Historical Analysis of the Security Breach - Report Example

Information Security Name Course Name and Code Instructor’s Name Date Historical Analysis of the Security Breach Threat In information technology, threat can be defined as the danger in which vulnerability can be exploited to breach security resulting in possible harm. Threats may occur in two perspectives, which may either be intentional or accidental. When it comes to intentional, it may result from an intelligent attacker e.g. a cracker while in the case of accident, it may result from acts that are beyond human control such as malfunctioning or “act of God” e.g. tornado. The threat in this case was the hacker breaching the system and accessing thousands of personal information. These information and data are important for both the institution and also at personal level. Vulnerability Vulnerability can be defined as a weakness that can be utilised by an attacker to decrease information assurance within a system. Vulnerability brings into consideration three elements, which are a system flaw, access of the flaw to the attacker, and capability of an attacker to access the flaw. In the case of University of California, vulnerability within the university system resulted in the loose of eight hundred thousand records from the institution database. Some of the information contained in these database included staff information, faculty, and student information. Some sensitive information that posed a threat included Social Security numbers, birth dates, names and other details that play an important role when it comes to identity theft. Risk Information technology risk can be defined as any risk that is related to information technology. This is a new term, which is commonly associated with information security in that it incorporates a multitude of risks that are relevant both to the real world processes and to IT. Thus, risk is a combination of likelihood and impact in determining the chances in which an issue can occur, and its occurrence may translate into vulnerability of the asset (service), and also the value of the asset to the stakeholders. Hence, the vulnerability within the institution asset may contribute towards loose of personal information, and in this case, the loose occurred. Therefore, the risk was inherent and hence preventive measures should have been in place. Impact The impact of the vulnerability was the loose of eight hundred thousand details of the staff, students and faculty. Moreover, unauthorised persons accessed important information such as security number and birth dates. These information forms an important component in identity theft that may result in devastating consequences. In addition, the vulnerability of the institution’s information technology security and assurance section was shown has having numerous weaknesses. Even though the institution claimed information accessed was not misused, there are chances that in the future, the information can be used. Nevertheless, such threats and risks provide means in which information technology experts and the institution can use in ensuring that future threats do not occur. Out of this threat for example, resulted in formulation and implementation of anew security policy paper and plan for the institution. Security and Assurance based on PDCA Processes in Place The PDCA process incorporates Plan, Do, Check, and Act phases, in which each component deals with an important issue in ensuring security is championed. The plan phase establishes processes, objectives and procedures that are important in managing risk and ensuring that information security is improved to deliver outcome based on the organisation’s objectives and overall policies. The second aspect, Do, provides means of implementing and operating the controls, policy, procedures, and processes. The Check phase assesses and determines whether the outcome champions the views of the Plan phase. The last phase, Act, introduces the preventive and corrective actions based on the Check phase. The security and assurance team did not follow up the planning process because the breach lasted approximately a year. If the team checked whether the systems was free from threats, it could have provided an opportunity in which the threats could have been corrected in advance. Current Analysis CoBIT 4.1 Domain Control Objectives Plan and organize Strategic IT plan – the institution has clearly defined plan to ensure that its IT resources are utilized well, and also meets security requirements. Moreover, the plan utilises the weaknesses witnessed on the previous system into ensuring a comprehensive and updated approach is taken to ensure security, confidentiality, and privacy of institution’s information http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Information architecture – the system architecture incorporates client/server, standalone PC-based, web-based, etc., and remote access capabilities. The information architecture is interlinked into ensuring that the students, staff, and other stakeholders can access information based on their privileges and authorisation rules http://www.ucop.edu/ucophome/policies/bfb/is10.pdf Technological direction – the university has laid out plans and directions in which the institution organizes and acquires appropriate resources. This has been achieved by documenting and assessing the requirements of the institution. Moreover, the institutional with the help of service experts such as contracts have formulated and implemented strategies that champions for information security. In addition, the stakeholders continuously assists the institution in determining the appropriate approach in which the institution can advance technologically http://www.ucop.edu/ucophome/policies/bfb/is2.pdf IT processes, organization and relationships – all the information are managed by The Regents of the University of California. The Regents of the University of California facilities effective and efficient way in which the IT resources are utilized optimally http://www.ucop.edu/ucophome/policies/bfb/is2.pdf IT investment - UC Technology Acquisition Support Group manages investments. Investment is an important component in any setting and hence it is important for the institution to investment strategically on its information technology sector. Thus, with the help of the institution, UC Technology Acquisition Support Group assists in determining the appropriate investments and advices the institution on appropriate actions to be taken Aims and directions - UC Technology Acquisition Support Group also determines and influences the aims and directions that the institution should utilise. It means that with the help of other departments, the group assists and advice the institution on the aims and directions in which the institution should take IT human resources – the university continuously informs, trains and updates the human resource on new measures and approaches that ensures that information is provided effectively http://www.ucop.edu/irc/itsec/uc/training_modules.html Manage quality - The UC Technology Acquisition Support Group manages quality. Understanding institution requirements assists the institution in determining the appropriate technology and quality standards that the institution should maintain. High standards of information technology will also directly influence the way other departments within the institution will function http://uctas.ucop.edu/ Acquire and implement Automated solutions – with the help of UC Technology Acquisition Support Group, the leadership segment plus other players ensures that automated solution and software are maintained appropriately Maintaining application software – the application software is usually maintained by the maintenance section of IT department. The IT department is required to frequently maintain and update software based on the laid down procedures and directions Maintaining technology infrastructure – The UC Technology Acquisition Support Group maintains and manages the technological requirements of the institution. The group ensures that required and applicable resources are obtained within a given timeline http://uctas.ucop.edu/ Operation and use- the IT department ensures that all human resource are able to fulfil its requirements based on the training that they receive. Moreover, the employment contractors determines obligations and duties for each of the persons who is required to fulfil certain obligation http://www.ucop.edu/irc/itsec/uc/training_modules.html Procurement of IT resources – before the university purchases any product or service, the university provides Request for Information that aims in defining the recent and applicable resources this will be followed by other measures that ensures appropriate resources are obtained http://www.ucop.edu/ucophome/policies/bfb/is10.pdf Manage Changes – Changes are inherent in any IT system and should be approached in a manner that does not inhibit provision of services. Thus, changes should be conducted based on planned directives and supervised by the appropriate authority http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Installation of solutions and changes – third party service providers and the institution comes together into defining, selecting, and utilizing appropriate resources that ensures the institution operates efficiently http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Deliver and support Manage service levels –Service level differ within and between departments within different sectors of the institution. Moreover, since there are numerous campuses, the service levels should be high to ensure that quality is maintained. Thus, each department determines how their information technology equipments operates and with the help of IT management leaders, the leaders determines whether the service levels should be changed or not http://uctas.ucop.edu/ Manage third party services – all third party services are managed by the providers, and also they ensure it conforms with federal and state laws http://www.ucop.edu/ucophome/policies/bfb/is2.pdf Moreover, these parties enters agreements that includes satisfactory assurances http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Manage performance and capacity – the institution is determined in ensuring every stakeholder understands the importance of the IT services, ensuring information is disseminated effectively, and ensuring that goals and objectives are aimed at Ensure continuous service – the training and human resource plus the appropriate security ensures that the university offers continuous service. Moreover and based on the security plan, the strategies in place ensure that business continues even if there are some complications that are in place http://www.ucop.edu/ucophome/policies/bfb/is3.pdf System security – some of the important components that are championed by the institution information security include integrity, availability, and confidentiality. If these three components are encouraged, the information security within the institution will deliver the requirement aims and objectives http://www.ucop.edu/ucophome/policies/bfb/is2.pdf Allocation of costs - The UC Technology Acquisition Support Group allocates the costs and determines which resources should be acquired. Moreover, the group determines the best means in which these resources are also utilized http://uctas.ucop.edu/ Educate and train users – the institution trains and informs all stakeholders on means in which they will continuously use and appreciate the importance of security while using the university IT resources. This means that the users and staff are informed on risks associated with the service and also means in which these risks can be avoided. http://www.ucop.edu/irc/itsec/uc/training_modules.html Management of incidents – Incident Response Team that incorporates different experts on their fields ensures that incidents are managed appropriately. If any incident is reported, the team comes and addresses the issue accordingly. Hence, incidents are managed approrpiately within a given time http://www.ucop.edu/irc/itsec/documents/uc_incidentresp_plan.pdf Management of configuration – each campus has its Campus Implementation Plan that contains information on management, incident report, and mitigating strategies. http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Manage problems – Incident Response Team manages any problems with the help of different departments within the institution http://www.ucop.edu/irc/itsec/documents/uc_incidentresp_plan.pdf Manage data – data accessed should be documented for future references. This is achieved through the use of logs document, password and user identification. Thus, access of data should be restricted http://www.ucop.edu/irc/itsec/uc/LogManagementGuidelines-2006-05-01.html Manage the physical environment – the campus and other parties that are involved with running the institution manage the environment. These include the security staff, the management of the institution, the students within the institution, and other stakeholders within the institution. http://www.ucop.edu/ucophome/policies/bfb/is12.pdf Manage operations – the operations are managed by Information Security Officer (ISO) who is responsible for any activity that occurs within the IT sector within the institution. The officer helps in formulating and implementing appropriate structures ensuring that the business is successful http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Monitor and evaluate Monitor and evaluate IT performance – some of the important determinants of security comprises of security objectives that incorporates integrity, confidentiality, and availability, and security impact that includes low, moderate and high. All these informations are clearly defined on the risk assessment form http://www.ucop.edu/ucophome/policies/bfb/is2.pdf Internal control – the institution has employed incident response planning and notification procedures that ensures any intended breach is reported instantly http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Ensure compliance with external environments – the departments that is involved with IT sector ensures that all stakeholders follow defined procedures based on numerous documents provided http://www.ucop.edu/irc/itsec/documents/uc_incidentresp_plan.pdf Provide IT governance –the governance structure ensures the network system and infrastructure operates well based on the laid down plans http://www.ucop.edu/irc/itsec/documents/uc_incidentresp_plan.pdf ISO17799 Section Actions in place 5. Security policy management The institution has clearly defined information security policy http://www.ucop.edu/ucophome/policies/bfb/is3.pdf 6. Corporate security management Internal security organization – the institution has internal measures that are guided by a group of experts that is aided by Internal Security Officer Control external party – the institution has clearly defined procedures of recruiting third party agents, and means in which security is championed internally. Moreover, all the rules are based on terms on the contracts, and other laws such as federal and state law 7. Organisational asset management Responsibility of assets – all the assets within the institution is managed by Regents of the University of California facilities effective and efficient way in which the IT resources are utilized optimally http://www.ucop.edu/ucophome/policies/bfb/is2.pdf 8. Human resource security management Security before employment – the employees are informed of importance of security, privacy and confidentiality on their roles within the organisation. This is achieved through the use of contracts and other measures that places the employees within legal and ethical environments http://www.ucop.edu/irc/itsec/uc/training_modules.html Emphasis on security – continuous education and training has ensured that the employees are update on current security measures and appropriate measures that ensures for security Termination of employment – employees are given passwords and usernames, and also access is limited to their functions within the organisation. When the employment is terminated, the employees access preferences are removed: this is clearly defined when the employees are employed 9. Physical and environmental security management Security – all the campuses are protected and CCTV cameras are placed strategically that ensures only authorised person can access certain premises. Moreover, other measures such as perimeter walls, control of room determines access to specified persons http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Protection of equipments – there should be clearly defined reasons why equipments should be moved, and it requires authorisation. Moreover, measures such as utilising only equipments at their locations ensures that the resources can be protected while those moved can be tracked easily 10. Communications and operations management Establishment of procedures and responsibilities – Responsibilities and operations are defined in that specific persons are allowed to access any information. In addition, procedures are in place that ensures activities are completed based on laid down procedures Control of third parties – laid down procedures are in place that determines different responsibilities of third party service providers. These agreements are based on federal, institution and state laws http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Future planning – it is the responsibility of UC Technology Acquisition Support Group to ensure that the IT department within the institution is strategic. Strategic plan includes analysing the way in which the institution operates and means in which this operation can be improved. Thus, future planning is inherent in the way the institution operates Protection against malicious and mobile code – measures are in place that ensures the information is protected against these risks. This measures includes the use of antivirus, confidentiality in access code, and other means in which unauthorised persons are not allowed to access the information http://www.ucop.edu/irc/itsec/uc/LogManagementGuidelines-2006-05-01.html Back up procedures – there are clearly defined procedures ensuring that information is protected Protection of computer networks - defined measures are in place that ensures that computer network are protected both physically and remotely Management of media – system documentation and management of movable media are in place that ensures for security Protection of information exchange - information before being sent is encrypted, and agreements are in place that champions privacy http://www.ucop.edu/irc/itsec/uc/LogManagementGuidelines-2006-05-01.html Protection of electronic commerce services – no defined measures in place Monitoring information processing facilities – recording of logs and other measures that determines logging are in place Information access control management Information access control – there is a policy that defines and determines access of information http://www.ucop.edu/irc/itsec/uc/LogManagementGuidelines-2006-05-01.html Management of access- measures are in place that determines access of information http://www.ucop.edu/irc/itsec/uc/training_modules.html Good access practices – through training and educating stakeholders, the stakeholder understand importance of passwords while other players such as human resource ensures that specified persons can access certain information Networked services access – measures are in place that ensures that networks are protected http://www.ucop.edu/ucophome/policies/bfb/is3.pdf Operating systems , application software - all these type of information are protected based on their sensitivity level 12. Information systems security management Identification of information system security requirements – security control and requirements are in place that determines the way in which security is championed http://www.ucop.edu/irc/itsec/uc/training_modules.html Cryptographic controls and organisation’s system files – encryption is champion and it is commonly used in protecting sensitive information. Moreover, the database administration determines which software is installed and determines appropriate measures that ensures access is controlled for new programs http://www.ucop.edu/irc/itsec/uc/LogManagementGuidelines-2006-05-01.html Control development and support process – it is not defined clearly Technical vulnerability management – measures are in place that protects against vulnerabilities 13.Information security incident management Reporting of incidents – defined means are in place that alerts appropriate sectors that there is a breach. This system reports information instantly and appropriately Management of information security incidents and improvements – Incident Response Team main responsibility is to ensure that threats are addressed promptly Business continuity management Business continuity measures are in place that ensures services are offered continuously whatever the circumstances. In addition, the measures ensures operations are returned to normalcy within the short period possible Compliance management Legal requirements - The laws and regulations within the institution, state and federal agencies guide legal requirements – the operations of the information technology. This means that legal requirements define many things including third party agreements, employment contracts, services and products contracts, etc. Security compliance reviews – Frequent updates and review is championed within the institution that ensures that all approaches utilised by the institution is championed Controlled information system audits – frequent audits are carried out by the institution References Information Technology Services. 2012. Online Security Awareness Training Modules and Related Sources. Available at http://www.ucop.edu/irc/itsec/uc/training_modules.html UC Business and Finace Bulletin IS-10. 2001. Systems Development and Maintenance Standards. Available at http://www.ucop.edu/ucophome/policies/bfb/is10.pdf University of California Business and Finance Bulletin. 2007. IS-12 Continuity Planning and Disaster Recovery. Available at http://www.ucop.edu/ucophome/policies/bfb/is12.pdf University of California Business and Finance Bulletin. 2011. IS-3 Electronic Information Security. Available at http://www.ucop.edu/ucophome/policies/bfb/is3.pdf University of California Business and Finance Bulletin. 2011. IS-2 Inventory, Classification, and Release of University Electronic Information. Available at http://www.ucop.edu/ucophome/policies/bfb/is2.pdf University of California Information Technology Policy and Security Officers. 2006. Log Management for the University of California: Issues and Recommendations. Available http://www.ucop.edu/irc/itsec/uc/LogManagementGuidelines-2006-05-01.html University of California. 2012. Privacy and Data Security Incident Response Plan. Available at http://www.ucop.edu/irc/itsec/documents/uc_incidentresp_plan.pdf University of California. 2012. UC Technology Acquisition Support Group (TAS). Available at http://uctas.ucop.edu/ Read More