Project assignment: Group Project
Risks
Threats
Weaknesses
Countermeasures
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Managing Risk in Information Systems
South Texas University – Case Study
Background: A gulf-coast University is located at the tip of a peninsula, surrounded on three sides by water. The area is periodically threatened by hurricanes, and high winds are the major concern. Severe hurricanes can cause flooding of the University grounds.
The University has 10 major buildings that support Administration, classrooms, student center, library, and athletics.
Electricity is provided to all buildings, but there are no UPS systems in place should power be lost.
Sprinkler systems provide fire protection
South Texas University – Case Study
The University conducted an independent audit of its IT Network and Enterprise systems and put controls into place to protect its Information Technology infrastructure and minimize risks to its data center operations. These include the University’s Web Servers, Email Servers, Enterprise Systems and other Administrative systems that are maintained by the University’s IT department managed by the CIO. Information Technology maintains the campus Wireless and LAN/WAN infrastructure and all telecommunication rooms are under key control locks. The Data Center and some telecommunication rooms are located on the 1st floor of their respective buildings.
All systems and infrastructure are under a Risk Management Plan and are considered protected; however, periodic InfoSec audits (including penetration testing, asset management scans, and InfoSec policy/procedure compliance reviews) are not conducted.
The new Cyber Security Analyst / InfoSec Manager has now been charged with conducting a walk-through of the campus to identify other automated systems that may be at risk.
University Data Center
Is housed on the 1st floor of a classroom building
The exterior walls do not have windows but the interior walls have windows that face the building’s hallway
Electricity feeds the entire building and an overload of circuits in the building may lead to a power outage
There are no UPS systems to maintain power during an electrical outage
The A/C system feeds the entire building and may not be sufficient to keep the building adequately cooled
During summer fans are used to cool the equipment
The entryway to the computer room has a Break Room
a Coffee Pot and Microwave are located in the Break Room
Access to the Computer room uses Key Cards issued to authorized personnel only
The Computer Room has raised floors
A sprinkler system runs across ceiling but the sprinklers are capped (water still fills the pipes)
There is No Fire Suppression system
Other University Systems
Enrollment Management is housed in an old 2-story library
Electricity is provided to the entire building but may not be stable
No UPS systems exist
Sprinkler systems provide fire protection.
Administrators are issued laptops for home use but inventory control and access control policies are not followed
Laptops often contain sensitive and protected data
1st Floor:
Front counter clerks assist students who stand in line waiting for help
Computers are sometimes left logged in even when unattended
Students sometimes crowd around the counters and overhear confidential information provided to the clerks by other students
Cubicles are used by specialists to process student records
Cubicles cannot be locked
Other University Systems
Enrollment Management (continued)
Cubicles (continued)
Students can wander into these areas when staff are not present
Login Passwords are sometimes taped to the computers
Student records are sometimes left out on the counters
Some student-records cabinets cannot be locked
Employees sometimes download music and pictures to their computers from the Internet and from external devices
Computers may not have the latest software patches
Back Offices are used by specialized staff and managers
Offices are not locked and have windows
Records vault contains all physical records and is locked after hours
Office is located on the 1st floor
Other University Systems
Enrollment Management (continued)
2nd Floor:
Application Server is kept in an office that is rarely locked and has windows
Servers support internal systems and have no access to the Internet
System Administrators work for Enrollment Management
SysAdmins are not subject to IT Risk Management policies
SysAdmins have little to no security awareness training
System may not contain latest patches
Report Server
Data extracts from the Report Server include the National ID
Users include Administrative staff but can include student workers
Users can download data to USB drives
System may not contain latest patches
Users’ access is not terminated when their duties change
Other University Systems
The University has 5 colleges located in separate buildings
Each College maintains its own server(s) (and internal LANs) to track programs, research and other initiatives.
Colleges use existing staff and student workers to manage their servers (typically computer science students)
SysAdmins are not subject to IT Risk Management policies
SysAdmins have no security awareness training
System may not contain latest patches
Servers are stored in offices and the doors are rarely locked and the rooms often have multiple windows
Servers may not be protected by a firewall and have direct Internet access
Each college maintains its own research systems and student databases which can be accessed externally
IT user authentication policies are not followed
SysAdmins may use generic Administrator passwords or post Administrator passwords at their computers
Seven Domains of a Typical IT Infrastructure
Figure 4-1: The seven domains of a typical IT infrastructure.
User Domain: Includes usernames, passwords or other authentication, and social engineering. The InfoSec Manager’s initial review of security discovered that there was no policy to update passwords on a regular basis and no requirement for strong passwords. Users posted passwords at their computers so that others could log in and use the computer when they were away. Security awareness campaigns did not exist, and few users knew there was a security policy or knew about social engineering.
Workstation Domain: Includes end-user systems, laptops, desktops, and cell phones. There were no automated controls in place to force logoff after inactivity, and no inventory control or asset management system in place to know whether laptops were onsite or offsite.
LAN Domain: Includes equipment required to create an internal LAN, such as hubs, switches, and media. Most hardware was protected in the Computer Center, but communications closets throughout the organization were not well protected from environmental damage.
LAN-WAN Domain: Includes the transition area between the LAN and the WAN (routers and firewall). IT infrastructure was well protected, but IT had no knowledge of systems outside its management.
WAN Domain: Includes routers and circuits connecting the wide area network. IT infrastructure was well protected, but IT had no knowledge of web systems outside its management.
System/Application Domain: Includes applications on the network (e-mail, database and Web apps). IT managed the administrative systems but had limited visibility of apps used throughout the institution.
Remote Access Domain: How remote users use your network (e.g., a Virtual Private Network (VPN)). IT administrative systems were protected via VPN, but since VPN was costly, there was concern that access to other systems was not protected.
Template
List all Risks, Threats, Weaknesses, Countermeasures and the Domain Impacted as identified in the scenario.
Example:
  Location:
    Enrollment Management 2nd floor office
  Risk:
    Loss of university equipment
    Loss of university data
  Threat:
    Server being stolen from Enrollment Management office
  Weakness:
    Office is left unlocked
    etc.
  Countermeasure:
    Lock doors
    Move server to IT Data Center
  Domain Impacted:
    Workstation
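A small risk register that follows the template above, added here as an example and not part of the original slides. It stores each finding with the template's fields, checks that an entry is complete and names one of the seven domains from Figure 4-1, groups entries by domain, and flags weaknesses that still have no countermeasure. The entry names, the helper function names and the second sample entry (built from the Data Center slide) are assumptions made for this example.

```python
"""Risk register in the shape of the assignment template (added example).

The template fields are Location, Risk, Threat, Weakness, Countermeasure and
Domain Impacted. Sample entries below are constructed from the scenario text.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# The seven domains named in Figure 4-1.
DOMAINS = {
    "User", "Workstation", "LAN", "LAN-WAN", "WAN",
    "System/Application", "Remote Access",
}


@dataclass
class RiskEntry:
    location: str
    risks: List[str]
    threat: str
    weaknesses: List[str]
    countermeasures: List[str] = field(default_factory=list)
    domain: str = ""


def validate(entry: RiskEntry) -> List[str]:
    """Return the problems found in one entry; an empty list means it is complete."""
    problems = []
    if entry.domain not in DOMAINS:
        problems.append(f"unknown domain {entry.domain!r}")
    for name in ("risks", "weaknesses", "countermeasures"):
        if not getattr(entry, name):
            problems.append(f"missing {name}")
    if not entry.threat.strip():
        problems.append("missing threat")
    return problems


def by_domain(register: List[RiskEntry]) -> Dict[str, List[RiskEntry]]:
    """Group entries by the domain they impact (useful for the write-up)."""
    grouped = defaultdict(list)
    for entry in register:
        grouped[entry.domain].append(entry)
    return dict(grouped)


def open_items(register: List[RiskEntry]) -> List[RiskEntry]:
    """Entries that name a weakness but no countermeasure: gaps still to close."""
    return [e for e in register if e.weaknesses and not e.countermeasures]


# Constructed sample register: the first entry is the template's own example,
# the second is built from the Data Center slide (assumed wording).
REGISTER = [
    RiskEntry(
        location="Enrollment Management 2nd floor office",
        risks=["Loss of university equipment", "Loss of university data"],
        threat="Server being stolen from Enrollment Management office",
        weaknesses=["Office is left unlocked"],
        countermeasures=["Lock doors", "Move server to IT Data Center"],
        domain="Workstation",
    ),
    RiskEntry(
        location="University Data Center",
        risks=["Loss of service during a power outage"],
        threat="Circuit overload in the building cuts power to the Data Center",
        weaknesses=["No UPS systems to maintain power"],
        countermeasures=[],  # not yet decided, so it appears in open_items()
        domain="System/Application",
    ),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(entry.location, "->", validate(entry) or "complete")
    for entry in open_items(REGISTER):
        print("still open:", entry.location)
```

Running the file lists each entry with its validation result and then the entries whose weaknesses have no countermeasure yet; as findings from the walk-through are added, `by_domain()` gives the per-domain view the assignment asks for.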