Risk Management of UAE Academy - Case Study Example

Summary
This case study discusses risk management, a vital discipline for every organization in achieving its goals and objectives. Information system risk management has become more important, particularly with the ever-changing risk climate.

Risk Management Plan

Managing risk is a vital discipline for every organization in achieving its goals and objectives. Because information systems are critical assets, information system risk management has become more important, particularly in an ever-changing risk climate. The risk management process itself must be periodically reassessed so that it keeps improving. The risk management framework for UAE Academy addresses, in turn, its purpose, the risk process, risk identification, risk analysis (qualitative and quantitative), risk response planning, and risk monitoring, control and reporting.

Risk Management Process

The risk manager of UAE Academy will work with the key stakeholders to ensure that risks to critical assets, networks and databases are actively identified, addressed and managed. Risks should be addressed as early as possible to limit the impact of a threat later on. Alongside the initial assessment, the risk manager will run a periodic risk management program so that risks are addressed on a continuous basis rather than once.

Identifying Risk

Risk identification is a joint effort. UAE Academy wants to protect its data network, its email services and its shared storage resources, and to defend against threats arriving from the web and other external sources, so the process involves the key stakeholders and system owners in identifying the risks to their own systems and applications. A risk register (risk management log) must be maintained electronically at a defined location.

Risk Analysis

This process measures the impact of each identified risk using quantitative or qualitative analysis. Quantitative risk analysis uses numeric values, such as the cost of information assets.
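As an added worked example that is not part of the original case study, the following Python implements the quantitative side of this analysis using the template that follows (Figures 1.1 to 1.4): each asset is valued 1-3 for confidentiality, integrity and availability, likelihood and impact are scored 1-5, and Risk Exposure = Asset Value x Likelihood x Impact Level. It validates the scores against those scales, ranks the register by exposure and maps each risk to one of the four response options. The sample threats, the response thresholds and the rule that an asset scored 3 on any of C, I or A is always mitigated are assumptions made for the example.

```python
"""Risk register calculator for the risk assessment template (Figures 1.1 to 1.4).

Added example; it is not part of the original case study. The scale ranges
(C/I/A valued 1-3, likelihood 1-5, impact 1-5) and the formula
Risk Exposure = Asset Value x Likelihood x Impact Level come from the template.
The sample register and the response thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

ASSET_SCALE = range(1, 4)   # Figure 1.1: 1 = loss acceptable, 3 = preventive measures needed now
LEVEL_SCALE = range(1, 6)   # Figures 1.3 and 1.4: 1 = very low ... 5 = very high


@dataclass(frozen=True)
class Risk:
    threat: str
    affected_asset: str
    c: int            # confidentiality value, 1-3
    i: int            # integrity value, 1-3
    a: int            # availability value, 1-3
    likelihood: int   # 1-5
    impact: int       # 1-5

    def __post_init__(self) -> None:
        # Reject values outside the template's scales instead of silently scoring them.
        for name, value, scale in (("c", self.c, ASSET_SCALE),
                                   ("i", self.i, ASSET_SCALE),
                                   ("a", self.a, ASSET_SCALE),
                                   ("likelihood", self.likelihood, LEVEL_SCALE),
                                   ("impact", self.impact, LEVEL_SCALE)):
            if value not in scale:
                raise ValueError(f"{name}={value} is outside {scale.start}-{scale.stop - 1}")

    @property
    def asset_value(self) -> int:
        # Figure 1.2: Asset Value = C + I + A
        return self.c + self.i + self.a

    @property
    def exposure(self) -> int:
        # Figure 1.4: Risk Exposure = Asset Value x Likelihood x Impact Level
        return self.asset_value * self.likelihood * self.impact


def response_option(risk: Risk, mitigate_at: int = 60, accept_below: int = 20) -> str:
    """Pick one of the template's four response options.

    Assumed rule: any asset scored 3 on C, I or A (loss not acceptable) is
    mitigated regardless of exposure; otherwise exposure >= mitigate_at is
    mitigated, exposure < accept_below is accepted, and the band in between is
    left to the asset owner to decide between transfer and avoidance.
    """
    if 3 in (risk.c, risk.i, risk.a) or risk.exposure >= mitigate_at:
        return "mitigate"
    if risk.exposure < accept_below:
        return "accept"
    return "transfer or avoid (owner decision)"


def rank_register(register: List[Risk]) -> List[Tuple[str, str, int, int, str]]:
    """Return (threat, asset, asset value, exposure, response), highest exposure first."""
    rows = [(r.threat, r.affected_asset, r.asset_value, r.exposure, response_option(r))
            for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register: the three threats named in Figure 1.2 plus one more.
SAMPLE_REGISTER = [
    Risk("Unauthorized access", "student records database", c=3, i=3, a=2, likelihood=3, impact=4),
    Risk("Virus attacks", "staff workstations", c=2, i=2, a=2, likelihood=4, impact=3),
    Risk("Poor system performance", "email service", c=1, i=1, a=2, likelihood=3, impact=2),
    Risk("Single disk failure", "shared storage (RAID)", c=1, i=2, a=2, likelihood=2, impact=1),
]

if __name__ == "__main__":
    for threat, asset, value, exposure, response in rank_register(SAMPLE_REGISTER):
        print(f"{exposure:4d}  {value}  {response:<36} {threat} / {asset}")
```

Running it prints the register with the highest exposure first. Because the three scores are multiplied, a single 5 on likelihood or impact moves a risk several places, which is why the validation step matters: an accidental 0 or 10 entered in the log would silently distort the whole ranking.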
Qualitative risk analysis deals with intangibles such as organizational reputation and customer satisfaction, for example the university ranking of UAE Academy. A data classification scheme must be defined at this point so that the analysis is effective; the scheme is defined by the application and system owners, since they have the best insight into their own systems. Risk assessment is carried out against the three fundamental properties of information security: confidentiality, integrity and availability (C/I/A). Once a risk has been assessed, there are four response options: risk transfer, risk acceptance, risk avoidance and risk mitigation. A risk assessment template is shown in Figures 1.1 to 1.4.

Figure 1.1 Asset valuation scheme
  Scale 1: Loss of C/I/A is acceptable.
  Scale 2: Loss of C/I/A is acceptable; if it occurs, a workaround can be arranged.
  Scale 3: Loss of C/I/A is not acceptable; preventive measures are needed immediately.

Figure 1.2 Risk assessment
  Columns: Threat name; Affected assets; C, I, A (each valued on the scale of Figure 1.1); Asset value = C + I + A; Likelihood of occurrence (Figure 1.3); Level of impact (Figure 1.4); Risk exposure; Countermeasures / controls.
  Threats listed for assessment: Poor system performance; Virus attacks; Unauthorized access.

Figure 1.3 Likelihood of occurrence levels
  1 Very low; 2 Low; 3 Medium; 4 High; 5 Very high.

Figure 1.4 Impact classification levels
  Potential business impacts: business operational and financial impact; legal and regulatory obligations; loss of reputation; personal information.
  Levels: 1 Very low; 2 Low; 3 Medium; 4 High; 5 Very high.

Risk calculation formula: Risk Exposure = Asset Value x Likelihood x Impact Level. With the scales above, asset value ranges from 3 to 9 and exposure from 3 to 225; the higher the score, the sooner the risk needs a response.

Disaster Recovery Plan

Figure 1.5 Disaster recovery plan
Each scenario is recorded with its likelihood and impact, how it is detected, the immediate and later actions, the effect on users, and the mitigation or contingency in place.

Single disk failure
  Likelihood and impact: Medium. Detection: Warning.
  Immediate action: Replace the failed disk. Later action: Order new disks; have the failed disks destroyed.
  Effect on users: None. Mitigation and contingency: Monitor RAID volumes; keep replacement drives available.

Unauthorized access
  Likelihood and impact: Low. Detection: Periodic auditing of system and application logs.
  Immediate action: Restore modified content; repair the security breach. Later action: Determine the root vulnerability.
  Effect on users: Low. Mitigation and contingency: Determine and repair the root vulnerability.

Data loss
  Likelihood and impact: Low. Detection: Warning.
  Immediate action: Restore data from hot or offsite backup. Later action: None necessary.
  Effect on users: Users will not have access to their data. Mitigation and contingency: Hot and offsite backups in place.

Software failure (for each key piece of software used)
  Likelihood and impact: Medium. Detection: Warning.
  Immediate action: Update/repair the software. Later action: Update/repair the software.
  Effect on users: Users will not have access to the software. Mitigation and contingency: Update software to the latest stable version.

Multiple machine failure
  Likelihood and impact: Low. Detection: Warning.
  Immediate action: Repair the machine, or replace it with the hot backup machine. Later action: Repair or replace the machine; order a new hot backup machine.
  Effect on users: Low (failover); performance will be reduced. Mitigation and contingency: Monitor machine health with Nagios.

Software failure
  Likelihood and impact: Medium. Detection: Warning.
  Immediate action: Update/repair the software. Later action: Update/repair the software.
  Effect on users: Low, or no access to the software. Mitigation and contingency: Update software to the latest stable version.

Capacity overload
  Likelihood and impact: Medium/High. Detection: Warning.
  Immediate action: Bring on additional (hot backup) servers (5 hours); check the power load of the new servers. Later action: Allocate additional power as part of the data center agreement.
  Effect on users: Performance degradation. Mitigation and contingency: Monitor capacity.

Loss of building through fire, flood, etc.
  Likelihood and impact: Low. Detection: Warning from hosting providers.
  Immediate action: Move the application to the (hot) backup data center (5 hours). Later action: Move back to the primary data center when available.
  Effect on users: No access to the software. Mitigation and contingency: n/a.

Local network failure
  Likelihood and impact: Low. Detection: Warning.
  Immediate action: Repair the network or replace switches (hot), or move to the backup data center (5-10 hours). Later action: Replace the failed hardware.
  Effect on users: No access to the software. Mitigation and contingency: Hot backup data center and hot backup switches in place.

Power failure (generator down at data center)
  Likelihood and impact: Low. Detection: Warning; warning from hosting provider.
  Immediate action: Move the application to the (hot) backup data center (5 hours). Later action: Move back to the primary data center when available.
  Effect on users: No access to the software. Mitigation and contingency: Hot backup data center in place.

Loss of Internet connection
  Likelihood and impact: Medium. Detection: Warning.
  Immediate action: Switch to the (hot) backup T1 connection (5 hours). Later action: Switch back to the primary T1 once it is enabled.
  Effect on users: No access to the software. Mitigation and contingency: Hot backup T1 connection in place.

Business Continuity Plan

Figure 1.6 Business continuity contacts
  Columns: Name; Telephone number; Alternate number; Other; E-mail.
  Roles to fill in: Business continuity coordinator; 1st alternate; 2nd alternate.

Figure 1.7 Business functions/processes
  Columns: Department; Business function; Maximum allowable outage; Impact; Dependencies (will other business processes cease if this one is not operating?).

Figure 1.8 Identification and evaluation of scenarios, risks, events and threats
  Columns: Scenario, risk or threat; Description; Impact on mission-critical functions/processes; Mitigating activities/strategies; Additional activities/strategies to be considered; General strategy options for recovery; Does the scenario warrant a business continuity plan? (Yes/No).
  Worked row: Fire leading to a loss of building and contents
    Description: Isolated building loss; utilities and University-supported network services are intact at other campus locations. Examples include information technology: data loss; servers not recoverable.
    Impact on mission-critical functions/processes: 20% reduction in service (due to multiple service locations); halt of all operations (when all services are provided within the same area).
    Mitigating activities/strategies: Backup tapes stored offsite; vital records stored electronically/off-site.
    Additional activities/strategies to be considered: Implement a process to perform a backup restoration.
    General strategy options for recovery: Relocate IT services to Department ___. Exercise the emergency rental agreement for server and workstation recovery to restore departmental operating capacity to 20%.
  Other scenarios may include flooding and storms that lead to the loss of utilities, loss of network, etc., with backup generators and manual workaround procedures as mitigations; documentation of backup generator testing should be maintained centrally.

Implementing an Information Security Awareness Program

Even if an organization has reached its desired state, with information security governance at the optimum level and efficient, resilient information security procedures, threats from people still cannot be prevented altogether. An information security culture, awareness and training are required because people are the biggest risk (ISACA, 2011): a risk that cannot be eliminated but can be reduced to an acceptable level, with the remainder treated as residual risk. The requirements highlighted in the case study indicate that a security education, training and awareness program for faculty, staff and students is essential. Many information technology awareness models emphasize aspects of information security and related risks. NIST SP 800-16 is the most suitable model here; it is built on the Instructional System Design (ISD) model, and the IT security awareness program it describes demonstrates best practices for instructional security awareness, training and education programs (SANS InfoSec Reading Room, n.d.). The model also reflects the requirements of many federal regulations. Awareness is not meant to provide guidelines to follow; it is a briefing or presentation that addresses a broad spectrum of users. NIST SP 800-16 defines three discrete levels of IT security training: beginning, intermediate and advanced (SANS InfoSec Reading Room, n.d.). The beginning level focuses on novice users and provides foundation-level training for staff to support performance in a specific security role. Training at the intermediate level aims to deepen trainees' knowledge and skills in information security.
The intermediate level addresses both users with foundation knowledge and those with specialized knowledge. The advanced level is for the IT security professionals and technicians working for UAE Academy, who apply the skills and knowledge gained at levels one and two.

Specifying the Target Audience

The first step is to identify the audience and divide it into a technical and a non-technical group. The technical audience includes the information system security officer, information security manager, security analysts, security officers, network administrators, system administrators, database administrators, system programmers and application programmers (SANS InfoSec Reading Room, n.d.). The non-technical audience includes executive managers; departmental managers such as the IT manager, network operations manager and database managers; system owners such as those of the databases, the wide area network and the local area network; and other personnel who may be involved. As mentioned earlier, the internal staff of UAE Academy pose a significant security risk because most of them have administrative access to the systems and to the Internet. Training will make internal staff aware of, and educate them about, the impact of the risks associated with their access; in particular, it mitigates risks related to access management. Because technology advances rapidly, the IT common body of knowledge is also growing rapidly. NIST SP 800-16 defines a core body of knowledge (CBK) that is a prerequisite for role- and performance-based security training.

The topics included in the CBK are (SANS InfoSec Reading Room, n.d.):
- Laws and regulations
- IT security program
- System environment
- System interconnection
- Information sharing
- Risk management
- Life cycle controls
- Management controls
- Operational controls
- Technical controls
- Awareness, training, and education
- Handling sensitive and classified information

These topics serve as the foundation of an effective, integrated security training and awareness program for UAE Academy.

Designing and Constructing the Awareness and Training Program

Given the current requirements of UAE Academy, there must be a systematic approach that addresses the specific needs of each group of people. The primary objective of a security awareness program is to achieve the organization's security goals. People must be understood as a risk that cannot be removed but can be reduced: they often do not know what the right action is, so awareness and educational training are the most effective remedy. A study by D'Arcy, Hovav and Galletta (2009) demonstrated a significant improvement in an organization's information security management that resulted from an effective awareness and training program.

Business Impact Analysis

Business Impact Analysis (BIA) is the process of discovering, in depth, the procedures behind every production-related process. The BIA defines workarounds, procedures and shortcuts, and the various types of failure that may disrupt business processes. Before a BIA is constructed, the key stakeholders must answer the following questions (Cannon, n.d.):
- What processes do you perform?
- For whom do you perform these actions?
- What tools, equipment and systems do you use?
- What request, event or system signals you to start work on the subject (input)?
- Obtain or show examples of the work the person performs (processes).
- Do multiple processes exist? If so, document each process for later review.
- Who is the key vendor, and who is the alternate vendor?
- What is the time sensitivity of the process?
- What is the basic priority of the process?
- Where do you record your work (output)?
- Who uses the output of your process next, and who depends on your output?
- What happens if the process is not used, not available, not performed or not accepted?
- What other methods could you use to accomplish the process?
- Are there workarounds or alternate processes that might already exist?
- Would the alternate procedure really work? How can you test it, or has it already been tested?

The business impact analysis template is shown in Figures 1.9 and 2.0 (RTO = recovery time objective, RPO = recovery point objective, PP = parent process, SP = sub-process).

Figure 1.9 Parent processes
  Columns: BU name; Head count; Parent process; Priority ranking; RTO; RPO; PP depends on; PP required by.

Figure 2.0 Sub-processes
  Columns: Sub-process; Priority ranking; RTO; RPO; SP depends on; SP required by; Quantitative impact.

Incident Response Plan

Information technology contingency planning produces the processes and procedures for recovering from an adverse event, or from any other disruption or disaster affecting a business process of the organization. IT contingency planning comprises several core planning documents: the Business Impact Analysis (BIA), Business Contingency Plan (BCP), Incident Response Plan (IRP) and Disaster Recovery Plan (DRP), along with other relevant documents (Knapp, n.d.). The IRP covers all the processes linked with the "definition, identification, classification, response and recovery from an incident" (Knapp, n.d.).

Hiring Security Staff

UAE Academy requires the following security staff for business continuity and disaster recovery.

Position: Information Security Analyst (3 to 4 years' experience required)
Job description:
- Supervise the systems for detecting and mitigating IT threats.
- Coordinate the design and development of key risk indicators.
- Hold regular meetings with the system owners to define security requirements aligned with organizational objectives.
- Be familiar with public key infrastructure, encryption, ciphers and RSA.
- Construct and execute network implementation plans.
- Provide information security awareness training to users.
Skills required:
- Thorough knowledge of virtual private networks, firewalls and intrusion detection systems; Cisco firewall knowledge desirable.
- Thorough knowledge of authentication mechanisms such as RSA.
- Understanding of digital forensics.
- Thorough knowledge of LAN, WAN, DSL and proxy technologies; able to configure and manage Wintel applications and servers.

Position: Information Security Manager (5 to 6 years' experience required)
Job description:
- Define the information security strategy document for the Academy.
- Drive a steering committee that keeps security initiatives aligned with the Academy's objectives and minimizes security oversight issues.
- Define the business continuity plan.
- Define the business impact analysis.
- Maintain an information security framework within the organization.
- Monitor progress by defining control objectives against which key performance indicators (KPIs) and key goal indicators (KGIs) are defined and tracked.
- Practise IT governance and keep senior management informed so as to obtain visible support.
- Review and define policies, procedures and standards.
Skills required:
- A successful information security management track record in institutional or educational organizations, colleges or universities (desirable).
- Professional-level certification: COBIT 4.1, ITIL, CISSP or CISM.
- Analytical thinking and a proactive approach to information security initiatives.

References

Cannon, D. (n.d.). CISA Certified Information Systems Auditor study guide. Sybex.
Centers for Disease Control and Prevention. (n.d.). Retrieved March 22, 2012, from http://www.cdc.gov/
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98.
ISACA. (2011). CISM review manual 2011. ISACA.
Knapp, K. J. (n.d.). Cyber security and global information assurance: Threat analysis and response solutions (Advances in Information Security and Privacy). Information Science Reference.
SANS InfoSec Reading Room. (n.d.). Security awareness. Retrieved October 6, 2011, from http://www.sans.org/reading_room/whitepapers/awareness