Information Technology Audit of Adams Brick Communications Company - Report Example

?Senior Information Technology Auditor (Section) Due) Given that Information Technology (IT) exists to supportbusiness, understanding the impact of IT to the business and the risks introduced into the business process are vital for an effective audit process which ensures a thorough evaluation and assessment of the internal control environment. The Information Technology Group (ITG) of Adams Brick Communications Company is considered one of the most important departments in the organization given their huge role in ensuring smooth running and operation of the company. The company relies heavily on information technology to meet its goals given that it is a communication company that earns most of its revenue through advertisements. This paper presents a description of an independent audit conducted on security, governance and business continuity assessment of Adams Brick Communications Company’s Information Technology. Introduction As the Senior Information Technology Auditor, it is my responsibility to ensure that the audit committee undertakes reviews and conduct tests and assessments on Information Technology department of the company that will provide management assurance that the business as a whole is operating effectively. Information Technology audit is basically responsible for reviewing both the operational and technical aspects of existing and planned computer systems in addition to assessing whether the risks they pose are significant or has the ability to add to the anticipated business specific risks. Adams Brick Communications Company heavily depends on Information Technology department in order to meet its goals and objectives as a business entity given that it is a communication company which generates most of its revenue from advertisements. The normal and up to standard functioning of the information technology of the company is therefore considered vital for the company’s survival. An audit to assess the company’s IT security and governance therefore comes in handy in ensuring the survivability of Adams Brick Communications Company as a business entity. An overview of the company Adams Brick Communications (ABC) is a multifaceted media company which is based out of Wilmington, North Carolina.  The corporation is located in the heart of the city, with one satellite office in a nearby suburb.  ABC’s primary business is a local newspaper and news website.  They also have multiple small niche magazines that support special interests in the community.  All of these assets are supported through the advertising division of Adams Brick Communications. The company has its advertising division as its backbone given that it’s the main source of revenue even though its overall goal is to provide services to the community Information Technology governance The Information Technology Group (ITG) is tasked with supporting the endeavors of Adams Brick Communications.  It is led by the Chief Information Officer (CIO) and a staff of ten information technology professionals.  The CIO reports directly to the Chief Executive Officer, and is on the same level as the other executive officers of ABC.   ITG, while being led by the CIO, is split into three groups.  A two person networking team, a five person system administration team, and a three person team focused on security.  While the security team is responsible for privacy and security matters, it is mostly implemented by the two other teams.  The IT governance is handled by the Chief Information Officer. The networking team is responsible for the connectivity of Adams Brick Communications.  They are first responsible for ensuring that the business has appropriate bandwidth to support all business operations.  As new hosts are added to the network, the networking team must give them the lines needed to connect to the intranet.   The system administration team handles the equipment at the host level.  They ensure that proper hardware and software has been deployed at each user as needed.  The system administration team is also responsible for taking care of the website; however they are supplemented by contractors that are used as needed for the design and implementation.   The three person security team is responsible for ensuring the overall security posture of Adams Brick Communications.  They do this by working with the networking and system administration teams that all information technologies deployed within the network meet the appropriate security related guidelines.  In addition to this task, the security team works with external security audits to ensure that the level of security that they are trying to achieve is met.   The security program implemented at ABC has been developed to reflect the main goal of protecting the business from external and internal threats while maintaining alignment with the business primary goals.   Security Assessment The overall goal of security audit of information technology is to ensure that the necessary security controls are integrated into an information technology system in addition to outlining the possible security risks. Adams Brick Communications Company has several security measures integrated within the system that ensure various security metrics such as Survivability, Privacy, Confidentiality, Integrity, Availability, Accountability, Reliability and Non-Repudiation. The company has placed various security measures in place in order to ensure security of data and information involved. The company ensures the privacy of both data and information through encryption. It has such software as PGP Desktop and Truecrypt installed which encrypts the entire system’s hard drives. The company should look in to incorporating password protection system which will further ensure privacy and security of data and information from unauthorized access. The password system chosen must be a strong type with a hashing system such as MD5 to prevent possible password cracking by hackers and so like minded individuals within or outside the company. In addition to password protection system, the company could use a software application that hides vital files from public and general access. In order to ensure full security the valuable information in future or even if the company has the means, a higher level of password protection system should be adopted. A system should be adopted whereby the password or pass code to the safe room where the valuable data and information are kept, changes automatically after a certain period of time. The CIO shall be in possession of the pass code gadget in which the ever changing pass code is sent and can be read. Anybody willing to access the information should contact the CIO for access before they can retrieve any valuable information from the safe room. The company should also consider deploying physical security looks in order to restrict unwanted movement in and out of the secluded areas where possible valuable information is generated. The higher number of people in the organization with access to the sensitive rooms increases the security risk on the information that otherwise can be kept safe with a minimized and restricted access. On survivability, the company has employed layering approach in its network in order to ensure the security of the data and information created by the advertising team. The sensitive nature of this data calls for high security measure to be employed given that the company depends on the data for its survival. The company ensures this by fielding layers around the advertising data and information collected and generated by the advertising which are considered the most valuable asset. The layering approach enables the company to logically and physically separate the valuable and sensitive advertising data from the rest of the network. In case of an external network attack, the internal network sustaining the valuable data and information are not greatly affected through the use of the layering approach. Apart from the layering approach used by the company in ensuring survivability, the company has also employed redundant routers and switches in its network system that eliminates the possible risk of internal network failure being taken down in case of a single point of failure. I would recommend that the company keep the number of people that handle such vital data as low as possible in order to reduce the chances of information theft. The company has firewalls and dual routers in place which handle most of the disrupting attacks which could affect the network. This therefore ensures continuous flow of information within the organization’s network hence information availability. The number of hardware firewalls however, is not sufficient to minimize the number of intrusion attacks and protect the organization’s network from unauthorized access and disruptions. The company has only two Intrusion Detection Systems: Snort and SiLK. The advertising business presents a lot of rivalry and competition which brings along a lot of intrusion possibilities given that the business entities involved are always in search of new ideas to stay on top. The other businesses will try to intrude into the network in search of ideas and information they can use to overcome the company. This calls for an installation of increased intrusion detection systems which are more sensitive and active. The use of Apple based work stations for the advertising team is a well played card by the company in order to minimize the chances of intrusion given that apple has a more secure operating system as compared to windows operating system which has a lot of loop holes for intrusion. Apple based work stations uses MAC OS X which are not susceptible to virus and Trojan attacks as compared to windows operating systems. In order to ensure higher security to the data and information at the advertising department, I would recommend the company to adopt Linux operating systems since they are more secure as compared to the Apple based stations. In addition Linux operating systems come integrated with all the network security assessment tools. Linux operating systems are believed to be immune to a lot of attacks since it comes with almost all the necessary security measures installed unlike windows operating system with a lot of security loop holes that a potential hacker can easily utilize in order to compromise the security of the system. Even though windows operating system has a simple and great user interface as compared to the other operating systems such as Linux and MAC OS, its security is quite easy to compromise. I would recommend that the company reduce or phase out the window based work stations and adopt more Apple and Linux based work station in order to minimize the security risks presented by the windows based workstations. The company has close to 300 windows based workstations which is close to have of the whole system. In case of a virus attack, almost the whole system would go down given that windows operating system presents a platform for an easy spread of computer virus. The company should consider employing network filters that filter all the traffic directed to the company’s network before they reach the network hence preventing possible attacks. The snort signature deployed by the company detects increased traffic within the network that can results in to the possibility of denial of service attack. This form of security risk is placed under control by the snort signatures which detect the traffic when it reaches a certain threshold believed to contain possible attacks. In order to ensure accountability a water-tight security measure has been put in place by the company through the use of logging system which records the entire log in attempts to secured data (both successful and failed attempts). The system keeps the event logs including screenshots of the pages accessed plus the time of access. All the information is stored in a secured server which avails the information when needed. The information collected can be used to improve on the security system since it is helpful presenting the vulnerabilities of the system which needs improvement. The company should look in to adopting a system which will alarm the CIO and the relevant data security individuals in case of failed log in attempts to encourage a quick response in case of data theft by unauthorized access. Both host based and network based defense should be deployed in order to ensure information security in terms of reliability. Effective antivirus software from an approved vendor should be installed in all the windows based workstations to ensure security from malware, Trojan and virus attacks from external networks including removable hardware such as pen drives from within the organization. For a full security using the antivirus software, regular updates should be installed at an interval of at least a period of 24 hours since the virus database run out of date. The company, through the Information Technology Group (ITG), should adopt a policy of formatting the all the virus infected hard drives after information backups in order to avoid further spread of the virus in case of an attack. Host based security sensor, OSSEC, can be used to complement the antivirus software installed in the workstations in ensuring security. Snort deployment on both sides of the external router by the company ensures security on the network based defense given that it has the ability to detect the attacks that overcome the firewall in addition to directly detecting traffic on the internal network. A SiLK sensor is used to store the traffic. Conclusion According to the results of the security assessment, the company can be considered secure. However, the suggested recommendations should be given a consideration in order to maximize the company’s security and minimize potential security risks presented by the loop holes present in the current security system as discussed. Top of Form Bottom of Form Read More