Principles of Information Security - Essay Example

Summary
The paper entitled "Principles of Information Security" aims to analyze the problem faced by the Assessment Office and provide control recommendations. According to the text, information systems deal with various types of risks/threats, thus, the threat may be accidental, internal or from external sources…

Extract of sample "Principles of Information Security"

Principles of Information Security

Table of Contents
I. Introduction
II. Information Security context
II.1. Scope
II.2. Policy
II.3. Risk assessment method
II.4. Existing security status
III. Risk Analysis
III.1. Baseline Controls
IV. Risk Treatment
IV.1. Justification
IV.2. Security program plan
V. Conclusion
VI. References
VII. Appendix
VII.1. Risk registers
VII.2. Risk treatment tables

I. Introduction

This paper produces an ISMP for the Assessment section of the Faculty of Business at the University of Southern Queensland. It focuses on the specific problems outlined in the case study, which requires an analysis of the problem faced by the Assessment Office and control recommendations.

II. Information Security context

Information systems of any type have to deal with various types of risks and threats. A threat may be accidental, internal or from external sources. One cannot eliminate all risk for an information system, but by following certain guidelines and controls the risk can be eliminated or reduced.

II.1. Scope

This paper produces an ISMP for the Assessment Office. The focus is only on the areas of concern that have been identified by the Assessment Office. Two sections of IS18 had been identified as not being followed in most circumstances and needed to be addressed. The first is training related to awareness of information security issues; the second is the appropriate physical security controls that must be in place for access to offices involved in information processing and handling. The vulnerabilities found in the Assessment Office are analysed one by one, and recommended controls are given for their treatment so that the level of risk for each vulnerability can be reduced or eliminated. It is not possible to eliminate or reduce all the risk associated with a vulnerability because of financial constraints; this is taken into account whenever a threat arising from a vulnerability is analysed.

II.2. Policy

The ISMP policy is provided for the assignment, so it is not discussed here.

II.3. Risk assessment method

Risk assessment is the combined process of risk analysis and risk evaluation (source: HB 231:2000, p. 3). Here attention is limited to collecting and documenting information such as assets, threats and vulnerabilities. The magnitude of the outcomes and the frequency of certain risks are analysed in the paper. Traditionally there are three types of risk analysis technique: quantitative, qualitative and semi-quantitative. Each method has strengths and weaknesses. The complexity and cost of risk analysis generally increase in ascending order from qualitative to quantitative techniques, and the technique used depends on the circumstances (source: AS/4360:1999, Risk Management). For this paper, qualitative techniques have been used for the Assessment Office assessment. Qualitative techniques have several benefits: they are quicker, less complex, encourage communication between team members, prioritise risks, identify areas for immediate improvement, and are less costly than quantitative techniques.

II.4. Existing security status

At present the computers of the Assessment Office staff have to comply with ITS security policies. The University of Southern Queensland is obliged to comply with standard IS18 (Information Standards on Information Security), which is part of the Queensland Government Financial Practices Act. The University of Southern Queensland is audited on an annual basis by the Queensland Audit Office.

III. Risk Analysis

A simple cycle of risk management is shown below. Every organisation has a central focal point for security concerns related to information systems. This central focal point covers all the stages of the cycle: assess risk and determine needs, implement policies and controls, promote awareness, and monitor and evaluate.

Figure 1: Risk Management Cycle

Risk analysis has been carried out for the areas of concern identified by the Assessment Office staff. On reviewing these areas of concern, six vulnerabilities were found. These vulnerabilities have been summarised in the risk register tables (Appendix VII.1, Risk registers). The tables are arranged in order of the importance of the vulnerabilities, which should be addressed on a priority basis. The six vulnerabilities identified are:

V1: Gradebook system is unavailable
V2: Available workstations (during peak times)
V3: Wrong bar-coded label
V4: Manual recording of bundled packets of assignments for markers
V5: Casual markers
V6: Very occasionally, assignments/exams returned via post from external markers never reach the Assessment Office

III.1. Baseline Controls

"Baseline security is not a minimum level; it is the middle ground. It is a crucial position to achieve to avoid negligence, harmful litigation, and high insurance costs." (Source: Parker 1998, p. 282)

The concept of adopting baseline security controls is contributing to a change in the perception of security controls in many organisations. Below is Parker's definition of baseline security and of what he terms due care controls.

"Due care is achieved when a security control or practice is used, or acknowledged as preferred for use, when it is readily available at reasonable cost or is in regular use by many organisations that take prudent care to protect their information under similar circumstances." (Source: Parker 1998, p. 284)

The baseline controls identified here are:
• ITS security policies
• IS18 (Information Standards on Information Security), which is part of the Queensland Government Financial Practices Act
• Standards Australia/Standards New Zealand: Information Security Management (1996)

IV. Risk Treatment

Risk treatment is the proportionate provision of controls. It can mitigate or eliminate risks to the organisation's operations according to suitable options. The main goal of risk treatment is to reduce risk to an acceptable level in a cost-effective manner. While treating risk, a few things have to be taken care of, such as the selected controls, regulations, legislation, organisational policy, user acceptance, and safety and reliability. Risk can be addressed in four ways: avoid, transfer, limit and accept. Avoid means eliminating the cause of the risk. Transfer refers to insurance or to outsourcing some function to another organisation. Limit means reducing the likelihood or consequences of an event. Accept means that one understands the risk and there is no cost-effective solution, so it is better to live with it. Once one has the risk register tables (Appendix VII.1, Risk registers), one can check which threat most affects the performance of the Assessment Office. Depending on the risk, various types of control can be selected. The six risk treatment tables are:

T1: Gradebook system is unavailable
T2: Available workstations (during peak times)
T3: Wrong bar-coded label
T4: Manual recording of bundled packets of assignments for markers
T5: Casual markers
T6: Very occasionally, assignments/exams returned via post from external markers never reach the Assessment Office

IV.1. Justification

Recommended controls have been identified for the vulnerabilities in the areas of concern identified by the Assessment Office. These recommended controls can be implemented so that the risk level of each threat is reduced. The recommended controls for each threat in the risk treatment tables are discussed below.

T1: Gradebook system is unavailable. If the Gradebook system is unavailable, no assignment can be logged in or out. This happens during periods of high load. It is a serious problem because it may cause the threats idle system, delay in assignments being logged in or out, and loss of man-hours (resources). All of these threats can be avoided with provision for sharing the additional load during periods of high load, either by having an additional system or by upgrading the Gradebook system. The Gradebook system will then be available when high load occurs.

T2: Available workstations (during peak times). This is a major problem during peak times. At peak times three additional staff are employed who work alongside three regular staff, but the number of workstations remains the same, so all the staff have to share workstations. Sometimes they work under each other's login for convenience, because they cannot change logins all the time. This is a major problem which is against the ITS security policies, and it can lead to the threats obstructions in productivity/work, security concerns and shoulder surfing. Adding workstations is not a cost-effective solution, so obstructions in productivity/work and shoulder surfing cannot be avoided, but by following the ITS security policies strictly the security concerns can be monitored. By strictly implementing the ITS security policies, the level of risk for security concerns can be reduced to low. If all staff work under their own login, it will also help the ITS department track any problem that occurs.

T3: Wrong bar-coded label. This type of vulnerability can be reduced by providing training and awareness programs regularly. Wrong bar coding causes two threats: delay in processing of assignments, and distribution of assignments to the marker for the wrong course. By providing a training and awareness program to students, the risk level for both threats can be reduced.

T4: Manual recording of bundled packets of assignments for markers. This again becomes a major problem when an assignment is returned to be reallocated. At present, when this happens the entry has to be made in two places, and often one of the entries is missed. This can lead to problems in many cases, from payment of markers to data mismatch between the handwritten folder and the computer-based system. The threats identified here are wrong entry in folders, data mismatch between manual and computer-based systems, and loss/theft of folder. With proper checking by assessment staff, the risk level for wrong entry in folders can be reduced. It is also suggested that the entry should be made in both places when an assignment comes for reallocation, or that the system should be automated so that the entry is updated. Entries are still made manually in folders; these procedures should be done in the computer-based system so that a proper backup of the data can be taken.

T5: Casual markers. The Assessment Office has several casual markers who come to the work premises to pick up assignments. Because they form a large group, it is impossible for anyone to recognise them all. This problem can be controlled by providing these casual markers with an identity card containing their name and the course for which they are picking up assignments. By providing identity cards, the level of risk for recognition and for reliance on the person (from the Assessments Office) will be reduced.

T6: Very occasionally, assignments/exams returned via post from external markers never reach the Assessment Office. This vulnerability cannot be addressed at present because it is beyond the control of the Faculty of Business at the University of Southern Queensland. It depends entirely on Australia Post, which is used for mailing and receiving assignments for external markers.

IV.2. Security program plan

A security program plan is made once all the controls have been identified. In a security plan one addresses a group of controls rather than individual controls. It is not mandatory that every suggestion included in the plan will be implemented by management, but each can be considered. The controls identified are: identity card, backup procedures, training/awareness, strict compliance with ITS security policies, provision for sharing additional load during periods of high load, PC usage policy (ITS Department), physical protection of server (CPU), and proper rechecking. These controls relate to the ITS security policies, the ITS Department, the Assessment Office, and training and awareness.

Investigations of implementations, scheduled over weeks 1 to 6, in three groups:
• Provision for sharing additional load during periods of high load, backup procedures, physical protection of server (CPU)
• Training/awareness, strict compliance with ITS security policies, PC usage policy (ITS Department)
• Identity card, proper rechecking by the Assessment Office

V. Conclusion

In this paper, the areas of concern identified by the Assessment Office of the Faculty of Business at the University of Southern Queensland have been examined. After risk analysis, several vulnerabilities were found to be present in the Assessment section. The effort has been to analyse the various threats and to make risk registers so that a risk treatment plan for each threat can be made. A security program plan has also been proposed for the recommended controls, so that the functioning of the Assessment Office improves, specifically in respect of casual markers and of the periods when peak load occurs. The focus has been only on those areas identified by the Assessment staff.

VI. References

Standards Australia/Standards New Zealand 1996, 'Information security management', AS/NZS 4444:1996.

VII. Appendix

VII.1. Risk registers
Vulnerability: Gradebook system is unavailable (ID: V1)

| Threat | Existing Controls & Baseline Controls (BC) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Idle system | ITS department | Moderate | Likely | High |
| Delay in Assignment (logged in or out) | Assessments Office | Moderate | Likely | High |
| Loss of Man-hours (Resources) | Assessments Office | Minor | Likely | Medium |
| Accidental Damage | (none) | Moderate | Unlikely | Medium |

Vulnerability: Available workstations (during peak times) (ID: V2)

| Threat | Existing Controls & Baseline Controls (BC) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Obstructions in Productivity/work | Assessments Office | Insignificant | Unlikely | Low |
| Security concerns | ITS Security Policies | Minor | Likely | Medium |
| Shoulder surfing | Location of Screen | Minor | Unlikely | Low |

Vulnerability: Wrong bar-coded label (ID: V3)

| Threat | Existing Controls & Baseline Controls (BC) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Delay in processing of assignment | Assessments Office | Minor | Likely | Medium |
| Distribution of assignments to marker for wrong course | Assessments Office | Minor | Likely | Medium |

Vulnerability: Manual recording of bundled packets of assignments for markers (ID: V4)

| Threat | Existing Controls & Baseline Controls (BC) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Wrong Entry in Folders | Assessments Office | Minor | Likely | Medium |
| Data mismatch in Manual and computer based systems | Assessments Office / ITS department | Moderate | Likely | High |
| Loss/Theft of folder | Assessments Office | Major | Unlikely | High |
| Accidental Damage | (none) | Moderate | Unlikely | Medium |

Vulnerability: Casual Markers (ID: V5)

| Threat | Existing Controls & Baseline Controls (BC) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Recognition | Assessments Office | Major | Almost Certain | Extreme |
| Rely on the person (from Assessments Office) | Assessments Office | Major | Likely | High |
| Shoulder surfing | Location of Screen | Minor | Unlikely | Low |

Vulnerability: Very occasionally assignments/exams returned via post from external markers never reach Assessments (ID: V6)

| Threat | Existing Controls & Baseline Controls (BC) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Delay in Gradebook | Assessments Office | Minor | Unlikely | Low |
| Long delay in the finalizing of results | Assessments Office | Minor | Unlikely | Low |
| Long delay in return of feedback for the students | Assessments Office | Minor | Unlikely | Low |

VII.2. Risk treatment tables

Risk Treatment for: Gradebook system is unavailable (ID: T1)

| Threat | Recommended Control(s) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Idle system | Provision for sharing additional load during periods of high load | Minor | Unlikely | Low |
| Delay in Assignment (logged in or out) | Provision for sharing additional load during periods of high load | Minor | Unlikely | Low |
| Loss of Man-hours (Resources) | Provision for sharing additional load during periods of high load | Minor | Unlikely | Low |
| Accidental Damage | PC Usage policy (ITS Department); Physical Protection of Server (CPU) | Moderate | Unlikely | Medium |

Risk Treatment for: Available workstations (during peak times) (ID: T2)

| Threat | Recommended Control(s) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Obstructions in Productivity/work | No further control – risk accepted | Insignificant | Unlikely | Low |
| Security concerns | Strictly comply with ITS Security policies | Minor | Unlikely | Low |
| Shoulder surfing | No further control – risk accepted | Minor | Unlikely | Low |

Risk Treatment for: Wrong bar-coded label (ID: T3)

| Threat | Recommended Control(s) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Delay in processing of assignment | Training/Awareness | Minor | Unlikely | Low |
| Distribution of assignments to marker for wrong course | Training/Awareness | Minor | Unlikely | Low |

Risk Treatment for: Manual recording of bundled packets of assignments for markers (ID: T4)

| Threat | Recommended Control(s) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Wrong Entry in Folders | Proper Rechecking | Minor | Unlikely | Low |
| Data mismatch in Manual and computer based systems | Either the entry should be made in both places or the system should be automated | Minor | Unlikely | Low |
| Loss/Theft of folder | Backup procedures | Moderate | Unlikely | Medium |
| Accidental Damage | Backup procedures | Moderate | Unlikely | Medium |

Risk Treatment for: Casual Markers (ID: T5)

| Threat | Recommended Control(s) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Recognition | Identity Card | Minor | Unlikely | Low |
| Rely on the person (Assessments Office) | Identity Card | Minor | Unlikely | Low |
| Shoulder surfing | No further control – risk accepted | Minor | Unlikely | Low |

Risk Treatment for: Very occasionally assignments/exams returned via post from external markers never reach Assessments (ID: T6)

| Threat | Recommended Control(s) | Consequence Rating | Likelihood Rating | Level of Risk |
|---|---|---|---|---|
| Delay in Gradebook | No further control – risk accepted | Minor | Unlikely | Low |
| Long delay in the finalizing of results | No further control – risk accepted | Minor | Unlikely | Low |
| Long delay in return of feedback for the students | No further control – risk accepted | Minor | Unlikely | Low |
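To make the qualitative method behind these register and treatment tables concrete, here is an added example (not part of the original paper) that encodes register V5 and treatment T5 as data, rates each threat with a consequence/likelihood matrix, orders the register by priority, and checks that no treatment row raises a risk or accepts a risk that is not Low. The matrix is an assumption: it reproduces every consequence/likelihood/level combination that appears in the paper's tables and fills the remaining cells by analogy.

```python
"""Qualitative risk register and treatment review (added example)."""
from dataclasses import dataclass

CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major"]
LIKELIHOOD = ["Unlikely", "Likely", "Almost Certain"]
LEVELS = ["Low", "Medium", "High", "Extreme"]  # ascending priority

# Assumed rating matrix: rows are consequence, columns follow LIKELIHOOD.
# Every cell the paper's tables use is reproduced; the rest are filled in.
MATRIX = {
    "Insignificant": ["Low", "Low", "Medium"],
    "Minor":         ["Low", "Medium", "High"],
    "Moderate":      ["Medium", "High", "High"],
    "Major":         ["High", "High", "Extreme"],
}

ACCEPTED = "No further control - risk accepted"


def level_of_risk(consequence: str, likelihood: str) -> str:
    """Qualitative level for one threat, as in the tables' last column."""
    return MATRIX[consequence][LIKELIHOOD.index(likelihood)]


@dataclass
class Threat:
    name: str
    control: str        # existing control (register) or recommended (treatment)
    consequence: str
    likelihood: str

    @property
    def level(self) -> str:
        return level_of_risk(self.consequence, self.likelihood)


def prioritise(register: list[Threat]) -> list[str]:
    """Threat names, highest level first: the order the paper says the
    register should be worked through."""
    ranked = sorted(register, key=lambda t: -LEVELS.index(t.level))
    return [t.name for t in ranked]


def review_treatment(register: list[Threat], treatment: list[Threat]) -> list[str]:
    """Findings a reviewer would raise: a threat with no treatment row, a
    control whose residual level is above the inherent one, or a risk
    marked accepted while still above Low."""
    findings = []
    residual = {t.name: t for t in treatment}
    for inherent in register:
        after = residual.get(inherent.name)
        if after is None:
            findings.append(f"{inherent.name}: no treatment row")
            continue
        if LEVELS.index(after.level) > LEVELS.index(inherent.level):
            findings.append(f"{inherent.name}: control raises risk")
        if after.control == ACCEPTED and after.level != "Low":
            findings.append(f"{inherent.name}: accepted at {after.level}")
    return findings


# Register V5 (Casual Markers) and treatment T5, transcribed from the paper.
V5 = [
    Threat("Recognition", "Assessments Office", "Major", "Almost Certain"),
    Threat("Rely on the person", "Assessments Office", "Major", "Likely"),
    Threat("Shoulder surfing", "Location of Screen", "Minor", "Unlikely"),
]
T5 = [
    Threat("Recognition", "Identity Card", "Minor", "Unlikely"),
    Threat("Rely on the person", "Identity Card", "Minor", "Unlikely"),
    Threat("Shoulder surfing", ACCEPTED, "Minor", "Unlikely"),
]

if __name__ == "__main__":
    for t in V5:
        print(f"{t.name:20} {t.level}")
    print(prioritise(V5), review_treatment(V5, T5))
```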