Security Breaches in UCLA - Assignment Example

Running Head: Security breaches in UCLA Your name Course name Professors’ name Date: Historical Analysis a) Definition of terms When we talk about information security breaches, we look at various important aspects and factors that can amount to a security breach. In the analysis of information security breaches we have to define these terms: Threat: This is the means by which a given computer system attack can occur. A threat depends on the existence of a particular vulnerability within the system or organization. Threat assessment tends to look at prudent practices and measures to be carried out in order to secure a system and its vital information. Threat assessment can be carried through simulated practice attacks so as to know threat outlines and come up with counter measures against these threats. In some scenarios, threat assessment focuses on the attacker’s potential to carry out an attack and the resources which could be used to execute an assault. These scenarios could be countered by ensuring that the cost of a successful attack overwhelms the cost and resources required to carry out an attack, thus making attacks costly. Threat assessment is usually carried out in order to come up with security policies that guide on information; the implementation of these policies will be significant in securing information or resources. Vulnerability: This can be defined as security faults or errors within a system that could lead to a successful attack. The assessment of vulnerabilities should be done on an on-going basis since errors either human or system occurs on a regular basis. Vulnerability assessment also helps the organization come up with security policies on how to respond to new treats and maintain security. Within an organization vulnerabilities are not technology specific and due to the ever increasing pace of technology, new vulnerabilities such as hacking and cracking are on the rise. Employees have to be trained on prudent counter measures to prevent vulnerabilities that might lead to a successful attack. Risk: It is the probability of a targeted attack being successful. It can also be defined as the extent of exposure to a given threat. Risk assessments are usually conducted to determine the immediate security measures to be undertaken; they are time constraint and have to be conducted immediately. In risk assessment we look at potential security breaches and important issues to be addressed, such as the cost of a successful attack and probability of an attack. Risk assessment helps an organization to budget on security costs and to prioritize security policies to be implemented as quickly as possible. Impact: When a security breach occurs or when a successful attack has been carried out against an organization, we look at the impact of the attack. Impact refers to cost, damage and other effects on the organization as a result of information illegal access. When we are assessing cost impacts, we have to look at business lost due to breached resources; cost of replacing stolen resources or even cost of implementing security measures and recovery of lost data and resources. Impact assessment is very critical since it enables an organization to plan on security that must be put in place; security policy to be adopted and responsible parties for the adoption of the set security measures. b) Observations The observations that were made in terms of ‘security and assurance’ issues, in relation to readiness of UCLA in implementing PDCA processes put in place can be summarized as follows. The PDCA processes are made up of four critical stages namely: Plan: This is the first step in PDCA model phase and it deals with the establishment of an information security management system. Within this phase, the activities to be undertaken include: defining an ISMS scope, defining an ISMS policy (rules on how to handle security issues). More so, we have to identify and asses security risks within the organization; how to handle or control these risks and controls on security risk management. Finally we have to prepare a document on the application or implementation this phase. The observations made on UCLA plans on this PDCA action, show that they prepared a plan of action on security issues by coming up with an information security policy as shown in its website1. This has shown that the UCLA’s CIO in consultation with other staff came up with ISMS after evaluating risks. This policy shows persons responsible for security risks and other guidelines stated in the ISMS policy. Do: The second phase of PDCA, this phase deals with the formulation of a risk administration procedure and how this hazard administration procedure is going to be executed. This phase also deals with implementation of controls that meet objectives of the risk management plan. The do activities are supposed to achieve risk management implementation as outlined in the ISMS policy of the organization. Within UCLA risk management plans that have been formulated include: Risk assessment tools as set within the UCLA’s website, in addition, they have provided for a high risk processes document and other data security controls such as access controls and physical controls which help mitigate risks. Check: Another phase of PDCA, this phase is made up of four activities which emphasize on monitoring and review of ISMS. Four processes are; execution of monitoring measures, regular review on effectiveness of the ISMS, reviews of tolerable and enduring risks; internal auditing of the ISMS at different levels. Within these phase, we have to monitor controls taken to ensure that certain risks are handled and review if these security controls taken are effective in handling risks. In UCLA security controls taken are monitored by a security officer who is responsible for monitoring and review of security controls. Act: The last phase of PDCA, it talks of implementation of improvements suggested on the ISMS and this should be conducted on a regular basis. This phase activities focus on implementing improvements of the ISMS, this is to be done by taking corrective and precautionary actions. After this is done, the results must be communicated to the right parties who must agree with these improvements. The improvements of the ISMS must meet the objectives of interested parties like management and system users. UCLA has implemented the PDCA activities according to BS 7799 part 2 which has made the University ready to handle risks and to implement security program processes such as identification and access management. Security controls taken include authentication, authorization and access controls which help the University keep log of its users and determine persons responsible for data access and manipulation. These controls prevent outside access to University data; other security measures taken by UCLA are data encryption to keep user data safe. 2. Current analysis a) Review of materials The CoBIT (Control, Objectives for Information Technology) 4.1 is a framework for IT governance within an organization. It constitutes best practices for IT management and it provides IT experts and managers with set of processes, measures and indicators to assist them in maximizing benefits to be derived from IT. CoBIT 4.1 constitutes of four domains and 34 control objectives under the 4 domains, use of CoBIT 4.1 has led to development of policies in the management of IT and best practices to be undertaken by an organization to meet its goals. Benefits accrued from CoBIT 4.1 include: Alignment of business goals and IT in the organization. Responsibilities of processes within the organization. Better relationship between different stakeholders. Better management of IT processes. The four control domains that are to be discussed are: a) Planning and organizing: - This is the first domain in CoBIT 4.1; this domain has ten IT processes falling under it which defines a strategic IT plan to be undertaken and how it should be carried out by the different employees of an organization. The processes are: PO1, Define a strategic IT plan- here we look at the needs of the organization in this case the needs of UCLA in terms of IT management and define how to handle their needs through the strategic plan. PO2, define the information architecture: - Concerned with how the information structure at UCLA is organized, here we look at how information is generated; how it’s used and stored. At UCLA there is a security program assessment program handles this process. PO3, determine technological direction: - Within the UCLA they have implemented technologies such as wireless networks as noted in its encryption final document of April, 2006. This shows the technological implementation aspects within UCLA2. PO4, define IT processes, organization and relationships: - in this case we look at all the IT processes that need to be conducted within an organization. In UCLA they have defined IT process within the campuses, how these processes are organized and relationships between processes and its users. This has been done through a work group report. PO5, manage the IT investment: - concerned with management and protection of all IT implementation within an organization. Despite the fact that there is no evidence of its implementation at UCLA. PO6, communicate management aims and direction: - this is to communicate to every stakeholder within an organization, what the management aims to achieve with use of IT, done in UCLA through the use of work group report on its website. PO7, manage IT human resources :- This process is concerned with the management of employees who work within the IT department of an organization, done by defining their roles in IT management and how they are organized in the IT department. In UCLA human resources has been managed through the University’s management guide and its work group report as shown in its website. PO8, manage quality: - This process is concerned with management of IT through use of standards in order to bring about quality. The UCLA’s way on managing quality is done through the use of management guide, this guide shows how IT resources should be handled in order to maintain quality. PO9, assess and manage IT risks: - This IT process is concerned with how to analyze risks that might occur, their effects on the organization and how to handle or manage such risks. The UCLA campus has a way of conducting this process, the risk assessment tools of UCLA helps them to mange risks and effectively operate even with existence of these risks. PO10, manage projects: - This is the last process within the first domain, this process is concerned with project management, the process covers on how to plan, implement and manage IT projects. Project management is concerned with organization of resources in order to implement a certain task; at UCLA their policies help them in project management since it handles various parts of the University such as resources, work guide report and major IT security issues. b) Acquisition and implementation: - This domain covers on areas of identification of the organization’s IT requirements, acquisition of technology and implementation of these technologies in order to meet the business objectives of the organization. The domain mainly focuses on the IT management plan in order to extend the life and use of IT systems within the organization. Below are process within this domain: AI1, identifies automated solutions: - This IT process is concerned with the looking for automated solutions that help the organization deal with its problems. Such solutions include implementation of ERP solutions or security solutions3. The UCLA campus has agreements with different vendors of automated solutions; these vendors have supplied the campus with automated solutions. This is evidenced by the ‘GLBServiceProviderAddendum_v13.DOC’ agreement document at the University’s website. AI2, acquire and maintain application software: - This process is concerned with the acquisition of software’s necessary to run hardware machines and achieve certain functions. The UCLA has purchased this software’s, such as encryption software’s this is evidenced by existence of an ‘EFTPCSecurity-5-2006_Final.doc’ document which guidelines on configurations of processes. AI3, acquire and maintain technology infrastructure: - This process deals with the acquisition of a technological infrastructure, technological infrastructure such as a physical and logical networks will be used in supporting the IT framework within the organization. UCLA runs on highly effective network, this is seen though existence of a wireless networks in the University thus an added advantage within the University. AI4, enable operation and use: - This process is all about operating the IT solutions which have been acquired by putting these resources into the required use or purpose. The UCLA University has been using IT resources it has acquired into varied required functional uses. AI5, procure IT resources: The process of procuring IT resources deals with employing of human resources and employing other resources needed to run the IT infrastructure. Within UCLA the existence of online security training shows that they have human resources needed to control IT resources in the University. AI6, manage changes: - The process of change management concerns how to handle activities due to changes in the IT environment within an organization. UCLA has online security training programs and they do conduct user education frequently. These programs are geared towards managing change in the University in order to handle different situations. The ‘elecinfo_assessment.xls’ document of UCLA is a document which shows different processes and their expected outputs with set deadlines. AI7, install and accredit solutions and changes: - This process is concerned with the installation and acceptance of the solutions in use, however these solutions have to be monitored. Changes to the system have to be well thought and accepted by experts within the organization. The recognition process of solutions at UCLA is between vendors and the University who have recognized certain solutions that are necessary for them to acquire and use. c) Deliver and support: - This is one of the important domains within the CoBIT 4.1; this domain consists of 13 processes which focus on these areas, execution of applications necessary within the IT environment of the organization. The domain also focuses on the results of this applications and support processes that lead to efficient and effective IT systems. Such processes include training program and security concerns. Below are IT processes within this domain: DS1, define and manage service levels: - This process is concerned with the identification and management of service levels i.e. at what intervals will the system need to be repaired or be maintained, the sectors to be maintained and how will the service be managed. The UCLA has defined such service levels in its ‘EFTPCSecurity-5-2006_Final.doc’ document. DS2, manage third party services: - In this process, the organization undertake activities which manage third party services such as maintenance and updating of software solutions which are non- core activities of the University. At UCLA this process is taken care of by agreements with vendors who manage these third party services. DS3, manage performance and capacity: - This process is all about the management of how the system will perform and capacity the system has to handle various activities. Within these processes, performance factors such as speed, storage and errors have to be looked at in a proper way. DS4, ensure continuous service: - This process is geared at ensuring that the system continues to run effectively without any errors or glitches. This is done by regular servicing of IT equipment and updating software solutions, at UCLA this process is conducted by vendors and agreements with suppliers. DS5, ensure systems security: - This process deals with ensuring that the security within the system is upheld, done through security controls being put in place such as access controls. Within the UCLA security measures that have been taken include online security training and security incident handling as shown in its website, these measures are implemented to ensure there is better IT governance. DS6, identify and allocate costs: - This process in concerned with the identification of applications or solutions needed and security measures to be undertaken, thus we have to allocate costs to ensure that these measures are undertaken effectively. The UCLA has policies in procuring for applications and it has signed vendor agreements, as a result this process has been undertaken well. DS7, educate and train users: - This is an important process that focuses on training and education of users on how to undertake and manage IT activities within an organization. At UCLA there is an online security training program and other program that ensure users are trained on IT governance. DS8, manage service desk and incidents: - This process focuses on management of simple user tasks at the user terminal and incidents which occur when using IT systems. The UCLA has a policy on handling of service task and incidents, it has a dedicated security officer to handle these incidents and in its website, there is a security handling module which gives directions on handling of security incidents within the University. DS9, manage the configuration: - This process is geared towards the handling of arrangement of different IT equipments. For example network configurations can be conducted by a system administrator. The UCLA has several system administrators as shown by the ‘elecinfo_assesment.xls’ document, which shows administrators for each different department such as medical centers and campuses. DS10, manage problems: - Problems within the organization are varied and of different natures, thus this process aims at managing such problems. Within the UCLA problems are quite many, such as access problems that can be controlled by proper staff training and risk assessments. The UCLA security programs have design mechanisms of handling problems in this process. DS11, manage data: - When new talk of data management we look at issues such as storage of data, keeping data safe from intrusion and other data related issues. Within the UCLA data management has been undertaken through securing of data by encryption guidelines and methods employed by the University. The University has a log management system to trace on data handling and responsible parties. DS12, manage the physical environment: - The physical environment is the location where all IT resources and human resources interact in order to achieve certain objectives. We must be able to manage the physical environment in order to achieve the goals of the organization in an effective manner. This approach has been undertaken by UCLA in designing programs such as safe computing and academic computing services which have made the physical environment conducive for IT activities. DS13, manage operations: - Management of operation consists of all activities that are necessary in ensuring smooth operations in the organization. Operations that need to be managed include security controls, risk assessment, work policy and other operations. At UCLA they have campus policies which ensure that different departments have their own security, risk and data management policies which help the campuses manage their own operations. d) Monitoring and evaluation: - This is the last domain in CoBIT 4.1, this domain handles processes which assess the organization goals and whether the current systems in place address the organization’s strategies and needs according to purpose of their design. Monitoring deals with evaluation of organization’s IT system effectiveness, conducted by external and internal auditors to determine ability to satisfactorily meet the business goals and objectives of the organization. Below are processes in this domain. ME1, monitor and evaluate IT processes: - This process is conducted in order to scrutinize the IT processes which are important and crucial in meeting the organization’s objectives. These processes have to be evaluated against certain measures such as cost, reliability; within UCLA there is a monitoring and evaluation process, where they monitor processes and evaluate to come up with policies. This is evidenced by the management guidelines set and supported by the University’s proposed policy4. ME2, monitor and evaluate internal control: - This phase deals with the examination of internal controls of the organization, such as roles of different employees and IT management guidelines. These controls must be constantly appraised in order to achieve better IT governance. In UCLA, IT governance policies such as work group report and management guide ensure that the University handles its IT resources prudently5. ME3, ensure regulatory compliance: - Regulatory compliance in IT is very important; regulations help an organization to conduct its operations within set laws or industry specifications. At UCLA regulatory compliance is adopted and followed by use of security program assessments and policies which are in line with set industry guidelines6. For example, data security is managed according to ISO 17799 standards at UCLA. ME4, provide IT governance: - This process is concerned with provision of an agreed strategy and policy on management of IT resources within the campus. IT governance issues include security management, IT infrastructure management and other IT related issues. Governance is all about setting controls for all IT processes and in UCLA governance has been achieved by the use of policies and guidelines put in place to ensure IT resources are managed prudently. Below is a figure to show the assessment of CoBIT 4.1 processes within UCLA and their implementation levels. COBIT DOMAIN 1 2 3 4 5 6 7 8 9 10 11 12 13 Plan and Organize 3 3 3 4 2 3 3 3 4 3 - - - Acquire and Implement 2 3 3 3 3 2 3 - - - - - - Deliver and Support 3 2 3 3 4 3 4 3 4 3 4 3 3 Monitor and Evaluate 3 4 3 3 - - - - - - - - - The labels 1 to 5 are explained below to show if the implementation was well conducted. 0 Ignored – Here is no existence of any processes, the University did not identify any issues. 1 Poor execution – The University recognized presence of issues which needed addressing, however the way they were executed was poor. Execution is based on individual level and execution is limited to the problem. 2 Arranged and managed- The processes have been recognized and here there is high level on reliance on individual competences. Within this level, errors are prone to be found. 3 Well described and discussed – Within this level the issues are well understood and documented. The execution of the procedures is done through training. The procedures are common practices which are not difficult to handle. 4 Administered and quantifiable – The management closely monitors these procedures and put measures on the results. The results are critical for the continual improvement of measures. Automation and other tools are used in the procedure on limited basis. Shows that the process does not exist in the CoBIT 4.1 domain. 1) B) ISO 17799 sections 5-15 The ISO 17799 section 5-15 covers a wide range of issues to deal with security within an organization. Each section of ISO 17799 deals with different security issues as discussed below. Section 5:- This section talks of information protection and handling through various means such as: Classification of information owners, inventory of all information, information classification procedures such as labeling. Within the UCLA, information protection mechanisms taken include, some data being marked restricted and protection of this data as shown in the University website. Section 6:- This section touches on issues to deal with employee recruitment and how employees should handle security concerns within the organization. In this section we look at controlling recruitment process through offering non-disclosure contracts, doing employee background checks. Security training programs is also a part of this section, at UCLA these programs have been implemented through online security training programs and security incident reporting techniques within the University as evidenced by this site. Section 7:- This section is made up of three important activities which need to be carried out in order to conform to this standard. We should first use secure areas to protect facilities such as equipments and we should come up with strategies of accessing these secure areas. The second activity is to protect equipment from hazards such as security hazards like securing power cables. The last activity is the control of access to information and property. The UCLA campus has taken these measures by setting controls against property and information through set guidelines in the ‘elecinfo_assessment.xls’ document7. Section 8:- This is the largest section in the ISO 17799 and covers on several issues that include: operational procedures; development plans for future capacity building; protection against malicious software; establishing back-ups; safeguarding of computer networks, protection and controlling of computer media and control of inter-organizational exchanges. Within UCLA these controls have been implemented although not in full scale, some of the controls implemented include configuration guidelines and safeguard of computer networks. Section 9:- This section is concerned about access rights, how to control access rights or how to protect networks by use of access rights. The protection of computer resources by use of access rights should be restricted to the operating system level and other protection techniques such internal network controls are found in this section8. Within UCLA these controls are controlled by the IT department and security policies set in its website. Section 10:- This section is concerned with system development and maintenance; it deals with the development of systems which will be used to effectively run the organization and how to maintain these systems. Within UCLA they have agreements with vendors to supply solutions for use in the campus and these solutions are maintained by vendors but the University employees are trained on operation and maintenance of these systems. Section 11:- In this section we look at business continuity management, these are issues that deal with how IT will be used to achieve, maintain business goals and strategies of the business. In UCLA they have management guide and policies which ensure business continuity and management of policies to achieve their business goals. Section 12:- This section is usually seen as the last section of ISO 17799 and its covers on compliance issues such as legal and regulatory laws. In this section we usually look at compliance with legal requirements such as security requirements, property rights and data processing facilities. This section also deals with keeping security and operational audits, such activities include keeping logs, cryptographic checks and controls. At UCLA they have a system of keeping user logs and data encryption techniques as a form of data protection. The assessment of ISO 17799 can be summarized by the table below showing levels of implementation at UCLA. ISO 17799 SECTIONS 1 2 3 4 5 6 7 Section 5 3 3 - - - - - Section 6 3 4 3 - - - - Section 7 3 3 4 - - - - Section 8 3 2 4 4 3 4 2 Section 9 3 4 3 3 3 - - Section 10 3 4 3 - - - - Section 11 3 3 2 3 - - - Section 12 3 4 4 - - - - The labels 1 to 5 are explained below to show if the implementation was well conducted or not. 0 Ignored – There is no existence of any processes, the University did not identify any issues. 1 Poor execution – The University recognized presence of issues which needed addressing, however the way they were executed was poor. Execution is based on individual level and execution is limited to the problem. 2 Arranged and managed- Here processes have been recognized and here there is high level on reliance on individual competences. Within this level errors are prone to be found. 3 Well described and discussed – Within this level the issues are well understood and documented. The execution of the procedures is done through training. The procedures are common practices which are not difficult to handle. 4 Administered and quantifiable – The management closely monitors these procedures and put measures on the results. The results are used to continuously improve the procedures. Automation and other tools are used in the procedure on limited basis. Shows that the section does not exist. Read More