Poor Security Policies of Welco Insurance PLC - Case Study Example

 Enterprise Security Management Abstract Welco Insurance PLC has a great challenge to secure the company security. The internal audit uncovered poor security policies which had resulted in many security attacks and breaches. All the failures were analyzed and appropriate physical, administrative and technical controls have been offered to mitigate security attacks. This report investigates the challenges that Welco should overcome and the best practices that should be implemented so that it is in line with international security policies. Table of Contents Page Introduction 3 Understanding the security breach attacks 4 Implementation of suitable Measures 6 Management & Administrative Control 6 Physical Control 10 Technical Control 11 Recommendations 17 Conclusion 18 Introduction In the recent past, many organizations have increased their spending on IT security measures and technologies. The stability of the organization is one of the most important concerns for the management. Security Management is a huge challenge for many organizations as complexity and uncertainty has increased in today’s world. Organizations are well connected because of technology such as the internet. Internet access is the baseline and an indispensable primary tool in performing day to day activities in the organization. This technology also increases the risks that should be identified and necessary controls are in place to mitigate the new risks. Security Management can conflict within the organization and can pose to be a significant barrier to process and work effectiveness as the strategic goals are often in conflict with the security rules. Having to protect the organization’s assets and facilitating the employees to do their work is the greatest challenge that the security management faces. (Caralli, n.d) Dealing with system technology with complex operating work environment can be expensive and can impact the business profits. The high cost involved and non availability of the appropriate technical resources has forced some organizations not to develop security management as one of their main core competency activities. (Caralli, n.d) Security breaches can damage the company’s brand, reputation, trust and can impact the company’s performance. It is the responsibility of the business leaders to have good control and ensure the organizations safety. (The internet Security Risks Facing your Organization: Test and be Saved, n.d) The NERC control systems security working group (CSSWG) has identified some susceptibility for control systems- (Migrating the Top 10 Network Security Risks in SCADA and Process Control Systems, 2007) 1. Inadequate policies, guidelines and procedures with respect to control system and security. 2. Inappropriate wireless communication used by the employees. 3. No proper tools to detect and the maintain control systems, poor password standards. 4. No proper tools available on reporting inappropriate activities or security breach through suitable control systems. 5. Poorly designed control systems which fail to provide sufficient in-depth analysis, fail to restrict trusted access to control systems. 6. Failure to change control on software and patches. ( Migrating the Top 10 Network Security Risks in SCADA and Process Control Systems, 2007) Technical understanding of the methods used to carry out security attacks: The internet revolution has enhanced communication, collaboration and added more functionality on the web. Many organizations use websites to do businesses and promote their products. There are complications arising as Malware targeting web applications are getting very difficult to track. Attackers are able to create numerous codes and malware pieces with malicious Trojans causing malware levels to increase massively. These kinds of attacks can negatively impact the customers, data loss, corruption of systems and reduce sales. The organization must have some controls in place to ensure these attacks do not occur. To minimize the risk, development around internet security should be strengthened and any changes in the technology needs to be tested and authorised by the technology team in the organization. (The internet Security Risks Facing your Organization: Test and be Saved, n.d) A large number of security breaches happen in the work place as the employees fail to comply with the organization policies and security guidelines. 78% of the computer virus and attacks happen in the form of viruses in email attachments. Most of the cases open email attachments from unknown sources and hence the need to understand and take appropriate measures for curbing such incidence. Standardising Security Controls All the companies rely on the standard rules and regulations model known as CIA which stands for Confidentiality, Integrity and Availability. This three tier model was a largely accepted component which was used to assess the risk of sensitive information. Confidentiality: Sensitive and confidential information to be made available only to the top management and pre defined individuals. There must be restriction on using this sensitive information. Confidentiality of the information ensures that customer information, client’s financial and sensitive information is not obtained by unauthorised parties. Integrity: Unauthorised users need to be confined from the ability to make changes or amendments to the information available. The information should not be altered in any way. Availability: The information needs to be accessible only to authorised people and the information should be obtained within a stipulated time frame. The timeliness is often measured in percentage and refers to service level agreement time. Security measures Organization security is often divided into 3 basic categories which is often referred to as controls- Management and Administrative control Physical control and Technical Control (Redhat Enterprise Linux 4: Security Guide,n.d ) Management and Administrative Control: The general observation is that the majority of security breach incidents occur because of the employee’s failure to abide with work policies and procedures. It is important for the business to identify and deploy appropriate measures to facilitate employee’s compliance to information security guidelines. Employee’s information security is focused mainly on employee computer abuse (Limayem, Khalifa & Chin 1999; Anandarajan 2002, Galletta & Polak 2003). The contributing factors to employee non compliance to policies can be due to the lack of information security awareness or work pressure. .( Berinato Scott , 2003) 1. Organizational Climate It is defined as a set of attributes and beliefs, policies and procedures which are specific to a particular organization. Individual behaviour and organizational climate are important determinants in determining the working conditions of the employees. Corporate security awareness programs will help the employees understand the impact and the consequences of security breach. IT governance and security compliance is the responsibility of executive managers and business leaders as it is an integral part of the leadership and it is their duty to ensure the organization sustains and achieve its goals and objectives (Ruby, 2006) .There are 5 characteristics of ensuring effective security measures and governance: Determining clear and defined security policies and goals Specifying a framework for responsibility, accountability and integrity Alignment of company strategy to risk management and ensuring compliance Effective due diligence and external and internal audits to be conducted to ensure compliance Assuring decisions and actions are implemented through effective policies and procedures (Ruby, 2006) (Berinato Scott , 2003) 2. Business leader’s accountability: The executive leadership and management team will be held responsible with respect to organization security to its employees, shareholders and the community. Effective business governance helps in supporting with adequate financial resources, laying down stringent policies and annual review meetings. The business management team also accepts responsibility and takes ownership of the security risks related to systems, networking and securing critical information. (Ruby, 2006) 3. Security as business requirement Security management should not be seen as an expense but considered as a requirement and cost of doing the business. Maintaining security is directly aligned to the company’s goals and objectives, risk management reviews and compliance requirements. Adequate funding financial support is necessary to ensure appropriate measures are taken to avoid security breach. (Ruby, 2006) Disaster recovery plan and preparedness should also be done by the business management to ensure that the business can work even in the case of a security breach. 4. Segregation of duties Security roles and responsibilities for the executive management team such as Chief Information Officer (CIO),Chief Information Security Officer(CISO) and Chief security Officer( CSO) needs to clearly defined and should also take into consideration the segregation of duties and responsibilities (Ruby, 2006) 5. Enforcement of policies The management team and the security personnel need to ensure that the security rules are implemented through well defined policies and procedures. These policies have to be monitored and enforced by including controls and resources. (Ruby, 2006) The management team should take into consideration the design, controls, prevention, mitigation, development and implementation of the security measures. (American Chemistry Council, n.d) 6. Staff awareness and Training programs The staff and employees need to be provided with adequate training, motivation, guidance and drills which will ensure and enhance their awareness. It improves the ability to detect incidents and also helps in strengthening the overall security in the organization. Communication and exchange of information to the appropriate stakeholders helps in sharing security practices and maintaining interactions with the law enforcement officials. The employees must also be made aware of the necessity of reporting any security incidents. (American Chemistry Council, n.d) 7. Audit The organization needs to periodically audit the procedures to ensure that all the programs and processes are working and take preventive actions if necessary. Third party verification to access the potential offsite impact such as the fire fighters, insurance auditors and state government officials. This is done to confirm that the measures and the controls are implemented. (American Chemistry Council, n.d) 8. Continuous improvement The companies need to seek continuous improvement in all the divisions. The organization will be tracking the controls on a periodic basis, measuring and improving the security to keep the financial property, assets, information and technology more secure. Best practices between different companies are also shared so that the awareness and effective security practices are undertaken. Due to the rapid development in the security issues, the management needs to keep updating themselves with the latest security measures available. (American Chemistry Council, n.d) Physical Control Physical security controls can be implemented to prevent unauthorised access to sensitive and confidential information. It is through the physical controls that the organization gains access to facilities, information and system. (Tom Olzak, 2009) 1. Data backup The most important task of the security management is to ensure that all the data and information that is performed and stored have proper backups of critical business data. If there is any facility or system failure, the only way to retrieve and recover information is through this activity. There are 3 types of backups- full, incremental and differential. A full backup provides the fastest restore time and it basically copies all the files and data from the production server to the backup media. An incremental backup copies all the files that have changed since the last backup run. Differential back up restores the data prior to the system failure day. The data should also be encrypted if sensitive information is copied. (Tom Olzak, 2009) During the audit, one of the failures highlighted for Welco is lack of data back ups which had resulted in huge loss of data. The company need to ensure that the backup are taken for all critical business data. 2. Security guards Security guards provide control and add value to avoid trespassers. There is cost associated with deploying security guards but if they are not present, it can negatively impact the business because of physical intrusion. Closed circuit TV surveillance can also be activated in all the important locations to ensure only authorised people are let inside the facility (Tom Olzak, 2009) Welco should also have security guards deployed in the facilities to ensure the identity cards are checked of all the employees and any suspicious people entering the premises are questioned. Good Security policies will help the company in having better control of data loss or theft. 3. Biometrics Biometrics is a unique security control which helps in identifying authorised personnel. There are many physical qualities that can used to uniquely identify the person which includes retina, voice patterns, signatures and thumb prints. Although this has been improving significantly in the last few years, the success of this depends on the resistance to counterfeiting, reliability and data storage requirements. Welco should also install biometrics security control for entering the work premises. This will also ensure only authorised persons are entering the facility. Technical Control Technical controls focuses on Information technology systems and these controls provide protection from unauthorised access. They help in facilitating ad detecting security breaches and violations. 1. Malware It is believed that 21% of the malware is written in China. There are various techniques and ways to evade detection by anti malware products and the most successful technique is server side polymorphism. It helps the code on the web impossible to identify the mutation engine. There are other techniques such as encryption, obfuscation which changes the codes automatically. (Security Threat Report ,2008) There has been significant advancement in the field of technology particularly towards detection techniques. To combat these attacks, the security management installs spy ware as a method to stop these unknown malware from getting into the work system. (Security Threat Report , 2008) Fire wall is also the one of the most used to defend the corporate networks from getting system attacks. Firewalls protect organization networks from the public networks to which it is connected. Firewall can be a router that filters the information received. Another technical control can be in the form of user authentication which means that the users need to enter a password from a digital key to access the computer. The user authentication can be integrated into the firewall. This is a very effective control if every user is provided with a digital key to enter the password; the users are encouraged to change the password periodically. 35% of the organization encourages their employees to change their passwords periodically and 40% of the enterprises do not wish to change the password set. (Dereje & Zheng, 2003) Below is the statistical data of the implementation of the firewall technology across organizations. (Dereje & Zheng, 2003) There are varieties of security tools apart from developing firewalls and user authentication such as data encryption, digital certificated issued to the employees, intrusion detection systems (IDS), installing antivirus software, virtual private networks (VPN) and having extranets. Therefore the organization needs to opt for the best method to protect the company from illegitimate access and security breach. These proactive methods will help the company to be more efficient and competitive in the market. (Dereje & Zheng, 2003) Welco also need to ensure that the latest antivirus software and firewall protection is installed in all the desktops and laptops so that illegitimate access by any attackers can be tracked and controlled. 2. Disaster recovery planning The disaster recovery planning should be done by the senior management. Implementing recovery plans help to secure data and systems which are very critical to businesses, suppliers and clients. Previously only the financial, health and government sectors possessed business continuity plans in case of any disasters but now it is practiced throughout all the types of businesses. All organizations are requested to create, maintain and document a process for emergency and disaster management and internal disasters. This documentation should specify how confidential and sensitive information will be safeguarded and resume daily activities while dealing with the emergency. (Keeping people and information Connected, Sungard Availability Program, n.d ) Strategy of handling the current existing risks and the proposed solutions should also be documented in the disaster recovery document. The top management needs to share the continuity strategy to the team so that the employees are well informed on the course of actions during such situations. The IT disaster recovery plan should have ways of recovering information, system, data and people and this plan involves collecting, collating and researching data to look at the best cost effective option that can be deployed during such situations. (Berinato, 2003) Before setting up the disaster recovery plan, the total cost of ownership should also be taken into consideration. The costs involved in hardware, software, staffing of people and other management overheads need to be taken into consideration. With the help of recovery requirement availability, the company can derive the true total cost of ownership which will help in determining the best option available. Data availability is a challenge during such situations. The guidelines for the organization to follow are- (Keeping people and information Connected, Sungard Availability Program, n.d ) The critical data should be identified so that the time for restoring can be reduced Conduct audits and periodic tests to ensure the data is recoverable Integration of data security controls with the continuity plan The alternate location should also be identified during such situations. This identified location should have the appropriate technology, system access, phones and other facilities that allow the business to flow as usual. (Keeping people and information Connected, Sungard Availability Program, n.d ) The escalation matrix should also be created so that the employees know whom to contact and what steps need to taken in case of such emergencies. (Roger & Butler, 2006) 3. Antivirus Measures For a virus infestation, the rate of replication exceeds the rate of removal. The organization needs to ensure that the DOS based file viruses are controlled by having central reporting point. The users must be instructed the things to do and not to do to safeguard the security such as not to open any suspicious emails from unknown source. To stop the virus infections coming to the work computers, all the incoming emails to be checked through the scanning software which will alert and identify any virus. The antivirus software includes automatic screening and centralized reporting and have specific system to cleanup the infected virus. (Roger & Butler, 2006) 4. Intrusion Detection Another anti virus software is the intrusion detection system as it is easier to prevent these attacks. Example of intrusion detection is detecting phone cloning and fraud done by the banks. The stock market and other financial active areas have intrusion detectors which will help in looking for suspicious transactions. This is one of the best developing security controls in corporate and government attacks (Roger & Butler, 2006) 5. Risk Mitigation Risk mitigation plan will help in reducing the network and system vulnerabilities and help the company in being proactive and avert attacks. There are 5 phases that the company needs to develop for establishing the risk mitigation plan. (a)Vulnerability analysis The business needs to research and gather information regarding security requirements and client demands for the existing work. The existing designs are reviewed to identify the internal and external vulnerabilities and this need to be documented in the analysis report. (b)Network security The business needs to prepare a security architecture document which should specify the monitoring, detecting process. In case of any future expansion and development the business should also identify any risks involved. (c) Implementation plan On the basis of the requirements, monitoring and detection factors are defined and the security implementation plan is provided to the business for review. (d) Predeployment phase The business needs to create a testing plan to check and verify and the results should be validated to ensure it matches the required results. Once the testing is successful, the same is worked into the production environment. (e) New configuration and final testing The configurations are deployed and set up in the production environment and a final testing is done to confirm and check the effectiveness of the changes. (Security Assessment and Risk Mitigation, 2010) 6. Email Management The internal audit for Welco also raised concerns over the functionality and usability of the network; the company need to ensure additional storage capacity, mail servers and should have policies restricting the email retention. An effective antidote is employees should be requested to achieve their emails on a regular basis. It helps the data to be compressed which in turn reduces the physical storage requirement. Short cuts can also used to replace the original emails which will again reduce the storage requirements. Recommendations Best Practices that can be adopted by the organizations For protection of data, firewall configuration should be installed and maintained Access restriction to all financial and confidential data by business Updating anti virus software regularly in all the systems Encrypt transmission of sensitive, confidential, customer and client data across all the public networks used Develop and maintain secure systems and applications in all the offices Physical access restriction to financial and sensitive information Unique ID provided to each employee with computer and laptop access Testing of security systems and processes to be done on a regular basis at all the office branches (Best Practices for Security Measures for Protecting Personal Information, 2008) Area penetration test can highlight the areas of weakness and the results can provide information to take necessary measures for the organization to combat risks. (The internet Security Risks Facing your Organization: Test and be Saved, n.d) Best practices of Physical and Procedural security measures Fax machines and printers should be located in a secured area and all sensitive documents to be retrieved from the printer immediately. Confidential information and destruction of paper records need to be done using a paper shredder The employees passwords or PIN numbers should not be shared and only authorised individuals can gain access Encouraging clean desk policy to ensure no confidential information is exposed All electronic confidential information and CD’s should also be destroyed shredded using cross cut shredder. (Best Practices for Security Measures for Protecting Personal Information, 2008) CONCLUSION It is very essential to have basic understanding and knowledge of security awareness and the impact as it may result in serious system damage, reputation and loss of business at times. The dependence of the internet has increased for both the organization and individuals and hence the awareness to protect data from disclosure. (Dereje & Zheng, 2003) The business leaders need to ensure effective security which helps the organization from malicious activity. Many organizations are implementing risk based approach to security management. The organization’s security is established in the interaction of people, process and technology. The organization’s network infrastructure will decide the security environment. Security incidents or security breach are often can be measured in terms of the productivity loss and intangible effects include the amount of reputation destruction made to the company. In today’s world, security is the core competency for any organization. The business partners, clients, customers are demanding privacy and confidentiality of the information. To sustain this, the business leaders need to take the responsibility to ensure the security is maintained. Increase in awareness, knowledge and understanding of security is very essential for an effective approach towards governing and managing security. Literary References Applabs- ‘The internet Security Risks Facing your Organization: Test and be Saved’,[online] retrieved 27th Feb 2010 from http://www.applabs.com/uploads/app_industrycomment_the_internet_security1.pdf American Chemistry Council, Responsible Care Measures Code of Management Practices, [online] retrieved 25th Feb 2010 from http://www.americanchemistry.com/s_acc/bin.asp?CID=373&DID=1255&DOC=FILE.PDF Berinato Scott (2003), After the storm, Reform [online] retrieved from http://www.cio.com/article/32033/2010_The_Future_of_Security Best Practices for Security Measures for Protecting Personal Information (2008) [online] retrieved from http://www.cl.cam.ac.uk/~rja14/Papers/SE-18.pdf Dereje Yohannes & Zheng- Quan- Xu (2003), The current Security Awareness and Reliability in Area Enterprise Networks- Pakistan Journal of Applied Sciences, 3 (1) 17-22 Keeping people and information Connected, Sungard Availability Program,[online] retrieved 27th Feb from http://www.availability.sungard.com/Documents/Key_Considerations_For_Disaster_Recovery_Planning.pdf Migrating the Top 10 Network Security Risks in SCADA and Process Control Systems (2007) [online] retrieved 27th Feb 2010 from http://www.mcafee.com/us/local_content/white_papers/wp_cor_scada_001_0407.pdf Ruby Bayan (2006), ‘Success strategies for security awareness’ TechRepublic, retrieved 27th Feb 2010 from http://articles.techrepublic.com.com/5100-10878_11-5193710.html Roger Needham and Butler Lampson (2006), Network Attacks and Defense, retrieved 25th Feb 2010 from http://www.cl.cam.ac.uk/~rja14/Papers/SE-18.pdf Redhat Enterprise Linux 4: Security Guide, [online] retrieved 27th Feb 2010 from (Migrating the Top 10 Network Security Risks in SCADA and Process Control Systems, 2007) Tom Olzak (2009), Physical Security Controls, [online] retrieved 28th Feb 2010 Richard A. Caralli, ‘Challenges of security management’ retrieved 1st March 2010, from http://docs.google.com/viewer?a=v&q=cache:LHBMG7JhF3oJ:www.cert.org/archive/pdf/ESMchallenges.pdf+challenges+of+security+management&hl=en&gl=in&sig=AHIEtbTOE6U5o3FXJ-COAlGKbxmNKJkwxw Security Assessment and Risk Mitigation (2010), Jupiter Networks, United States of America Security Threat Report (2008) Sophos retrieved from http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-report-08.pdf Read More