Asset Inventory - Essay Example

Summary
The paper "Asset Inventory" tells us about Employment Development Department (EDD). It provides services to millions of people under the Disability Insurance program which is a complex task requiring complete security to its clients…

Extract of sample "Asset Inventory"

Asset Inventory

Table columns: Asset ID; Asset; Asset Value; Priority; Threat; Controls in Place; ARO; Uncertainty; Risk Value; Controls Needed; Action Plan ID

1. People
Asset: System administrators (trusted employees). Key Persons Dependency (Poor Systems Administration Patterns)
Asset Value: $1,000,000
Priority: critical
Threat: Unavailability of the system
Controls in Place: IT Security Roles and Responsibilities
ARO / Uncertainty / Risk Value (values as listed): Medium 0.7; Low 0.05; 0.3; Low; $19500
Controls Needed: Project Management Standard; Access Control Standard
Action Plan: Availability of role-specific assistance when need arises.

Processes
Asset: IT and business sensitive procedures involving Transmission of Critical Data. Capture of clear text data
Asset Value: $10,000,000
Priority: low
Threat: Malicious use, system compromise and unauthorized access
Controls in Place: Encryption Usage Standard
ARO / Uncertainty / Risk Value (values as listed): High 0.8; Medium 0.1; 0.2; Moderate; $240,000
Controls Needed: Security Audit Standard; Account Management Procedure
Action Plan: Avoid transmission of unencrypted sensitive data

Software
Asset: Application and Operating system software. Exploitation of faults in application and operating system software
Asset Value: $2,000,000
Priority: High
Threat: Malicious use, Unauthorized use and System compromise
Controls in Place: Change Management Standard
ARO / Uncertainty / Risk Value (values as listed): High 0.8; Low 0.05; 0.2; LOW; $24,000
Controls Needed: IT System Interoperability Security Standard
Action Plan: Patches and updates from reliable sources

Hardware
Asset: Internal server. Hardware Issues/Equipment Failure or loss. Loss or theft of data from server
Asset Value: $8,000,000
Priority: Vital
Threat: System Unavailable
Controls in Place: Data Backup and System Restore Standard
ARO / Uncertainty / Risk Value (values as listed): High 0.8; Low 0.05; 0.2; LOW; $96,000
Controls Needed: Continuity of Operations Planning Standard
Action Plan: Equipment failure is addressed by design, policy or the stated practice.

Databases
Asset: Inadequate Database Support. Data corruption or loss
Asset Value: $500,000
Priority: critical
Threat: Computer crime, system compromise, unauthorized access
Controls in Place: Data Storage Media Protection Standard
ARO / Uncertainty / Risk Value (values as listed): Medium 0.7; Low 0.05; 0.3; Low; $9750
Controls Needed: Remote Access Standard; Project Management Standard
Action Plan: Maintenance of databases is sustained and supported at appropriate security levels

Data
Asset: Disclosure. Disclosure of sensitive personal information issues.
Asset Value: $100,000,000
Priority: low
Threat: Malicious use, system compromise, unauthorized access
Controls in Place: Data Classification Standard
ARO / Uncertainty / Risk Value (values as listed): Medium 0.7; Medium 0.1; 0.3; MODERATE; $390,000
Controls Needed: Acceptable Use Standard
Action Plan: Data is made known only to individuals who have a true operational need for the data.

Asset Inventory

Introduction

An IT-oriented company is more prone to information security risks than a regular institution. The company under consideration, the Employment Development Department (EDD), provides services to millions of people under the Disability Insurance program, which is a complex task requiring complete security for its clients. The company also offers other services such as Unemployment Insurance, payroll taxes audit and collection, and labor and workforce information, among others, serving a workforce of over 15 million individuals. The company's information assets inventory is conducted using the Asset Inventory and Risk Assessment table, which shows threat analysis for some selected assets, their associated threats, the top risks faced by the company and the strategies taken to mitigate them. The strategies ensure achievement of goals and management of risks, make use of resources, and carefully assess the achievement of the information assets security program. Information assets for the company entail all aspects of information, be it spoken, written, printed or electronic. They also cover information handling, which involves information creation, viewing, storing or transporting.

The information assets that exist in the Company

Information assets for this agency encompass hardware / physical devices that include computer equipment, the internal server and removable media such as key drives, data CD/DVDs and portable (external) hard drives. Software applications, operating systems, development tools and utilities are also included in the information asset inventory.
Processes in computing and transmission of critical data (communications), information databases, system documents and standards, and filed information are integral components of the asset inventory. In addition, human resources, especially system administrators, are regarded as information assets.

The top risks faced by the company and the strategies considered in mitigating them

The focus of management efforts is primarily on risks that have high probabilities of happening. It is of great importance to create a comprehensive list of information assets and their associated risks, vulnerabilities and threats.

Identification of Vulnerabilities

As in any other organization, identification of vulnerabilities of information assets includes: interviews with the information asset owners and EDD personnel (both operational and technical support); deployment and use of the automated tool; and the review of vulnerabilities noted in the Risk Assessment performed at an earlier time.

Identification of Credible Threats

According to Landoll (2011), a threat is an event that has a negative impact on the organization's information assets and comprises two elements, namely the threat agent (threat source) and the undesirable event (threat action). A threat agent is any person or thing that may cause a threat to happen, while an undesirable event is an action caused by a threat agent and considered undesirable if it poses a threat to a protected asset (Landoll, 2011, p. 125). Credible threats to the information assets were identified by: reviewing the previous risk assessment on information assets and examining the threat trends of the past few years; interviewing the information asset owners and System Administrators with the aim of getting credible information about asset-specific threats; and using the automated tool to identify threats to the information assets.

Credible threats identified that are associated with Information assets

The following potential threat-sources and associated threat actions were identified.

Threat actions posed by hackers are:
i. Unauthorized system access
ii. Social engineering
iii. System intrusion, break-ins
iv. Web defacement

Computer criminals can cause threats through:
  • Cyber-Terrorism
  • Spoofing
  • Identity theft
  • System intrusion

People within the EDD circles (dissatisfied, careless, fraudulent, malicious, terminated or poorly trained employees) also pose daunting threats by engaging in activities such as:
1) Fraud/Embezzlement
2) Unauthorized system access
3) System bugs and flaws
4) Malicious code (virus, malware or spyware)
5) Disclosure of sensitive data (personally identifiable information)

On the environmental dimension the threats include:
  • Fire
  • Hardware Failure
  • Power Loss
  • Network Communication Failure
  • Electromagnetic Interference
  • Natural disaster

Identification of Risks

This activity begins with identification of information assets. Risks were identified for the information assets by matching the noted vulnerabilities with threats that might exploit them. This pairing of vulnerabilities with threats is documented in the matrix.

Control Analysis

Control analysis covers the security controls that need to be implemented as well as the controls that are in place for the information assets. The security controls match the requirements of the Policy and Standard. Due to the vast network of clients and stakeholders of EDD, there is a vulnerability of data disclosure. The revealing of sensitive personal information could result in identity theft and/or system access control issues. Threats associated with data disclosure are malicious use, unauthorized access, computer crime and system compromise. As a result there is a risk to the confidentiality and integrity of corporate data.
As for control, the Data Classification Standard is in place and requires that data be made known only to individuals who have a true operational need for the data. The Acceptable Use Standard control is needed for an effective action plan.

Jones and Ashenden (2005) hold the view that current software in use is increasingly complex and that it takes just one minor weakness that has not been noticed and resolved in a particular information system to create a vulnerability to exploitation and attack for users. As systems have become more interconnected, a weakness in one system can cause adverse effects in all other systems (Jones & Ashenden, 2005, p. 150-151). An example of a vulnerability in the software category of information assets is delayed application of new patches to operating systems and applications to fix flaws in security design. Exploitation of these security flaws in application and operating system software could result in compromise of the confidentiality and integrity of data. Patches are installed and in place to correct flaws in application software, together with implementation of operating systems that are difficult to hack, such as Solaris (a UNIX-based operating system). The Server Management Standard requires that operating system changes be applied after undergoing a risk-benefit analysis. The Malicious Code Protection Standard and the IT System Interoperability Security Standard are needed for complete control. Threat detection controls such as Intrusion Detection Systems and Intrusion Prevention Systems require close monitoring of critical patch releases. The survey on EDD shows that there is inconsistent compliance with these procedures. Implementation of firewalls at different levels mitigates the risk of gaining access to the internal EDD network. An EDD firewall protects the Internet connection of all information assets, while a Data Center firewall shields the Data Center network.
It is also noted that dial-in access is fixed and strictly controlled for both external users and internal users (employees), who still pose a significant threat. During the process of data transmission, the login encryption setting is not well configured. This flaw forms a vulnerability which can be exploited by a computer criminal and might compromise the confidentiality and integrity of corporate data. This possibility constitutes a threat. This vulnerability-threat match combines to create a risk that data may be disclosed. As noted in the survey, the effectiveness of controls requiring encryption of passwords is low, as these controls have not been complied with. Physical security controls that are in place limit the exploitation of this vulnerability, hence the capability of the threat source is consequently low. The action plan for data transmission requires that all data is encrypted, as the organization is in the process of completing Interoperability Security Agreements with all stakeholders communicating with these EDD systems. Encryption Usage, Data Classification and Acceptable Use standards are in place to avert the capture of clear text data that could result in identity theft and system access control issues.

The skills and expertise of the operational and technical team of EDD ensure the success of the core business processes of the organization. Moreover, the loss of a key person could result in inadequate system applications support and cause system downtime if a software-related flaw occurred, or the inability to maintain the EDD system's functionality. Equally important, poor administration practices as a result of dependency on key persons could lead to compromise of the system and expose corporate data to the risk of loss of availability, confidentiality or integrity. The IT Security Roles and Responsibilities control in place ensures effective management of human information assets in the organization. It governs the human resources involved in the functionality of the EDD information systems.
Project Management and Access Control standards need to be strengthened.

Another dimension of information assets is hardware such as servers. From the Asset Inventory and Risk Assessment Table Matrix, the priority of hardware information assets is vital, and hardware is among the main factors that should be considered by information management for better service delivery. As revealed in the matrix, loss of hardware or equipment would result in the entire system or some portion of the system being unavailable, leading to compromise of the confidentiality and integrity of data. Inability to access the EDD information systems and recover corporate data may be the result of server breakdown. As a mitigation of risks associated with hardware failure, Continuity of Operations Planning and IT System & Data Backup & Restoration standards are in place. Internal server access from outside the Company premises is strictly regulated based on the Access Control Policy. The controls needed include IT Disaster Recovery Planning, which is currently being updated as a result of the recovery during the continuity of operation planning exercise; completion is expected soon. Recovery of the EDD information systems will be reviewed during the next risk assessment exercise scheduled for a later date. Hardware issues such as equipment failure are conclusively addressed by the design, policy or stated practices.

Conclusion

Landoll (2011) takes the stand that asset valuation is a required component in determining critical information systems and the ultimate effect on the organization if the information asset is compromised (Landoll, 2011, p. 120). In EDD, mission-critical and real-time processes entail capturing an ever-flowing sea of data. As a result, the EDD has organized and stored data in a special way allowing intuitive and easy accessibility, thus enabling evaluation and implementation of the risk assessment findings effortlessly.
The EDD fraternity uses thousands of connected computers whose value is considered to be that of storage equipment for data. These large numbers of computer devices provide value by having contents that can be easily used when shared across networks as information. There are significant benefits from the existence and use of information in EDD, as it enables a thorough understanding of the business functions through the determination of which information is crucial, its influence in decision making, when to make decisions, and the information available for decision making. On a parting note, information processing definitely has an effect on how work is organized.

Work cited

Jones, A., & Ashenden, D. (2005). Risk management for computer security: Protecting your network and information assets. Amsterdam, Netherlands: Elsevier Butterworth-Heinemann.
Landoll, D. J. (2011). The security risk assessment handbook: A complete guide for performing security risk assessments. Boca Raton, FL: CRC Press.
McGill, W. L. (2008). Critical asset and portfolio risk analysis for homeland security. College Park, Md: University of Maryland.
Smith, C. L., & Brooks, D. J. (2013). Security science: The theory and practice of security. Amsterdam: Elsevier, BH.
Stamp, M. (2006). Information security: Principles and practice. Hoboken, N.J: Wiley-Interscience.