Security Risk Assessment in SCD - Case Study Example

Summary
The paper "Security Risk Assessment in SCD" gives advice on how to protect the confidentiality of personal and company data stored on the laptops. The author recommends both ‘reduce consequence’ and ‘reduce likelihood’ treatments, advising that the company invest in antispyware software and host the website on its own server…

Extract of sample "Security Risk Assessment in SCD"

Security Risk Assessment

EXECUTIVE SUMMARY

Implementing an IT security risk assessment is critical to the overall security posture of any organization. An effective security risk assessment can prevent breaches, reduce the impact of breaches that do occur, and keep the company's name from appearing in the spotlight for all the wrong reasons. Regular IT security risk assessments also enable organizations to build up a cache of historical data that can be used to gauge and communicate the monetary impact of risks and, hopefully, convince upper management to take decisive action to reduce the organization's threat surface.

Today’s business world is constantly changing — it’s unpredictable, volatile, and seems to become more complex every day. By its very nature, it is fraught with risk. Risk assessment provides a mechanism for identifying which risks represent opportunities and which represent potential pitfalls. Done right, a risk assessment gives organizations a clear view of the variables to which they may be exposed, whether internal or external, retrospective or forward-looking. For risk assessments to yield meaningful results, certain key principles must be considered. A risk assessment should begin and end with specific business objectives that are anchored in key value drivers. These objectives provide the basis for measuring the impact and probability of risk ratings.

Southern California Design (SCD) has been determined to be a Major System and has been determined to have a low security categorization. I prepared this Security Assessment Summary Report based on the security template by Stallings and Brown (Stallings and Brown, 2012, p. 454 - 475). The results captured in this report summarize the risks associated with the vulnerabilities identified during the system’s Security Test & Evaluation, Network Perimeter Assessment, PC Security, User Authentication and Access Controls, and other risk assessment activities. I determined that the company does not have the technical capability to implement a security control, and that the manager may have made a risk-based decision not to implement stricter security measures, mainly because of the cost or feasibility of implementing the control relative to the risk.

2. Organizational Context and Asset Identification

2.1 Organizational Context

SCD is a company that specializes in landscape and outdoor space for commercial and condominium communities. It is rated fairly high in the region's markets. Manager and founder Mary Smith has employed a total of 7 staff, consisting of four full-time architects and three part-time employees. The firm is planning to move to a newly leased office. After this move each employee will be issued with a laptop. The new office space consists of one office (for the manager), a conference room and eight cubicles. Each employee will be allocated one of the eight cubicles, and so privacy is compromised. After a long discussion with the manager, the following were determined about the company:

1. The company does not have a local server. Cited reasons include the cost of maintaining such a server versus having it hosted by a third party and accessing the infrastructure through the internet.
2. The company issues each employee with a cell phone, and some employees with laptops with Skype installed for video conferencing.
3. There are plans to install Microsoft Office Suite on each laptop.
4. The office does not have any desktop PCs. There is LAN access, for which each employee plugs their laptop into an Ethernet port for internet access.
5. The manager, Mary Smith, is contracting a telecom contractor to carry out the design and analysis of the office network in the new space. This contractor will use AT&T Business DSL for internet access.
6. There will be a photocopier and a laser printer connected to the network, to be accessed from anywhere around the premises. The company will not have a wireless network.

2.2 Asset Identification

The asset in this case is the confidentiality of personal and company information stored on the laptops. The information contains confidential data about employees of the company and the clients the company serves. If this information is stolen or compromised, valuable content about SCD, its staff and its clientele may be leaked. A lot of financial information about the company is also stored on these laptops.

3. Threat and Vulnerability Identification

3.1 Threat Identification

The firm faces stiff competition from established similar companies countrywide. Each of these companies would do anything to survive and monopolize the business. If any of them gains access to data pertaining to SCD, they can manipulate it to cause SCD’s downfall. The employees receive different salaries and remunerations based on how well each performs at the firm, and there is a constant struggle to prove one’s worth. Hence, there is ongoing competition among the employees. Each would try any means to tarnish the others' reputation.

3.2 Vulnerability Identification

Theft of personal information, and its subsequent use in identity theft, caused by the lack of access control and authentication on the laptops. Once identity thieves have this personal information, they may decide to use it in a variety of ways. They may establish a new phone service or take out a loan in the victim’s name. They may apply for a credit card and then call the credit card issuer to change the postal address on the credit card account. They could then run up charges on the account, but because the statements will be sent to a different address, it may take some time before the victim realizes there's a problem. Less obvious consequences could be that they file for bankruptcy under your name to avoid paying debts they've incurred under your name. There is also the risk of loss of company information. In this case, the company may lose reputation, face government sanctions, and even go out of business.

Malware infiltration of the laptops, compromising the integrity of the information stored. Once this information is changed, poor decisions can be made by the management. These may involve false or inaccurate payments. Malware can also cause denial of service by making part or most of the information unavailable.

There is easier access to the information via the internet due to the lack of a firewall and intrusion detection systems. Any expert hacker can readily gain this access.

4. Risk Analysis

4.1 Existing Security Controls

Mary Smith loves being close to her laptop and rarely allows anybody to handle it. She walks with it to the office, has tea and lunch in the office, and has chosen a secure access password. The Windows operating system installed comes with anti-spyware software that detects and removes common malware. It does not detect the most recent and advanced viruses, though, and requires constant updates to keep performing properly. The third-party hosting company has some credibility regarding data security. In the recent past, though, there have been reported instances of hacking at the company. Each employee is required by company rule to have a strong password known only to the password holder. The passwords are changed every three weeks.

4.2 Likelihood

The likelihood is ‘possible’. Mary Smith is concerned about her weight. Her doctor advised her to jog for at least two hours daily, which she does in the mornings and evenings. During these times she has the laptop either in her car, home or office. Sometimes she leaves it on in sleep mode. There is a high chance that the laptop may be stolen and the password decrypted (NIST, 2012). The company has a canteen where all the staff have their meals. During this time, all the laptops are left in the cubicles [1]. None of the staff carry the laptops to their homes, according to company policy. The company contracts external personnel to carry out cleaning on weekends in the afternoon.

4.3 Consequence

If the information on the laptop is read, it can lead to major consequences. First is identity theft with serious financial implications. For starters, the thief can gain access to the bank accounts of the victims and take money from them directly. This individual can also open up credit cards in victims’ names, which can put them into debt without their spending any of the money. Another item that many identity thieves take is investments, as they can withdraw your money that has been put away for the future.

4.4 Resultant Risk

The resultant risk is extreme, since risk is a combination of likelihood and consequence, and the combination of ‘possible’ likelihood and ‘major’ consequence yields a risk level of ‘extreme’ (Stallings and Brown, 2012, p. 486).

5. Risk Prioritization and Risk Register

5.1 Risk Priority

This risk has risk priority 1. The general principle is that a higher-level risk needs to be assigned a higher priority of action (Stallings and Brown, 2012, p. 485).

5.2 Risk Register

Asset: Company and personal information stored on the laptops
Threat: Theft of information and its subsequent use in identity/data theft
Existing Controls: Passwords and Windows anti-spyware
Likelihood: Possible
Consequence: Major
Level of Risk: Extreme
Risk Priority: 1

6. Risk Treatment

“To protect ‘Confidentiality of personal and company information stored on the laptops’, I recommend both ‘reduce consequence’ and ‘reduce likelihood’. In reducing likelihood, SCD staff should be trained on the importance of protecting their individual laptop computers. They ought to learn to always switch the laptop off when it is not in use. The company should also consider hiring an IT specialist as part of the company to keep the risks in check. In reducing consequence, I recommend that SCD invests in antispyware software and hosts the website on its own server.”

7. References

[1] http://www.scmagazine.com/unencrypted-laptop-stolen-11000-dialysis-patients-impacted/article/319921/

Stallings, William and Brown, Lawrie. Computer Security: Principles and Practice, 2nd Edition, Pearson Prentice Hall Inc., 2012.

NIST Special Publication, Guide for Conducting Risk Assessments, 800-30 Revision 1, 2012.
Security Risk Assessment Term Paper Example | Topics and Well Written Essays - 1750 words. Retrieved from https://studentshare.org/information-technology/1624433-security-risk-assessment
