Strategic Information Security

Requirement

Strategic Information Security Report

Solution

Abstract

The case study deals with an insurance company and its migration towards an enterprise-wide security system. Initially, the organization had a primitive online security system for controlling access to corporate data. It had severe exposures: for example, with no integrity controls outside the online environment, any person with basic programming skills could change, add or delete production data. A new security program was therefore implemented, which is highly critical for continued organizational success, and the organization must continue to evolve its systems to take advantage of upcoming opportunities. This paper explores the changes taking place after the implementation of the security program, a professional plan of training requirements, the ISO security standards the organization requires and the most important information security certifications. We also examine a risk assessment, including the identification of the key threats to the organization and the controls that could be put in place to reduce the associated risks to an acceptable level.


Introduction

Information security and related concepts have been in practice for several decades. The necessity of protecting company information has been recognized in industries like government, manufacturing and finance, and such protection is a vital component of performing all business functions. Once a new system is launched in an organization, it evolves over time so that the organization can take advantage of the opportunities the system provides. The paper discusses an insurance company and its migration to an enterprise-wide security system. In preparation for the migration, a close look was taken at the current primitive online security system. BMP Limited conducted a risk assessment which listed the following exposures:

  • The organization lacks a centralized security department and has no security policies, procedures or standards. Security is administered by a single person who works in the systems support department.

  • An in-house developed security system provides authorization and authentication services for the online applications. Employees have no provision for changing their account IDs or passwords, and no facility exists to lock out accounts after unsuccessful password attempts. Furthermore, the account IDs and passwords are stored unencrypted in the online security file, so any programmer can easily print the file out. (Von Solms, B., 2001).

  • There is no facility for detecting failed sign-on attempts.

  • The organization has no protection for objects accessed outside the online applications. Anyone with programming experience can write a program to access, delete or update the production data, or run utilities against it.

  • There have been instances of production downtime when developers performing tests accidentally modified production data. The data then had to be restored from the previous night's backup, and the transactions overlaid by the restore jobs had to be resubmitted.

  • The organization lacks a security manual and documentation of its processes, procedures, guidelines and standards.

The objective of the paper is to discuss the information security issues of the selected organization, since such issues are among the primary drivers of the industry. The paper first presents an overview of the organization's current situation, and then discusses a professional plan for implementing the changes, incorporating the training and education requirements. Further, the report discusses a risk assessment, including the key threats that can be identified for BPM Limited and the controls that can be put in place to reduce the associated risks to an acceptable level. For reference, the case study organization is an insurance provider employing 2,800 employees.

Discussion

A. Overall security program
The new security program introduced a new mainframe, and a new operating system was generated. The security system was installed with vendor personnel on-site. The new security program has the following features:
1. Centralized Security:
Security must be coordinated centrally under the new system. The new security managerial infrastructure:

  1. Establishes a management forum,

  2. Provides security coordination across the organization,

  3. Includes management processes for authorizing new information processing facilities,

  4. Allocates responsibilities to specific parties,

  5. Develops sources of specialist information security advice, and

  6. Encourages cooperation among organizations, including independent reviews of information security. (Liebenau and Backhouse, 1990)

2. Mission
The security program includes security standards, guidelines and procedures and is clearly documented. Information security directives have been published for employee awareness, and the newly implemented LAN also provides an intranet site. Further, a mission statement has been published:
“To preserve the integrity, confidentiality and availability of information by minimizing the potential for unauthorized denial, addition, destruction, alteration, or disclosure of data, regardless of whether the act be reckless, negligent, intentional or accidental.
To facilitate secure access and connectivity to ANY-5: anyone, anywhere, anyhow, and anytime to anything.”

3. User Accounts
Users of each platform (mainframe, UNIX, NT, etc.) are provided with a user ID and password for that platform. These credentials serve as the authentication mechanism for gaining access to the platform and its applications.

  1. Each employee is assigned an individual account unless the manager authorizes an exception with systems security.

  2. When an individual is separated from an assigned user account, access to the account is given to the individual's senior manager or senior supervisor.

4. Event Logging
Certain events are recorded so as to keep an audit trail. The table below defines the logging requirement for each event type:

  Event                                      Logging
  Operator activity                          Recommended
  Specific users                             Only when applicable
  Password violations                        Required
  Logon/logoff activity                      Recommended
  All failed attempts to access resources    Required
  Special/administrator activity             Required

Event log records are retained for a minimum of one year.
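The logging table above is a policy; what a security team needs is a check that the policy is actually being met by the log that arrives. The following Python script is an added example, not part of the original report or of BMP's security system: it parses a constructed sample log in an assumed "timestamp key=value" format (the real mainframe log format is not given on the page), reports any Required event type that never appears, flags user IDs with repeated password violations, and applies the one-year minimum retention rule. The event names, the three-in-five-minutes threshold and the use of 365 days as one year are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Logging requirement per event type, taken from the table above.
# The event-type identifiers are assumed; the report does not name them.
POLICY = {
    "OPERATOR_ACTIVITY": "Recommended",
    "SPECIFIC_USER": "Only when applicable",
    "PASSWORD_VIOLATION": "Required",
    "LOGON": "Recommended",
    "LOGOFF": "Recommended",
    "ACCESS_FAILURE": "Required",
    "ADMIN_ACTIVITY": "Required",
}
MIN_RETENTION = timedelta(days=365)  # "1-year minimum", assumed to mean 365 days

# Constructed sample log in an assumed key=value format; not real BMP data.
SAMPLE_LOG = """\
2024-01-15T08:02:11 event=LOGON user=jdoe platform=TSO result=OK
2024-01-15T08:05:42 event=PASSWORD_VIOLATION user=agent0042 platform=CICS result=FAIL
2024-01-15T08:05:58 event=PASSWORD_VIOLATION user=agent0042 platform=CICS result=FAIL
2024-01-15T08:06:10 event=PASSWORD_VIOLATION user=agent0042 platform=CICS result=FAIL
2024-01-15T08:20:00 event=PASSWORD_VIOLATION user=emp1200 platform=CICS result=FAIL
2024-01-15T09:30:00 event=ACCESS_FAILURE user=tmp017 resource=PROD.POLICY.MASTER result=FAIL
2024-01-15T10:00:00 event=ADMIN_ACTIVITY user=sysadm1 action=PERMIT resource=PROD.CLAIMS.DATA
2024-01-15T17:45:03 event=LOGOFF user=jdoe platform=TSO result=OK
"""


def parse_line(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def missing_required_events(records) -> list:
    """Required event types that never appear: a logging gap, not a quiet day."""
    seen = {r["event"] for r in records}
    return sorted(e for e, need in POLICY.items() if need == "Required" and e not in seen)


def unknown_events(records) -> list:
    """Event types the policy table does not cover (they need a decision, not silence)."""
    return sorted({r["event"] for r in records} - set(POLICY))


def repeated_password_violations(records, threshold=3, window=timedelta(minutes=5)) -> list:
    """User IDs with >= threshold password violations inside a sliding time window."""
    times_by_user = defaultdict(list)
    for r in records:
        if r["event"] == "PASSWORD_VIOLATION":
            times_by_user[r["user"]].append(r["ts"])
    flagged = []
    for user, times in times_by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def must_retain(record_ts: datetime, today: datetime) -> bool:
    """True while the record is still inside the one-year minimum retention period."""
    return today - record_ts <= MIN_RETENTION


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("missing required event types:", missing_required_events(recs))
    print("repeat password violators:", repeated_password_violations(recs))
```

The coverage check deserves emphasis: an empty Required category in a day's log is more often a broken feed than an absence of failed access attempts, which is why the script reports it separately from the per-user alerts.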

5. Unattended Workstations
To minimize unauthorized use of personal computers and terminals, it is recommended that personnel protect their input/display devices as follows:

  1. Personal computers: a password-enabled screen saver must be activated manually.

  2. Terminal devices: the terminal must be locked and the key removed if it is equipped with a lock; if not, the session must be logged off.

  3. Periods of inactivity: the default time-out is 30 minutes for TSO and 10 minutes for the Windows/NT screen saver.

6. Encryption
The security program includes a number of technologies that provide assurance of the confidentiality and integrity of information. These include, but are not limited to, encryption, S/MIME e-mail, digital certificates and digital signatures.
The service requestor is responsible for coordinating all such requests with the managers of network services, systems security and systems services, to ensure that suitable protective measures are employed. Hence, no encryption mechanism is deployed without the express written consent of the manager of systems security: if the encryption process is implemented improperly, data can be lost unrecoverably. (Dhillon, G., & Backhouse, J., 2000).

B. Professional plan of training requirements
Users are made aware of good computing practices and then educated regarding computer security. This is one of the most important aspects, as users must understand the environment they are working in along with the responsibilities that come with it. An effective awareness and training program has been developed with the following steps:

1. User Training Online Applications: 
Users sign on at the main online menu to start an online session and are prompted for their user ID and password. Before the migration, the user ID and password were authenticated by the online system itself; the module is then changed to use Resource Access Control Facility (RACF) as the authentication mechanism. The user IDs used to populate the database are:

  1. 10,000 Agents

  2. 2,800 Employees

  3. 600 Services

  4. 400 Temps

  5. 80 Test

All passwords will be harvested from the proprietary file and loaded into the database, with the option set that forces each user to select a new password at sign-on time. Employees will be informed of the new password and sign-on procedures before the migration to the new system. (Davis, D. L., & Davis, D. F., 1990).
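The exposures listed in the introduction (unencrypted passwords in a printable file, no lockout after failed attempts, no way for a user to change a password) and the migration step just described (harvest the old file, force a new password at first sign-on) are two halves of the same design problem. The following Python model is an added example, not code from the report or from BMP's system or RACF: it shows one account store that migrates constructed legacy records, stores only salted PBKDF2 hashes, locks an account after a number of failed attempts, forces a password change on first sign-on and provides a help-desk unlock path. The lockout threshold, the iteration count and the record format are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy values: the report gives no lockout threshold or KDF parameters.
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes                      # PBKDF2 output, never the password itself
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False  # set for every record migrated from the old file


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a printout of the store reveals no passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self) -> None:
        self._accounts = {}

    def migrate_from_plaintext(self, legacy_records) -> int:
        """Take (user_id, plaintext_password) pairs read from the old unencrypted
        security file, hash them, and force a password change at first sign-on."""
        for user_id, plaintext in legacy_records:
            salt = os.urandom(16)
            self._accounts[user_id] = Account(
                user_id, salt, derive(plaintext, salt), must_change_password=True
            )
        return len(self._accounts)

    def authenticate(self, user_id: str, password: str) -> str:
        """Return 'ok', 'change_password', 'denied' or 'locked'."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"
        if hmac.compare_digest(derive(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "change_password" if acct.must_change_password else "ok"
        # Wrong password: count it and lock the account at the threshold.
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        """Let the user pick a new password (the old system offered no way to)."""
        acct = self._accounts.get(user_id)
        if acct is None or acct.locked or new == old:
            return False
        if not hmac.compare_digest(derive(old, acct.salt), acct.pw_hash):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = derive(new, acct.salt)
        acct.must_change_password = False
        return True

    def unlock(self, user_id: str) -> None:
        """Help-desk (war room) reset path: clears the lockout without touching the hash."""
        acct = self._accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0

    def export_record(self, user_id: str) -> str:
        """What a programmer sees if they print the file: user ID, salt, hash, flag; no secrets."""
        a = self._accounts[user_id]
        return f"{a.user_id}:{a.salt.hex()}:{a.pw_hash.hex()}:{int(a.must_change_password)}"


if __name__ == "__main__":
    store = AccountStore()
    # Constructed legacy records standing in for the old unencrypted file.
    store.migrate_from_plaintext([("agent0042", "winter99"), ("emp1200", "claims1")])
    print(store.authenticate("agent0042", "winter99"))  # change_password
    print(store.export_record("agent0042"))
```

The lockout is deliberately a counter on the account rather than on the connection, which is what the old system lacked; the unlock method is the operation the war room volunteers would be guiding callers through.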

2. Programming Staff
Programming staff sign on to the new mainframe to test the existing inventory of programs and ensure that all functions work properly. The new system will be challenging for the staff, because its time-sharing environment is very different from the old one, which required no passwords. The organization has over 10,080 programs to test, an intimidating task, but one that falls outside the security responsibility. Hence a training document must be created along with hands-on training for the employees and staff (Mishra and Harris, 2006), so that the process goes on without many glitches.

3. War Room
Before the migration, a conference room must be outfitted with 15 personal computers and phones. The dumb terminals will be replaced with PCs running a terminal emulation program that communicates with the mainframe over the LAN. The whole setup will serve as a help desk during and after the implementation. Volunteers can be recruited from the programming team to staff the war room; these personnel will receive intensive training in guiding callers through the password reset process. Furthermore, a tracking mechanism must be implemented to document the issues and ensure that all of them are resolved.

C. ISO security standards
The organization has a primitive security system and therefore does not use any of the ISO security standards. However, it will require various ISO security standards once the new security program is implemented. The new security program will provide remote access to the networks of BMP Limited along with a supplemental security layer protected by the computer system, giving personnel secure access to the network (Broderick, J. S., 2006). The following ISO security standards are best suited and recommended for the security program:
1. ISO/IEC 27001:2013
This standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
2. ISO/IEC 27010:2015
This standard supplements the guidance of the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities. It provides controls and guidance relating to initiating, implementing, maintaining and improving information security in inter-organizational and inter-sector communications (Cheng, J., Goto, Y., Morimoto, S., & Horie, D., 2008, April).
3. ISO/IEC 20000-1:2011
This standard can be used by the organization, since it obtains services from various service providers and requires assurance that its service requirements are fulfilled. The standard helps the organization, which requires a consistent approach from its service providers, by ascertaining that the providers demonstrate their capability for the design, transition, delivery and improvement of services that fulfil the service requirements. It thereby supports monitoring, measuring and reviewing the service management processes, so that the design, transition, delivery and improvement of all services can take place within the security management system for effective implementation of the security program. (ISO/IEC 17799)

D. Information Security Certifications
1. Information Systems Security Engineering Professional (ISSEP/CISSP)

The Information Systems Security Engineering Professional (ISSEP) certification was developed in conjunction with the U.S. National Security Agency (NSA). It covers best practices for integrating security methodologies into information systems, projects, applications and business practices, and can prove an invaluable tool for systems security engineering professionals. The certification acts as a guide for incorporating security into business processes, applications, projects and other information systems. BMP Limited and its security professionals need workable methodologies and related best practices for integrating security into the various facets of the business operations. The ISSEP certification is ideal for Certified Information Systems Security Professionals working in BMP in positions such as security consultant, security auditor, security systems engineer, security analyst and security manager.
2. The Certified Information Security Manager (CISM)
The Certified Information Security Manager (CISM) is considered one of the top certifications in the field of managing, developing and overseeing information security systems in an enterprise. It will be beneficial in developing best organizational security practices, which are highly recommended given the organization's history with a primitive security system. The certification was introduced by the Information Systems Audit and Control Association (ISACA), whose prime goal was to help IT professionals rise to the highest level with respect to the control and security of information systems. The certification is highly beneficial because the CISM credential targets IT security professionals and organizations that need help with enterprise-level security management responsibilities. Credential holders possess advanced and proven skills in security risk management, incident management and response, and governance and program development and management.

E. Risk Assessment
Information systems must be secured because they are so heavily relied upon. BPM Limited is critically reliant on its information systems for key business processes such as production scheduling, websites and transaction processing. Security is therefore one of the major areas that management must get right (Pattinson M. and Anderson G., 2006). Although the new security program is better than the primitive security system, it is still vulnerable to the following threats:
Threat #1 Exploited Vulnerabilities
Hackers have the ability to find a weakness in any security system and then exploit it for their own purposes. BPM Limited, being an insurance provider, is highly prone to hacking, so its IT professionals and security managers must be able to control the situation during a crisis in order to reduce the associated risk.
Resolution: Implementation of comprehensive patch management. The organization keeps some of its most sensitive data on non-Microsoft systems such as UNIX, Linux or Macintosh. Investment in a patch management solution will offer full visibility into the organization's network and will cover all operating systems and vendors, including non-Microsoft ones. BPM Limited can also install host-based intrusion prevention (HIPS), which monitors the system for user privilege escalation, anomalous behavior and other non-standard events.
Threat #2 Denial-of-Service Attack
A denial-of-service attack prevents valid users from making normal use of a system, computer or network. If the attacker gains access, he can do the following:

  1. Divert the attention of the internal information systems staff so that they cannot identify the intrusion, allowing the attacker to mount further attacks during the diversion.

  2. Cause abnormal termination or behavior of services and applications by sending them invalid data.

  3. Flood the entire network with traffic until it shuts down due to overloading.

  4. Block traffic, so that authorized users lose access to network resources. (Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P., 2004).

Resolution: Defensive responses to denial-of-service attacks combine techniques such as attack detection, traffic classification and response tools aimed at blocking illegitimate traffic while allowing legitimate traffic through.
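The three pieces named in that resolution (detection, classification, response) can be shown end to end on a small flooding scenario. The following Python script is an added example, not part of the report or of any BPM tooling: it constructs a flow log with three ordinary clients and one flooding source (addresses from the RFC 5737 documentation ranges, not real hosts), measures each source's peak request rate in a sliding window, classifies sources as "block" or "allow", and then filters the traffic so that only the legitimate flows pass. The window length, the 50-requests-per-window limit and the flow format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters; the report names no threshold.
WINDOW = timedelta(seconds=10)
MAX_REQUESTS_PER_WINDOW = 50


def build_sample_flows() -> list:
    """Constructed flow records (timestamp, src, dst, port) using the
    RFC 5737 documentation address ranges; this is not captured traffic."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    flows = []
    # Three ordinary clients: one request every 2 seconds for a minute each.
    for offset, src in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for k in range(30):
            flows.append((base + timedelta(seconds=2 * k + offset), src, "203.0.113.5", 443))
    # One flooding source: 200 requests in four seconds.
    for k in range(200):
        flows.append((base + timedelta(milliseconds=20 * k), "198.51.100.7", "203.0.113.5", 443))
    flows.sort(key=lambda f: f[0])
    return flows


def peak_rate(timestamps, window=WINDOW) -> int:
    """Detection: largest number of requests from one source inside any sliding window."""
    timestamps = sorted(timestamps)
    start, peak = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def classify_sources(flows, window=WINDOW, limit=MAX_REQUESTS_PER_WINDOW) -> dict:
    """Classification: split sources into 'block' and 'allow' by peak rate."""
    by_src = defaultdict(list)
    for ts, src, _dst, _port in flows:
        by_src[src].append(ts)
    verdict = {"block": [], "allow": []}
    for src, times in by_src.items():
        verdict["block" if peak_rate(times, window) > limit else "allow"].append(src)
    verdict["block"].sort()
    verdict["allow"].sort()
    return verdict


def filter_traffic(flows, blocked) -> list:
    """Response: drop flows from blocked sources, pass everything else."""
    blocked = set(blocked)
    return [f for f in flows if f[1] not in blocked]


if __name__ == "__main__":
    flows = build_sample_flows()
    verdict = classify_sources(flows)
    print("block:", verdict["block"], "allow:", verdict["allow"])
    print(len(flows), "flows in,", len(filter_traffic(flows, verdict["block"])), "flows pass")
```

A per-source rate is the simplest classifier and the one most likely to misfire on legitimate traffic behind a shared address (a branch office NAT, a partner agency's proxy), so in practice the limit is tuned against a baseline of normal volumes and the block list is reviewed rather than applied blindly.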
Threat #3 Downloaded Software Including Open Source and P2P files
IT administrators in the organization might download and install open source freeware or software to save money, which wastes time on configuring and fine-tuning the software and can lead to a data breach.
Resolution: Download and system update administration must be limited to IT professionals, and users must not be allowed to download and install any software on their own desktops. The system antivirus and spyware protection must be updated regularly. The organization can install host-based intrusion prevention (HIPS), which monitors the system for user privilege escalation, anomalous behavior and other non-standard events, but only senior security professionals may have access to it. (Stoneburner, G., Goguen, A. Y., & Feringa, A., 2002).

Conclusion

Developing an effective information security program is highly recommended. The information system is shaped by various threats, so the security system must be updated from time to time as part of a strategy that defines the success of the organization. It is imperative for the management of BPM Limited, and of other organizations, to support their information security initiatives. The risk assessment and the professional plan for training employees are highly recommended; employees must be informed and persuaded to engage in secure computing practices. Finally, the organization must adhere to the ISO security standards and pursue the additional security certifications. The organization must recognize that securing the information system is an integral part of its overall process. The information security team of every organization must strive to improve the process and be ready to provide the best defense against risks and threats.


References

  • Broderick, J. S. (2006). ISMS, security standards and security regulations. Information Security Technical Report, 11(1), 26-31.

  • Cheng, J., Goto, Y., Morimoto, S., & Horie, D. (2008, April). A security engineering environment based on ISO/IEC standards: providing standard, formal, and consistent supports for design, development, operation, and maintenance of secure information systems. In Information Security and Assurance, 2008. ISA 2008. International Conference on (pp. 350-354). IEEE.

  • Davis, D. L., & Davis, D. F. (1990). The effect of training techniques and personal characteristics on training end users of information systems. Journal of Management Information Systems, 7(2), 93-110.

  • Dhillon, G., & Backhouse, J. (2000). Information system security management in the next millennium. Communications of the ACM, 43(7).

  • ISO/IEC 17799 Part 1: Code of practice for information security management.

  • Liebenau, J., & Backhouse, J. (1990). Understanding Information: An Introduction. Macmillan.

  • Mirkovic, J., Dietrich, S., Dittrich, D., & Reiher, P. (2004). Internet Denial of Service: Attack and Defense Mechanisms (Radia Perlman Computer Networking and Security).

  • Mishra, S., & Harris, M. (2006). Human Behavioral Aspects in Information Systems Security. The 5th Information Security Conference, Las Vegas, NV.

  • Pattinson, M., & Anderson, G. (2006). Information Risk Management: Some Social-psychological Issues. The 5th Information Security Conference, Las Vegas, NV.

  • Stoneburner, G., Goguen, A. Y., & Feringa, A. (2002). SP 800-30: Risk Management Guide for Information Technology Systems.

  • Von Solms, B. (2001). Information security: a multidimensional discipline. Computers & Security, 20(6), 504-508.
