of the year
  • Outsourcing most IT operations by moving to cloud computing services
Background Information – Financials
• Publicly owned company
• Last year the gross revenue was US $296 million and profit was US $19 million
• Debt amounts to US $110 million
Background Information – Org. Structure
[Org chart: CEO at the top; boxes shown: Business Operations; Ground & Flight Operations; CIO; CFO; COO; CISO; External Relations; Administration; VP, Marketing; VP, Accounting; VP, Finance; VP, Infrastructure; VP, Application Development; Security Analyst; Public Relations Manager; VP, Human Resources; VP, Legal; Compliance Officer]
The board of directors:
• Consists of highly qualified professionals made up of CEOs and chief operations officers (COOs) of prominent corporations within the transportation industry
• Has one member who was the former US Secretary of Transportation
• Is very active and meets at least every month
• Sometimes has additional meetings to cover urgent issues (budget issues, in particular) that cannot wait until the next board meeting
The CEO:
• Is Sara Robbins, for the past seven years
• Is, above all else, a true visionary
• Has initiated many of the operational improvements
• Is a reasonable person who will take calculated risks to fatten the bottom line
Background Information – Departments
• The company consists of departments which are assigned one or more major functions. For example, some of the departments are:
  • Business operations
  • Ground and flight operations
  • External relations (public relations [PR]/customer relations)
  • Administration (legal, human resources [HR], regulatory compliance)
• IT reports to the chief information officer (CIO) and has a staff of 120 employees who, for the most part, are technical. Most of this staff will be gone by the end of the year due to the move to cloud services.
Background Information – Industry
• Competition for passengers and freight shipping within the airline industry is tough.
• Upward Bound Airlines competes well by passing on the savings from its efficient operations to customers, thereby offering attractive prices on most tickets.
• The airline's marketing efforts are average; it could be more competitive if it increased its marketing efforts.
• With the coming cash crunch, though, the company cannot afford to invest more money in marketing at this time.
Background Information – Marketing
• Upward Bound Airlines relies heavily on marketing to boost its sales.
• Its marketing budget is one of the biggest line items.
• Its marketing staff consists of many marketing-savvy individuals.
• The main message that the marketing organization tries to get across is the airline's efficiency and reliability and the advantages these hallmarks of the airline offer to busy passengers.
The Problems
• The cash crunch that Upward Bound Airlines will almost certainly experience in the near future will cause repercussions in the company's information security practice.
• The CEO has told you to expect to lose at least one of your team members by the end of the year, but this is only a minor problem compared to the advent of cloud services.
• You have been informed that much of the IT infrastructure will be scrapped in favor of cloud services. For example, all mail servers are going to be taken out of service, their hard drives will be erased and they will all be sold on eBay® by the end of the year.
© 2013 ISACA. All rights reserved.
• Google will provide all mail services instead.
• The same is true of business applications—software as a service (SaaS) provider Zoho will provide all business applications.
• All corporate web servers will be hosted by Amazon.
Exhibits – Network Architecture
[Network architecture diagram; not reproduced in the text]
The Problems
You have to re-configure the information security approach that you and your staff developed less than one year ago to make it appropriate for the massive changes in the IT infrastructure that are about to occur.
The existing security architecture contains the following elements:
• Policy and security standards that cover all major types of computing and network technologies
• Screening routers, stateful firewalls and a virus wall at each exterior gateway
• Spam filter and antivirus software on each mail server
• Network-based intrusion detection in each of Upward Bound's six networks and sensors distributed within each network
• Endpoint security (antivirus plus antispyware plus personal firewall) on each Windows® workstation
• Application firewalls in front of each web server farm
• VPN connectivity from the outside to each of the six Upward Bound networks via a VPN server
• A central log aggregation server in each network
• Encryption of all connections to and from each business critical server
• Tripwire® (a file and directory integrity checking tool) on each business critical server
• A hot site at which critical business operations can be up and running within three hours
• The decisions concerning the revised information security approach will be made by you and your team members, one of whom is the security architect.
• The change control board led by the CIO must approve any proposed changes before they go into effect.
Your Role
• You are the chief information security officer (CISO) of the airline and are based at the Chicago headquarters. You report to the chief executive officer (CEO) and attend the weekly senior management meeting. You have been with the company for slightly more than 10 years.
• The Information Security Department has four full-time information security staff members, all of whom report directly to you and are based at the Chicago headquarters.
You:
• Are a seasoned veteran
• Have been in some kind of information security management position for nearly 20 years, with the majority of the time in a CISO position
• Were grandfathered as a Certified Information Security Manager® (CISM®) in 2002 and hold a bachelor's degree in IT and a master's degree in business administration (MBA)
Notes
• Two groups that have offered a baseline of definitions (for cloud computing) are the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance.
• They both define cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• Another way to describe services offered in the cloud is to liken them to that of a utility. Just as enterprises pay for the electricity, gas and water they use, they now have the option of paying for IT services on a consumption basis.
Three major types of cloud services currently exist:
• Software as a service (SaaS)
  • Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).
• Infrastructure as a service (IaaS)
  • Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.
• Platform as a service (PaaS)
  • Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
• In the Upward Bound Airlines scenario, in moving its IT operations to the cloud, this company is, in effect, outsourcing these operations (including web-hosting services) using one or more IaaS providers.
• From a security risk management perspective, this means that many of the mainstay network security controls that Upward Bound's information security practice has used for years are no longer likely to be relevant.
• Controls that are no longer relevant need to be phased out over time, and new, cloud-based controls need to be phased into a revised security architecture.
• For instance, as Upward Bound moves to the cloud, externally originated attacks against hosts within Upward Bound's networks are not likely to pose as great a level of risk as before.
• Externally originated attacks against Upward Bound applications, databases and web servers in the cloud will, in contrast, pose major risk. Mitigating this risk will be more difficult because Upward Bound cannot directly control what happens in the cloud.
• If Upward Bound management is wise, security controls should be included in its statement of work (SOW) or service level agreement (SLA) with the cloud provider.
• Note that Upward Bound has a very strong operations orientation. Any risks and related control measures that can potentially disrupt operations are, thus, an especially important consideration.