Personal Computing Situation Security Assessment - Essay Example

Summary
This essay "Personal Computing Situation Security Assessment" presents a security assessment that was conducted on my personal computing situation with regard to the different gadgets, computers, and cloud storage servers. The security assessment will be done on computing items…
Extract of sample "Personal Computing Situation Security Assessment"

Personal computing situation security assessment

Name:
Institution:

Overview

This is a report on a security assessment conducted on my personal computing situation with regard to the different gadgets, computers and cloud storage servers. The security assessment will be done on computing items such as home computers, personal laptops, smart phones and hard disk. An assessment will also be done on the network used at home and the cloud data space used to back up information.

My computing items such as the home computer, personal laptop, phone, hard disk and even the network may be prone to different security risks as compared to the cloud storage service. The former are prone to physical damage of hardware components and software damage, while the cloud computing storage may be prone to risks mainly involving loss of data. The following are personal computing items that are vulnerable to the security threats mentioned above. The more likely security risks to occur will be discussed.

Home computer, laptop and smart phone

These three items can be classified as computing devices due to their ability to collect data, process the data and store it as information. They all have hardware, software and data which are prone to different forms of risks as described above. Hardware can be damaged as a result of vandalism, natural occurrences such as flood or lightning strike, power surges, general degradation of computers leading to system failures, or theft. These risks are imminent on the devices owned and thus a security assessment should be done to mitigate against these.

These computing devices contain different software which is also prone to security risks. The main risk to software is theft or copying software illegally and intentional deletion of the software. By deleting software that performs a particular task, the user is unable to utilize the computer or device to fulfill tasks, thus causing a setback to the user.
Computers and other devices contain private data which should not be accessible to other people apart from the one who owns it. Unauthorized access to private data is a common security risk which leads to a lot of damage to the data owner in this day and age. An example may be unauthorized access to one's personal financial information including access to bank accounts; this may cause one to lose their personal savings in a short period of time.

Home network and internet

Any network is prone to security risks due to the transit of data happening any time it is in use. The home network is not an exception. It is prone to security risks such as transmitting malware, spoofing, denial of service and unauthorized external access. The network and the internet provide a lot of resources but also increase vulnerabilities due to the fact that they open up access on the device to many other people. An attacker may use one or more methods to maliciously cause damage to data, steal data or introduce malware that affects a computer and its processing capability (Tay, 2012).

Cloud storage service

Security risks around cloud storage services, which provide data storage space to back up data in the form of folders and documents, are still evolving. The security of data and software is mainly handled by the service provider. However, a user with an account on a cloud storage server is expected to ensure that credentials to the account are kept secret, otherwise an unauthorized person may have access to private information (Warren & Hutchinson, 2003).

Normative model

The normative model used for this security assessment is the AS 27002. This model is similar to the ISO 27002:2005 model, which has been the recognized standard since 2005 until the date it was updated in 2013, thus introducing ISO 27007:2013 (Whitman & Mattord, 2011; QAP, 2015). Due to the fact that the computing situation under assessment is personal, some of the sections under the normative model AS 27002 will not apply.
The sections that will not be tackled are more applicable in an organization. However, in both a personal situation and an organizational situation some sections are standard. The sections to be included in this personal situation assessment are as follows:

  • Section 6: Organization of information security – This provides controls used in governing information in regard to internal and external parties authorized to use information. For a personal computing situation, the controls will govern people's access to data on the home computer, laptop and smart phone. This will also extend to the organization of information on the cloud storage space.
  • Section 7: Asset management – This section deals with accountability of all resources using an inventory that records all assets and their location. Assets can be data, software or hardware and classification of information. Classification of information is relevant in cloud storage space and computers but it might not apply much for the phone.
  • Section 9: Physical and environmental security – This contains controls that protect computer hardware against malicious or accidental damage or loss of equipment. This may be overheating of the home computer and laptop, losing equipment due to theft or vandalism and so on.
  • Section 10: Communications and operations management – This section contains security controls for system and network management. For the personal computing situation, the home network and internet and provision of service by the cloud storage provider will be assessed under this criterion. A view on how data should be treated in transit, storage and backup will be assessed.
  • Section 11: Access control – This section mainly focuses on access restrictions to networks, user data, operating system, software and portable devices.
  • Section 12: Information systems acquisition, development and maintenance – This section is mainly concerned with building security while developing new applications or into existing applications. This may be reinforcing security on already existing applications by adding features such as digital certificates or testing software to ensure that security of data and processes is present.
  • Section 13: Information security incident management – This section caters for anticipation of incidents by reporting and making adjustments. For a personal computing situation it is necessary to have an assessment of incidents that are likely or that nearly happened and have a record of how they can be avoided or managed.

The sections provided below will not be used in the security assessment since they are more organization based:

  • Section 5: Security policy – This section provides controls for the security policies in an organization. For a personal computing situation, security policies are not a very major concern.
  • Section 8: Human resources security – This section caters for controls that revolve around employee usage of facilities. It sets controls on how joining, current and leaving employees should handle transfer of information and equipment. It is also not applicable in the personal computing situation.
  • Section 14: Information security aspects of business continuity management – This section mainly deals with disaster planning and disaster recovery for a business to ensure business remains running in the event of a failure in a system or process.
  • Section 15: Compliance – Organizations must comply with the set legal constraints in data and information handling, copyrights, cryptography restrictions etc. This section provides controls that are used to assess compliance with the legality in the different domains.

Summary of tasks on review

The review touches on several aspects of security assessment under the applicable sections of the normative model AS 27002 used for the review.
In summary, the tasks performed in the review were mainly in regard to the home environment and the people who have access to my personal computing items and data. The following are some of the activities done and the evidence that helped form views regarding the test:

  • Perform an inventory of all the equipment and software available for use and where they are situated. To do this, a list of all items owned was created and any accessory that can be used was indicated. The location of the items was then recorded.
  • Check classification of data and determine if it is private or public. This was done by checking if data is properly organized and labeled.
  • Protection of personal equipment was reviewed by checking if equipment is stored in a secure room or other location and that it is not tampered with from time to time. The condition of the equipment was checked to monitor tampering.
  • For services offered by a third party such as cloud storage service or the internet, the terms and conditions were reviewed to check if data protection clauses exist and what contradiction to the clauses may be present. This required having the most current terms from the third party service.
  • Protection against virus, malware and intrusion was reviewed by performing a system scan using up-to-date virus scanners, and monitoring firewall activities and logs. The results were then checked to provide insight into on-going activities.
  • A user access management review was done by checking the user accounts available and the kind of content they expose to external individuals. User guest accounts were checked to ensure they don’t provide access to sensitive information.

Although most of the tasks reviewed did not require any tools to accomplish, some tasks utilized tools as is provided below.

  • Virus and malware scans were done using anti-virus software.
  • The system log monitoring required tools to format the log data in a logical format.
  • The firewall settings and monitoring also required software to enable it to report on the activities.

Recommendations

After completing the review it was observed that some adjustments may need to be done. However, some current practices indicate that security measures are being taken into account to prevent loss and damage of data and equipment. Some of the good issues that came out of the review were as follows:

  • Protection of equipment by ensuring it is in a safe room with restricted access was in place. The door to the location of equipment is always locked if the room is not in use.
  • Inspection of tampered hardware is done once in a while to ensure no one has had access to it or caused intentional or accidental damage to it.
  • Reading the terms and conditions before accepting use of a service.
  • Currently, there is use of a strong password to restrict access to personal user accounts on different devices owned and services used as provided by the third party service providers.
  • A routine update of anti-virus software and regular scan of the system is done to ensure the system is not affected by malware.

However, there are some bad issues that came out of the review that may need to be addressed and they are as follows:

  • There is no inventory of the items owned including all computer equipment, accessories, purchased software and so on. This may contribute to losing the items due to lack of knowledge of who has them or where they are. An inventory should be created immediately.
  • Data, files and folders are not properly labeled and put in private and public locations in the system. This may lead to unintended or malicious breach of privacy by other individuals.
  • The network was not secure due to lack of proper firewall settings and monitoring. The settings need to be done and monitoring commenced immediately.
  • Guest accounts have not been created, thus running a risk of losing private information in case the computers or smart phone are lent to someone. User accounts need to be created for guest users and user access management implemented.

Methodology reflection

The model touches on almost all aspects of a security review necessary for a personal computing review situation. In my opinion, the security review has targeted the right issues in my current situation. The controls provided in the current review may be sufficient for my personal computing situation but may be lacking for other kinds of individuals that have more complex systems in their possession. The review material provided is fairly simple to use for any individual with a strong IT background. It is sufficient to ensure that they review the basic security risks that may affect their systems.

References

QAP 2015, ISO 27002 - Best practice on information security management, viewed 07 May, 2015 http://www.qualified-audit-partners.be/index.php?cont=749&lgn=3

Tay, A (2012) 28 Types of Computer Security Threats and Risks, viewed 07 May, 2015 http://www.itscolumn.com/2012/03/28-types-of-computer-security-threats-and-risks/

Warren, M & Hutchinson, W 2003, A security risk management approach for e‐commerce, Information Management & Computer Security, Vol. 11 Iss: 5, pp.238 - 242

Whitman, ME & Mattord, HJ 2011, Management of Information Security, 3rd Edition, Cengage Learning

Appendix

Control 6.1.1. Create a personal framework for information security for a personal situation
  • Comment about the evaluation taken: This will require relevant people to have access to information relevant to them.
  • Tests: Generate a framework and provide it to people accessing devices and networks.
  • Recommendation: Communicate the framework to users of computing devices and network.

Control 7.1.1. All equipment should be accounted for and the location indicated. This includes the home computer, laptop, network equipment, hard disk and any other item owned.
  • Comment about the evaluation taken: An inventory list on an Excel worksheet can be generated to record all assets available. The list should show where all items are and, if borrowed, by whom.
  • Tests: Account for all items available and get current location regularly, e.g. weekly.
  • Recommendation: Introduce a borrow-lend policy for computing items, especially the portable items such as hard disk.

Control 7.2.1. Properly label information on computer and cloud storage to ensure it is clear that it shouldn’t be accessed.
  • Comment about the evaluation taken: Labeling data may not prevent unauthorized individuals from trying to access it. This data may need some extra access control such as password protection so that it is well protected.
  • Tests: Check that files of private content are put in order (single folder) and labeled as private. Information that is not very private should also be classified and properly labeled to avoid accidental private information leak.
  • Recommendation: Ensure that the labels clearly indicate the content of information.

Control 9.1.1. Introduce restriction to access the location of personal computing equipment to prevent access to the infrastructure
  • Comment about the evaluation taken: For a personal situation, this may not be as effective as in an organizational setting where people and processes are employed to ensure limited access to hardware.
  • Tests: Ensure access to the room with equipment is limited by locking if not present.
  • Recommendation: When present in the rooms where equipment is stored, ensure you are aware of the people accessing the location.

Control 9.2.1. Physical access to the hardware and network devices should be monitored, especially for the home computer and home network. Laptop and smart phone should be handled with care to prevent damage.
  • Comment about the evaluation taken: Surveillance of home computer and home network devices can be introduced by using cheap camera solutions. Regular checking of hardware tampering should be done.
  • Tests: Inspection of hardware tampering from time to time and record each event.
  • Recommendation: Determine a pattern, if any, of any kind of tampering and introduce surveillance of hardware.

Control 9.2.2. Introduce preventative measures against hardware damage and theft such as locking equipment in a secure space and introducing safe cabling measures for networks
  • Comment about the evaluation taken: Use of lockers or a safe can be a valid means of securing equipment. The hard disk, laptop and home computer can be put in a secure locker if not in use.
  • Tests: Obtain a suitable safe location to store items and regularly check for safety degradation.
  • Recommendation: Always store equipment if not in use to ensure less likelihood of theft.

Control 10.2.1. Check the security clauses in the third party agreements for services being provided by the cloud storage service and internet service provider
  • Comment about the evaluation taken: The security clauses should indicate that personal data stored and transmitted through these services should have privacy protection.
  • Tests: Inspect agreements with the third party provider.
  • Recommendation: Always read the terms and conditions provided by a service provider to ensure personal information will be protected at any time.

Control 10.3.1 Protection against virus and malware
  • Comment about the evaluation taken: Protection against malware and viruses is an essential part of security risk assessment. This will help protect data from being corrupted, stolen or modified. It also protects processing capabilities of the computer.
  • Tests: Use effective anti-virus software to detect and eliminate viruses and malware in the system.
  • Recommendation: Update anti-virus software regularly to be able to capture viruses at an early stage before they corrupt too much information. Perform regular scans of the system.

Control 10.5.1 Perform routine back up of information to ensure a fall back option is available
  • Comment about the evaluation taken: This protects against loss of all the data as compared to data acquired between the last back up and failure.
  • Tests: Use computer and smart phone backup software to create back up and restore points regularly.
  • Recommendation: Introduce an automated back up routine to ensure you have an up to date back up at any point.

Control 10.6.1 Create network security measures such as firewalls and management of private home network
  • Comment about the evaluation taken: Use firewall settings that ensure minimal access to the internal home network from the public.
  • Tests: Use firewall software to secure the private network and monitor attempted intrusions into the system.
  • Recommendation: Regularly check the firewall monitors to see attempted intrusions.

Control 10.7.1 Media handling for information backed up in hard disks
  • Comment about the evaluation taken: Information that has been stored in hard disk may cause a security breach if lost.
  • Tests: Test accessibility of information on hard disk.
  • Recommendation: Protect hard disk information using a password.

Control 10.10.1 Monitor logs to determine any errors or unauthorized access within the system
  • Comment about the evaluation taken: Web service logs and application logs on the computer provide a lot of information regarding system use.
  • Tests: Check system logs to determine any potential security breach.
  • Recommendation: Acquire monitoring tools to help interpret logs and monitor for system breach.

Control 11.2.1. User access management for home devices and network.
  • Comment about the evaluation taken: Introduction of guest accounts for other users who should not be allowed to access private data in computers, smart phone and home network. The admin account should be locked and password protected.
  • Tests: Create a guest account and provide limited access to content available on the system.
  • Recommendation: Create user accounts for frequent users of the home computer and ensure all accounts are password protected.

Control 11.4.1 Network access controls should be put in place to avoid network breach
  • Comment about the evaluation taken: The internet allows external users to have access to personal computers. This needs to be restricted.
  • Tests: Test network breach from external systems into personal computers and network devices.
  • Recommendation: Secure the computer access from external intrusions.

Control 11.5.1. Device operating system should have restricted access to the admin alone
  • Comment about the evaluation taken: No modification should be done on the operating system unless warranted and authorized by the administrator of the devices.
  • Tests: Check restriction against change of operating system data.
  • Recommendation: Restrict permission of operating system information to other users.

Control 12.2.1 Set digital certificate on application working with remote systems
  • Comment about the evaluation taken: Digital certificates will help in transmitting data in an encrypted format.
  • Tests: Check if applications and servers that require digital certificates are accessed in a secure way.
  • Recommendation: Get digital certificates or create certificates that can be used to encrypt and protect data.