IT Risk Management


ASSESSMENT ITEM: 3

SUBJECT: ITC-596 IT RISK MANAGEMENT

LECTURER:

STUDENT NAME:

STUDENT ID:


Gigantic Corporation

IT Risk Assessment Report

Cyber Security Project


Executive Summary

This report is presented to the management of the Gigantic Corporation by the ‘IT Risk Assessment Lead Consultant – Cyber security’. It translates potential technical risks into business language to facilitate effective decision-making. The purpose of this report is to assess the cyber security of a major technology project of the Gigantic Corporation: an ‘upgrade project’ for the organization's current legacy system. The scope of this report covers external and internal interfaces; data, policies and standards at the ‘network, host, database and application levels’; and the third party systems that can pose cyber risks for the organization. It identifies threats and vulnerabilities along with their impact and presents risk mitigation recommendations as per industry standards. A high level ‘Risk Management Overview’ is provided along with the Assessment Approach, the risk model, the ‘Key Threat Agents’ and existing industry risk recommendations. An impact and probability based model is used to classify the risks into the categories of Critical, High, Moderate or Ignore, and recommendations are suggested accordingly. Lastly, the report produces findings-based recommendations and a summary for the website as well as for the overall cyber security of the organization. The recommendations include:

1. Updating to the latest versions of software

2. Keeping applications up to date as per guidelines

3. Switching to https with site-wide SSL (Secure Sockets Layer) or TLS (Transport Layer Security)

4. Enabling IPS (intrusion prevention systems)

5. Protecting website using the .htaccess file

6. Using a vulnerability scanner

7. Backing-up data regularly (Cyber insurance)

8. Enabling application firewall

9. Enabling network firewall

10. Strengthening Policies, standards and procedures for ensuring cyber security

11. Strict enforcement of information security guidelines and policies

12. Conducting Information and Privacy security training for employees as well as vendors


13. Installing CCTV cameras, ID card, or access based entry to physical premises as per authorization for the location

14. Strengthening controls at each and every site containing PII (Personally Identifiable Information) (Singer & Friedman, 2015)

15. Data Loss Prevention (DLP) measures

16. Intrusion Prevention / Detection (IPS / IDS)

17. Network Access Controls to be strengthened as per needs

18. Customer PII data to be properly separated from corporate data

19. Regular audit review of cyber security maintenance by external vendor or third party business partners

20. Securing international standards and Certifications for security.

21. Effective Incident Response Program (IRP)

22. Using latest anti-virus, anti-malware, and application software versions

23. Firewalls, filters at server for detecting risky /spam emails, messages, risky websites

24. Effective DRP (Disaster Recovery Process) and succession mechanisms

The summary at the end of the report presents the importance of implementing information security mechanisms. It treats the mitigation plan and preventive measures as an insurance against the business risks that can result from loss or theft of the organization's information and data. The consequences of ineffective risk management are found to be a loss of finances, customers and business partners for the business, as well as loss of trust and a bad image for the organization. The merits of the technology project as per the risk assessment findings are as below:

- The upgrades to existing systems will result in the latest versions of software, which are assumed to be more technologically advanced and safer from hackers (Whitman & Mattord, 2017).

- The implementation of cyber security measures in the project will enhance existing information security for the organization.

- Formulation of improved policies and guidelines in pursuance of the ‘upgrade project’ and strict enforcement as per recommendation will mitigate risks due to internal threats to a great extent.

- Improvements in security measure will result in the development of customer trust and therefore betterment of business and achievements of its objectives (Whitman & Mattord, 2017).

The report concludes that, given the thoughtful research and analysis done in its preparation and the industry recommendations consulted, it is expected to yield the best results for the organization when implemented.


Table of Contents

Executive Summary ................................................................................................... 2

Introduction ................................................................................................................ 5

1.1. Purpose ............................................................................................................ 5

1.2. Assessment Scope .......................................................................................... 5

2. Risk Management Overview .................................................................................. 6

3. Risk Assessment Approach ................................................................................... 6

3.1. Techniques Used ............................................................................................. 7

3.1.1. Risk assessment questionnaire ................................................................. 7

3.1.2. Assessment Tools ..................................................................................... 7

3.1.3. Threat and Vulnerability sources ............................................................... 7

3.1.4. Transaction walkthrough ........................................................................... 8

3.1.5. Review of documentation .......................................................................... 8

3.1.6. Interviews .................................................................................................. 8

3.1.7. Site visit ..................................................................................................... 8

3.2. Risk Model ....................................................................................................... 8

4. Assessment Findings - Threats, vulnerabilities and consequences ....................... 9

4.1 Technology components ................................................................................... 9

4.2 Physical Locations ............................................................................................ 9

4.3. Flow Diagram ................................................................................................... 9

4.4. Vulnerability Statement .................................................................................. 10

4.5. Threat Agents ................................................................................................ 11

5. Existing industry risk recommendations for the project ........................................ 12

6. Findings based Recommendations ...................................................................... 13

7. Summary of protection mechanisms to be employed ........................................... 14

Conclusion ............................................................................................................... 16

References ............................................................................................................... 17


Introduction

In the capacity of ‘IT Risk Assessment Lead Consultant – Cyber security’ for Gigantic Corporation, this report is presented with a detailed analysis. Acting as the interface between the business stakeholders and the technologists, the report translates potential technical difficulties into the language of risk, in order to facilitate effective decision-making.

1.1. Purpose

This risk assessment report has the purpose of assessing the cyber security of the major project of Gigantic Corporation. It presents a full IT assessment of the project to the management of Gigantic Corporation. The threats and vulnerabilities are identified along with their impact, and the resulting risk assessment is used to determine a risk mitigation plan in line with industry standards.

1.2. Assessment Scope

The scope of this risk assessment covers several components which come under the cyber security of the project. The first component is the external interface, a series of web pages allowing users to input data and receive information through the application. The mobile applications form the second external interface in scope, besides the internal applications and systems which are detailed further below. The scope also includes uncovering potential risks and vulnerabilities to all data of the Gigantic Corporation (its confidentiality, availability, and integrity), including the systems that create, receive, maintain, or transmit the data (Baltzan, 2013). Internal data, policies and standards related to data security at the ‘network, host, database, and application levels’ are also part of the scope (Levine, 2015). All existing organizational systems and applications, and those already proposed to be employed in the organization, which are affected by cyber security are covered in the scope, including the third party systems that can pose cyber risks for the organization. The report covers a high level ‘Risk Management Overview’, the Assessment Approach and the findings covering the threats, vulnerabilities, and their consequences. ‘Key Threat Agents’ are discussed along with existing industry risk recommendations for the scenarios derived from the project (Schwalbe, 2016). Findings-based recommendations for mitigating the risks and their impacts are subsequently discussed, with a final summary of the cyber security protection mechanisms that need to be employed in Gigantic Corporation.


2. Risk Management Overview

Risk Management covers the anticipation of risks and the preparation of a plan to prevent risks and to resolve them if they occur. It helps in saving time, money and effort, and in reducing avoidable stress. Risk management validates that the protective measures are appropriate for protecting the organization’s information assets and are aptly implemented and operational (Hoyt & Liebenberg, 2011). The overview of risk management is as follows.

Fig. 1 Prepared for project, adapted from Snyder (2014)

3. Risk Assessment Approach

The approach to risk management involves organization-wide risk management that is holistic and fully integrated with the business (Haimes, 2015). The three-tiered approach to addressing risks is:

- Tier 1 - Strategic Risks: Risks from an organizational perspective involving governance structure and organizational strategy.

- Tier 2 - Operational Risks: Risks from the business mission and business process perspective, guided by risk decisions at Tier 1.

- Tier 3 - Tactical Risks: Risks from an information system perspective, guided by risk decisions at both the above tiers; these determine the ultimate selection / deployment of countermeasures (Haimes, 2015).


Fig. 2 Prepared for project, adapted from (Haimes, 2015)

3.1. Techniques Used

3.1.1. Risk assessment questionnaire

Customized self-assessment questionnaire for ‘Information Technology Systems’ was used for identifying risks.

3.1.2. Assessment Tools

Security testing tools for reviewing system configurations and identifying vulnerabilities in the applications were used as and when required (Rausand, 2013).

3.1.3. Threat and Vulnerability sources

Several sources of vulnerabilities and threats were identified and assessed, as follows:

Fig. 3 Prepared for project, adapted from (Rausand, 2013)


3.1.4. Transaction walkthrough

At least one transaction or ‘use case’ of each type was selected for the assessment. All of them were processed for gaining an understanding of the included data flows and the control points (Rausand, 2013).

3.1.5. Review of documentation

Security policies in-force, existing operational manuals, system documentation and network diagrams were reviewed under assessment.

3.1.6. Interviews

Interviews were conducted with the personnel responsible for systems usage, upkeep, and security in order to validate information.

3.1.7. Site visit

Site visit at the IT Department and the Data Centre was done and physical accesses and environmental controls were reviewed (Rausand, 2013).

3.2. Risk Model

The risk model used for Gigantic Corporation’s cyber security risk classification is as follows: Risk = Likelihood (probability) x Magnitude of Impact (Olson & Wu, 2017). Likelihood / Probability – a risk is an event that "may" occur; the likelihood of its occurrence can be in the range of 0.1% to 99.99%. Magnitude of Impact – the possible negative impact expected from a risk; it varies in terms of costs and impact on business (Olson & Wu, 2017). The chart in Fig. 4 can be used for rating potential risks.

Fig. 4 Prepared for project, adapted from (Olson & Wu, 2017)


4. Assessment Findings - Threats, vulnerabilities and consequences

4.1 Technology components

The technology components under cyber security impact are:

- IT Applications

- Databases (server, system, software, client information and knowledge management databases)

- Networks – checkpoints, firewalls, routers

- Interconnections / interfaces to the client web browser and other third-party vendors (Papp et al., 2015)

4.2 Physical Locations

- IT Department,

- Data Centre, and

- Help Desk (Papp et al., 2015).

4.3. Flow Diagram

The following diagram shows the in-scope technology components reviewed as part of risk assessment.

Fig. 5 Prepared for project, adapted from Berger et al., (2016)


The risks are as in Fig. 6.

Fig. 6 Online activities, common threats, scams and frauds. Source: (Government of Canada, 2017)

4.4. Vulnerability Statement

A vulnerability is a flaw or weakness in the system that opens up the risk of attacks (Singer & Friedman, 2015). Some of the common Software / Product Security Weaknesses are in:

- Input Validation

- Access Controls, Permissions, Privileges

- Improper Authentication

- Poor Code Quality

- Insufficient Verification of Data Authenticity

- Improper Credentials Management

- Cryptographic Issues

- Software Security Configuration and Maintenance (US Homeland Security, 2011)

Some of the common Configuration Weaknesses are in:

- Access Controls, Permissions, Privileges

- Improper Authentication

- Credentials Management

- Planning / Policy / Procedures

- Security Configuration and Maintenance

- Audit and Accountability Maintenance (US Homeland Security, 2011)


Some of the common Network Security Weaknesses are:

- Common Network Design Weaknesses

- Network Component Configuration (Implementation) Vulnerabilities

- Weak Firewall Rules

- Audit and Accountability (US Homeland Security, 2011)

Potential vulnerability areas identified are:

- Organisational processes and procedures: Policies, standards, and procedures for ensuring cyber security to be further strengthened.

- Management routines: Effective Incident Response Program (IRP) to be initiated (Singer & Friedman, 2015).

- Personnel: Conduct Information and Privacy security training as per job role.

- Physical environment: Physical and logical security controls at each and every site containing PII (Personally Identifiable Information) data to be strengthened (Singer & Friedman, 2015).

- Information system configuration: Data Loss Prevention (DLP) measures, Intrusion Prevention / Detection (IPS / IDS) and Network Access Controls to be strengthened as per needs, and customer PII (Personally Identifiable Information) data to be properly separated from corporate data (Singer & Friedman, 2015).

- Hardware, software or communications equipment: Audit review to be more frequent regarding the detection of possible security breaches.

- Dependence on external parties.

- WPA2 handshake vulnerabilities: These are the key reinstallation attack (KRACK) vulnerabilities that allow malicious actors to read encrypted network traffic on a ‘Wi-Fi Protected Access II’ (WPA2) router and then send traffic back to the network (Government of Canada, 2017).

4.5. Threat Agents

Threat sources, or threat agents, are entities having both the intention and the capability to cause adverse impacts (Smith, 2016). The process involves:

- Determining the assets that can be threatened (e.g. confidential information, operations, goodwill and reputation of the organization)

- Identifying threat sources

- Determining when and how often the threats get realised

- Understanding the nature of the threat (resourceful attackers or amateurs) (Smith, 2016).


The common threat agents are:

- Hackers / cybercriminals

- Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)

- Viruses

- Loopholes in the security systems and applications

- Malware (infiltrating or damaging computers / applications)

- Environment (e.g. natural disaster)

- Pharming (online fraud) (Government of Canada, 2017)

- Phishing or spoofing (fake emails, text messages, or even websites made to look authentic, created by criminals for stealing personal / financial information)

- Ransomware (restricts access to systems or files and displays a message demanding payment for removing the restrictions)

- Other methods of data theft (Government of Canada, 2017)

Based on the above, the assumed ‘Key Threat Agents’ identified for Gigantic Corporation are:

- Hackers / cybercriminals

- Insiders (employees)

- Viruses

- Loopholes in the security systems and applications.

5. Existing industry risk recommendations for the project

‘Prevention, well-being, and response’ are the main steps to security. Regular backups and patching of applications, use of complex passwords and two-step authentication, and limiting access to accounts and sensitive information are the industry recommendations (McLean, 2018). Communicating safe practices to employees, such as browsing only safe sites and installing only trusted applications, is another industry recommendation. Restoring backups in advance can also be considered as cyber insurance (McLean, 2018). Besides these, other measures include:

- Security Governance - appointing leadership for plan execution

- Identification of a Risk Management framework

- Classification of cyber assets (into restricted, confidential and PII – Personally Identifiable Information) and of the perimeter protecting these assets

- Regularly conducting risk and vulnerability assessments (in three categories – Technology, Process, and Policy & People)

- Preparing plans for mitigating risks and impacts, control and effectiveness, including logs and monitoring, incident handling, contingency planning, with prioritization (Lebanidze, 2011)

- Improvement of policies, their enforcement, cybersecurity related training and awareness, addressing network risks, platform risks and application layer risks (Lebanidze, 2011).


6. Findings based Recommendations

For mitigating the risks and their impact on the system, findings-based recommendations are provided below.

| Item No. | Findings / Concern areas | Likelihood | Impact on business | Risk Rating | Recommendations |
|---|---|---|---|---|---|
| 1 | Loopholes in Organisational Processes and procedures | Low | High | High | Policies, standards and procedures for ensuring cyber security to be further strengthened |
| 2 | Internal Risks from Personnel | High (Cook, 2018) | High | Critical | Strict information security guidelines and policies; conduction of Information and Privacy security training as per job role to be initiated |
| 3 | Physical environment | High (Cook, 2018) | High | Critical | Install CCTV cameras, ID card or access based entry to physical premises as per authorization for the location |
| 4 | Physical and logical security | High (Cook, 2018) | High | Critical | Strengthen controls at each and every site containing PII (Personally Identifiable Information) (Singer & Friedman, 2015) |
| 5 | Inadequate Information system configuration | Low | High | High | Adoption of: Data Loss Prevention (DLP) measures; Intrusion Prevention / Detection (IPS / IDS); Network Access Controls to be strengthened as per needs; and Customer PII data to be properly separated from corporate data |
| 6 | Hardware, software or communications equipment | Low | Low | Can ignore | Audit review to be more frequent regarding the detection of possible security breaches |
| 7 | Dependence on external parties | Low | High | High | Ensure a policy for cyber security maintenance by external vendors or third party business partners |
| 8 | WPA2 Handshake Vulnerabilities | Low | High | High | Ensure adequate firewalls for all data transmissions |
| 9 | Insufficient Management routines | Low | High | High | Effective Incident Response Program (IRP) to be initiated (Singer & Friedman, 2015) |
| 10 | Loopholes in the security systems / applications | Low | High | High | Allot a team to check and follow the audit process regularly for detection of such loopholes; take market feedback |
| 11 | Viruses | Low | High | High | Adopt the latest antivirus always; update regularly |
| 12 | Malware / Ransomware | Low | High | High | Adopt the latest malware protection always; update regularly |
| 13 | Phishing or Spoofing | Low | High | High | Adopt firewalls and filters at the server for checking risky / spam emails, messages and risky websites |
| 14 | Unintentional / Unprecedented incidents | Low | High | High | Establish Disaster Recovery, contingency and succession mechanisms |
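Worked example of the report's risk model (Risk = Likelihood x Magnitude of Impact, section 3.2) applied to the 14 findings in the table above. This is an added example, not code from the original report. The numeric values assigned to the Low / Medium / High levels and the score thresholds that map to Critical, High, Moderate and Ignore are assumptions, chosen so that the three combinations that actually appear in the table (Low/High, High/High and Low/Low) reproduce the table's ratings; the Medium level and the Moderate band go beyond the table and show how the same model rates intermediate cases.

```python
"""Risk rating helper: Risk = Likelihood x Magnitude of Impact.

Added example, not part of the original report. It encodes the report's
rating scale (Critical / High / Moderate / Ignore) and re-rates the 14
findings from section 6. The ordinal values and the score thresholds are
assumptions chosen to reproduce the combinations seen in the findings table.
"""
from dataclasses import dataclass

# Ordinal values for the qualitative levels (assumed).
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def rate(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to the report's rating bands.

    Thresholds (assumed): Low x Low = 1 -> Ignore, Low x Medium = 2 -> Moderate,
    Low x High = 3 -> High, High x High = 9 -> Critical, matching the table.
    """
    score = LEVEL[likelihood] * LEVEL[impact]
    if score >= 6:
        return "Critical"
    if score >= 3:
        return "High"
    if score == 2:
        return "Moderate"
    return "Ignore"


@dataclass(frozen=True)
class Finding:
    item: int
    area: str
    likelihood: str
    impact: str
    recommendation: str

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


# The 14 findings from section 6 of the report (recommendations abridged).
FINDINGS = [
    Finding(1, "Loopholes in organisational processes and procedures", "Low", "High", "Strengthen policies, standards and procedures"),
    Finding(2, "Internal risks from personnel", "High", "High", "Strict guidelines; role-based security training"),
    Finding(3, "Physical environment", "High", "High", "CCTV, ID card or access-based entry"),
    Finding(4, "Physical and logical security", "High", "High", "Strengthen controls at every site holding PII"),
    Finding(5, "Inadequate information system configuration", "Low", "High", "DLP, IPS/IDS, NAC; separate customer PII"),
    Finding(6, "Hardware, software or communications equipment", "Low", "Low", "More frequent audit review"),
    Finding(7, "Dependence on external parties", "Low", "High", "Cyber security policy for vendors and partners"),
    Finding(8, "WPA2 handshake vulnerabilities", "Low", "High", "Adequate firewalls for all data transmissions"),
    Finding(9, "Insufficient management routines", "Low", "High", "Initiate an Incident Response Program"),
    Finding(10, "Loopholes in security systems / applications", "Low", "High", "Regular audit process for loopholes"),
    Finding(11, "Viruses", "Low", "High", "Latest antivirus, regularly updated"),
    Finding(12, "Malware / ransomware", "Low", "High", "Latest malware protection, regularly updated"),
    Finding(13, "Phishing or spoofing", "Low", "High", "Mail and web filtering for risky or spam messages"),
    Finding(14, "Unintentional / unprecedented incidents", "Low", "High", "Disaster recovery and succession mechanisms"),
]

# Treatment order: the most severe band is handled first.
RATING_ORDER = {"Critical": 0, "High": 1, "Moderate": 2, "Ignore": 3}


def risk_register(findings=FINDINGS):
    """Return the findings sorted for treatment: highest rating first, then by item number."""
    return sorted(findings, key=lambda f: (RATING_ORDER[f.rating], f.item))


def rating_counts(findings=FINDINGS):
    """Count findings per rating band, useful for the executive summary."""
    counts = {band: 0 for band in RATING_ORDER}
    for f in findings:
        counts[f.rating] += 1
    return counts


if __name__ == "__main__":
    for f in risk_register():
        print(f"{f.item:>2} {f.rating:<8} L={f.likelihood:<4} I={f.impact:<4} {f.area}: {f.recommendation}")
    print(rating_counts())
```

Running the file prints the register ordered for treatment (items 2, 3 and 4 first, item 6 last) and the count per band: 3 Critical, 10 High, 0 Moderate, 1 Ignore. Because the whole rating is a function of two inputs, changing the assumed thresholds in `rate` is the only place the classification policy lives, which keeps the register reproducible when the model is revised.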

7. Summary of protection mechanisms to be employed

For the protection of the website, the following are advisable:

1. Updating to the latest versions of software

Cybercriminals possessing web monitoring tools generally look for companies with legacy software and old apps, as these are vulnerable. Updating to the latest version can instantly remove such vulnerabilities and therefore the possibility of exploitation by hackers (Singer et al., 2015).

2. Keeping applications up to date as per guidelines

Remain signed up for email updates from the application supplier and keep current.

3. Switching to https with site-wide SSL (Secure Sockets Layer) or TLS (Transport Layer Security)

This securely encrypts the links between the server and the client, thereby preventing theft of personal data, credit card details, passwords etc. during transmission. TLS splits encrypted data between two servers, so that only a part of the data is exposed even if it is intercepted and decrypted (Singer et al., 2015).


4. Enabling IPS (intrusion prevention systems)

These are supplied by many IT organizations and offer robust protection for many applications (Singer et al., 2015).

5. Protecting the website using the .htaccess file

With a few lines of instructions, the website can be safeguarded from attacks by making changes to the .htaccess file, which can block unauthorised access to the database and admin area. It therefore prevents directory browsing and file access (Singer et al., 2015).

6. Using a vulnerability scanner

Such apps scan for software holes, malware, or other intrusions on the website (Singer et al., 2015).

7. Backing up data regularly (cyber insurance)

Loss of the website and its data can cause huge business losses if not recovered quickly. Backing up regularly is the preventive measure in this regard. The frequency of website or database updates can be used to determine the frequency of website backups. The frequency of online transactions is another criterion for determining the backup frequency (Singer et al., 2015).

8. Enabling application firewall

For protecting against ‘cross-site scripting’ and ‘SQL injection attacks’, a securely configured application firewall with a predefined rule set (to block malicious HTTP requests not conforming to the rules) is important (Singer et al., 2015).

9. Enabling network firewall

For protecting the website from sophisticated cyber-attacks, the following are important:

- Identification and control of network applications

- Protection of the website from advanced threats

- Filtering unwanted traffic through web and content policy

- Improving control of wireless networks (Singer et al., 2015)

- Running IPS scans for actively monitoring and preventing signature and behaviour threats

- Preventing data loss by monitoring behaviour that might result in data loss

- Protecting against malware in real time (Singer et al., 2015).

The other main recommendations, as detailed earlier, are:

- Strengthening Policies, standards and procedures for ensuring cybersecurity

- Strict enforcement of information security guidelines and policies (Whitman & Mattord, 2017)

- Conducting Information and Privacy security training for employees as well as vendors (Whitman & Mattord, 2017)

- Installing CCTV cameras, ID card or access based entry to physical premises as per authorization for the location

- Strengthening controls at each and every site containing PII (Personally Identifiable Information) (Singer & Friedman, 2015)

- Data Loss Prevention (DLP) measures

- Intrusion Prevention / Detection (IPS / IDS)

- Network Access Controls to be strengthened as per needs

- Customer PII data to be properly separated from corporate data

- Regular audit review of cyber security maintenance by external vendor or third party business partners

- Securing standards and certifications for security such as Payment Card Industry Data Security Standard (PCI DSS), NIST, SSAE18/SOC2, and ISO

- Effective Incident Response Program (IRP)

- Using latest anti-virus, anti-malware, and application software versions

- Firewalls and filters at the server for detecting risky / spam emails, messages and risky websites

- Effective DRP (Disaster Recovery Process) and succession mechanisms

As per Rejda (2011), adopting the best possible security mechanisms provides an insurance against the business risks which can occur on account of loss or theft of the organization's information and data. The consequences of ineffective risk management are a loss of finances for the business, as well as loss of customers and business partners. It can also tarnish the image of the organization and cause loss of trust in the market.

Conclusion

The summary provided above is based on the cyber security risk assessment for the project at Gigantic Corporation. It was completed with thoughtful research and analysis and is based on industry recommendations; hence it is expected to yield the best results for the organization.


References

Baltzan, P. (2013). Business Driven Information Systems (4th ed.). McGraw-Hill Education.

Berger, B. J., Sohr, K., & Koschke, R. (2016, April). Automatically extracting threats from extended data flow diagrams. In International Symposium on Engineering Secure Software and Systems (pp. 56-71). Springer, Cham.

Cook, A. O. (2018, 01 02). Why Your Employees Might Be The Biggest Threat To Your Growing Business (And What To Do About It). Retrieved 01 11, 2018, from Forbes: https://www.forbes.com/sites/forbesagencycouncil/2018/01/02/why-your-employees-might-be-the-biggest-threat-to-your-growing-business-and-what-to-do-about-it/#328c90646748

Government of Canada. (2017, 10 20). Common threats to be aware of. Retrieved 01 11, 2018, from Get Cyber Safe: https://www.getcybersafe.gc.ca/cnt/rsks/cmmn-thrts-en.aspx

Haimes, Y. Y. (2015). Risk modeling, assessment, and management. John Wiley & Sons.

Hoyt, R. E., & Liebenberg, A. P. (2011). The value of enterprise risk management. Journal of Risk and Insurance, 78(4), 795-822.

McLean, A. (2018, 01 08). Serenity Now: Australian government releases small business cyber security guide. Retrieved 01 11, 2018, from zdnet.com: http://www.zdnet.com/article/australian-government-releases-small-business-cybersecurity-guide/

Olson, D. L., & Wu, D. D. (2017). Data Mining Models and Enterprise Risk Management. In Enterprise Risk Management Models (pp. 119-132). Springer, Berlin, Heidelberg.

Papp, D., Ma, Z., & Buttyan, L. (2015, July). Embedded systems security: Threats, vulnerabilities, and attack taxonomy. In 2015 13th Annual Conference on Privacy, Security and Trust (PST) (pp. 145-152). IEEE.

Rausand, M. (2013). Risk assessment: theory, methods, and applications (Vol. 115). John Wiley & Sons.

Rejda, G. E. (2011). Principles of risk management and insurance. Pearson Education India.

Schwalbe, K. (2016). Information Technology Project Management (8th ed.). Cengage Learning.

Singer, P. W., & Friedman, A. (2015). Cyber security and cyberwar: what everyone needs to know. Strategic Studies, 9(1), 141-143.

Smith, P. (2016). Cyber security: watch out for data leaks! Strategic Finance, 97(7), 62.

Snyder, C. S. (2014). A guide to the project management body of knowledge: PMBOK® guide. Project Management Institute: Newtown Square, PA, USA.

US Homeland Security. (2011, 05). Common Cyber security Vulnerabilities in Industrial Control Systems. Retrieved 01 11, 2018, from US Homeland Security: https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf

Whitman, M. E., & Mattord, H. J. (2017). Principles of Information Security. Boston: Cengage Learning.