Information Systems Risk and Security - Pax Nane Company - Case Study Example

Information Systems Risk and Security. Name Number Course Code Lecturer Date Executive summary This report is a follow-up to the risk assessment report for Pax Nane Company, which outlined the anticipated risks in the organization. Consequently, the report identifies the possible strategies that can be used to address the risks inherent in the organization and their effectiveness. Risk mitigation for the identified risks at Pax Naney is achieved by implementing several controls that are aimed at different levels of risks as outlined in the report. Conventionally, all risk mitigation strategies are aimed at risk reduction, emergency planning and implementation. Therefore, this risk mitigation report identifies mitigation strategies and controls that are based on the standardised frameworks aimed at reducing the impact of accepted risks and implementing controls for the identified physical, logical and operational security threats in the organization. Based on the risk assessment of the company, the report is built on the NIST SP 800-30 information security management framework. Table of Contents Executive summary 2 1.0 Introduction. 4 1.2 Scope 4 2.0 Risk Mitigation. 5 2.1.1Business strategy. 6 2.1.2Technology options and strategy. 6 2.2.1 Prioritization of Actions. 7 2.2.2 Evaluation of Proposed Control Options. 7 3.0 Cost Benefits Analysis. 10 4.0 Select Controls 12 5.0 Responsibilities 14 1.0 Introduction. 1.1 Purpose The purpose for this report is to provide a mitigation strategy which provides proactive solutions to the risks identified in the risk assessment stage of the risk management process. The risks identified for the Pax Nane Company are crucial items that could result in detrimental impacts to the company if not adequately addressed. Consequently, this report will act as a guideline and a reference manual to the senior management as well as the technical IT staff with regard to addressing security risks in the organization. 1.2 Scope This report is aimed at performing a risk mitigation plan and cost- benefits analysis for the possible risks in Pax Nane Pty Ltd. The scope of this report is to: Identify and prioritise actions; Formulate and implement a risk mitigation plan Provide possible responses to critical risks in Pax Nane. Define responsibilities for implementing the identified controls. The risk mitigation strategy will, therefore, be based on the risk assessment report and the frameworks stipulated in the NIST SP 800-30 information security framework. 2.0 Risk Mitigation. 2.1 Risk Mitigation strategy According to Merkow & Breithaupt (2014), risk mitigation is the systematic process of identifying the possible ways of reducing risks and minimizing the impacts of identified risks. There are many options that can be used to achieve risk mitigation in the company as stipulated by the NIST SP 800 30 frameworks (Stoneburner & Feringa, 2002). Risk Assumption/ acceptance: The Pax Nane Ltd. can choose to accept the potential risk and allow operations to continue in the organization. Then strive to implement the necessary controls to reduce risks to an acceptable level. Risk Avoidance: This option involves avoidance of the risk by eliminating the cause of the risk by foregoing activities that might result in the exposure to the risk in the organization. Risk Planning: It includes identification and development of a plan to mitigate risks that prioritizes controls and subsequently implements and maintains the controls. Risk limitation: adverse impacts of a risk can be limited by implementing controls aimed at minimizing the adverse impacts of the threats. The mentioned vulnerabilities at Pax Nane Pty Ltd. in the Risk assessment report can be addressed by using preventive or detective controls. Risk transference: in situations where the risk is too severe and unmanageable, it is advisable to transfer the risk to avoid the damage that is associated with it. Physical threats like fires, floods that are unexpected and which the damage cannot be known beforehand can be managed through other options such as insurance. The choice of a particular option is determined by the level of the risk identified. Low Level Risks- acceptance or Assumption of risk. Medium Level Risks – use identified controls to mitigate the risks. High Level Risks – this kind of risk is detrimental and should be accorded high priority status. Therefore, it would require avoidance, limitation and transference options. To effectively achieve risk mitigation, Pax Nane Pty Ltd must use both business and technology options strategy. 2.1.1 Business strategy. The business strategy involves setting policies and procedures, designing an information security plan and centralization control of policies. It also involves documentation of strategies, identifying all barriers and looking for future competitor advantages and applying design principles. Finally, the strategy must consider the cost of the economic scale and economic substitution and assigning responsibilities (Verner et al., 2014). Pax Nane Ltd has for a long time overlooked the importance of information technology and the associated risks. They have overlooked the importance of factoring in the purpose of information technology in their strategic business plans. 2.1.2 Technology options and strategy. The first approach in this strategy is to establish an IT / information security director in the company who will also act as a representative of IT department in the board. As mentioned in the risk assessment report, Pax Nane Ltd has no personnel in charge of Information technology in the company. They have no representation in the board and worst of all information security issues are not considered an aspect to be discussed at the board of directors’ level. Therefore, the director will play a major role in articulating information system security issues to the senior management and board members of Pax Nane Ltd . The strategy also involves limiting the use of cloud for data storage, and if there is a need for this, then the company should develop their cloud storage. This will limit the risk of unauthorised access and loss of information (Zhang & Zhang, 2010). Information system security can further be reinforced by providing a strong network to the company. This can be done using antivirus, employing central login, using administrative controls and other network security techniques such as firewalls to safeguard the organization (Yeo et al., 2014). Other strategies include safe storage of backed up data. 2.2 Implementation of Security Controls. 2.2.1 Prioritization of Actions. This step is informed by the possible risks and threats that have been identified during risk identification and assessment (Grace & Myers, 2003). In the case of Pax Nane Pty Ltd, there are three levels of risks; High, medium and Low. Each of the levels will have different actions to mitigate them. Notably, the actions are prioritised based on the level of risk as identified in the assessment report. High risks such as fires and floods that may result in extreme impacts to the company such as loss of data and information, company assets among others, need priority actions that include; insurance policies, business continuity plans and recovery plans. Others include access restrictions, offsite back-ups and corporate policies. The table below shows prioritization of actions based on the risks identified in the organization; Risk Item Action Priority Virus Infection Secure system using antivirus High External theft of data Install firewalls High Unauthorized Access Enforce Access authorization and controls High Sabotage Enforce Access Authorization controls Medium Espionage Enforce Access Authorization controls Medium System Hacking Enforce Access Authorization controls, Use firewalls Medium Non- compliance with regulations Task legal team Low Natural Disasters Insurance policy, system back up Low 2.2.2 Evaluation of Proposed Control Options. The proposed strategies must be evaluated to determine their effectiveness and suitability in solving or minimizing the identified risk. The table below shows the identified risks and the proposed control strategy and an explanation of how the strategy is effective. Risk Mitigation Strategy Unauthorized access Establish a centralised authorization control centre in the IT department where employees are assigned Login credentials and passwords. Pax Nane has a central data centre that could easily be compromised hence requiring the use of the RSA security tokens for remote logins to enhance security. The company should also install firewalls to prevent backdoor entrances into the company information systems and the central data system. Pax Nane should establish the position of director of ICT. The IT director will define different levels of Access to different users depending on their roles in the company. Set policies regarding sensitive data and information. Pax Nane Pty Ltd is currently facing an imminent problem of unauthorised access due to its poor security of the VPN. Therefore, it is important that the company firewall is reinforced to minimize unauthorised access. Financial transaction access. Pax Nane Ltd should establish a secure connection to the servers using the https protocol and SSA authentication. Given the flaws in its VPN, financial transactions should be done through trusted and recognised financial service providers such as Paypal. Lost backup Lost backup can be experienced given the establishment of Pax’s data centre. Hence, it is advisable to maintain a strong back up in separate places that ensure availability of back up data and information. External data theft External theft such as the one experienced currently in the company is due to the presence of flaws in the network. It is important to install firewalls to prevent unauthorized digital access from remote places. Pax Nane should also enhance physical security to its buildings and office premises to prevent unauthorised access to the company premises. The company can use biometric recognition systems and check points during entry and exit of the building. It is also advisable to employ encryption techniques to prevent unauthorised access. Virus infection Pax Nane Ltd should install efficient and effective antivirus software to detect and remove viruses from the systems. Additionally, they should use firewalls to prevent remote virus infection. They should also establish policies regarding the use of external storage devices as well as BYOD. Incorrect data The company should use automated validation techniques in all its branches to ensure the correctness of data entered into the system. They must also formulate policies for data entry and access to enhance accuracy. System hacked Maintain multiple backups of the system to ensure availability of the system restore. Use encryption techniques to minimize chances of system hacking. Establish a logging system that will record all users of the system including the location and IP addresses. Finally, create internal policies that will provide guidance on the actions to be taken by employees, IT staff and the management in case of exposure to system hack. Web provider closes Have backup of site stored with backup provider and at another company-controlled location. Use established organisation with positive record and future. Internal data theft Keep records of all log activities of all employees in the system. Establish policies regarding company property and include terms of use and responsibilities of each employee particularly those interacting with data stored at the data centre. Keep track of employee access and terminate access credentials once employee is terminated. The policy should also have reference for penalties in case one commits a crime of theft in the company. Non-compliance with regulations Establish a forum where the IT department and the legal team of Pax Nane Ltd, can work together to determine all the legal requirements and ensure they are all met. Pax Nane Ltd should meet all the legal requirements and always rectify any issues as they arise. System breaks down Pax Nane Ltd should have a system backup onsite as well as offsite to ensure continuity of business activities in case of system break-down. Additionally, the IT department at Pax Nane should have a policy detailing what all employees and the management should do in the event of a system failure to minimize disruption of business activities. Incorrect use of System Pax Nane Ltd. Should maintain system back-ups (primary and secondary) and also automate validation techniques, software design methods that will limit potential for incorrect use system and encourage correct use of System. Additionally, the company should establish policies for employees and external contractors that abuse the system including penalties. Natural disaster It is difficult to secure all assets from natural disasters; however Pax Nane ltd should place sensitive information data and assets in secure location and maintain documentation. The company should also insure the most expensive and vital resources and assets in case there is a natural disaster. Third party integration The company should minimize third party integration and maintain strict policies to be used in the event of the possibility of third party integration. Going to cloud Cloud service is risky to Pax Nane Ltd in many ways. To prevent risk from cloud sit polices such as using cloud in non-important information. Otherwise create own cloud between the various branches and locations of Pax Nane Ltd. Social Media Pax Nane should provide facilities and devices to employees to prevent them bringing any personal device with them. Restrict employees using BYOD in the organization and sit as policy and procedure should there be a need for BYOD. Using Non- standard devices The company should always use standardized devices and hardware particularly network devices. Some of the standardised devices include Cisco routers among others. 3.0 Cost Benefits Analysis. Creation of Information and Communications Directors role: The creation of the position of the Information Systems director is the first step towards enhancement of system security in the company. The role of the Director will be mainly to oversee the management of information systems and security in the company. He will also be a member of the board representing the Information technology and information system requirements to the senior management of the company. Currently, Pax Nane Ltd doesn’t have an ICT manager to carry out these roles. The management and board has for a long time considered IT matters lightly. The role will oversee the management of IS security throughout the organisation. The ICT manager role will work closely with CEO, IT systems management and contracted organisations. The benefits of this role are to realise IS security initiatives and to enforce the continuation of the standards. The estimation of costs to be incurred by the company is approximately $150,000. Software security enhancement: Secondly, Pax Nane Ltd. must carry out software security enhancement. The modifications of the system security that include installation of firewalls, and antivirus software can be done in-house or outsourced. When these changes are implemented, the Pax Nane will realise improved data security and privacy. The cost is approximately $4000 for the following activities: Secure logins and password security encryption. Recording of system logging and activities of users in the system. Create different access levels to different employees. Encryption of vital and confidential documents. Restricted activities for different data to prevent unauthorised use of data. Network Security: Internal network and data security is enhanced by enforcing network security. With the current problem faced by Pax Nane Ltd, there is a need for network security to ensure secure transactions within and outside the company’s VPN. This will be achieved by: Installing stronger and more efficient firewalls. Establish secure connections to the servers in the company. It is also important to establish a secure financial transaction channels that limit third party access. The cost for carrying out these activities will vary depending on the security agents employed. The cost is approximately $1000. Information System Security Policy: Another important change that needs to be effected is the information system security policy for the organization. This change is beneficial to Pax Nane since it sets in place a policy that will ensure the company moves forward in information system security. This is approximated at $5000. Data Backup testing and Audit: We will also need to carry out data backup testing and audit to ensure that the backup integrity meets the expectations. Alternative actions should immediately be taken should the backup have any glitches. The cost for this activity is estimated at $150 per month. Hardware and physical security:Security to the system hardware and other physical resources of Pax Nane Ltd can be achieved through physical data security. The cost to be incurred is approximated at an initial cost of $2,000 and additional costs for physical security upgrade procedures. Security software: Security software is also needed to secure the company’s network from external attacks such as the one it's currently facing. Additionally, it also prevents the company’s system from infection. The cost is estimated at $2,500 per year. Data Auditing software: The company must also purchase a data auditing software to detect incorrect data entered either internally or from external sources. It is also used to detect unusual changes to data. The cost is approximately $3000 per year. Staff compliance with IS security: New staff and contracted business should be aware of the Pax Nane IS policy, therefore, the company must ensure they are compliant with the IS security policy of the company. The cost for this activity is estimated at $2000. Secondary System: Finally, Pax Nane Ltd. must set up a secondary system in case of failure of the primary system. It is beneficial to the company since it ensures continuity of business activities should there be any failure in the primary system. The cost is estimated at $5,000 per year. The total cost of implementing the Information security initiative and risk mitigation in the company is summarised in the table below: Security Control Initial Cost ($) Continuous Cost ($) IS security compliance 2, 000 - Information System Director - 150,000 Secondary system - 5,000 Security software/ service - 2,000 Data auditing Software - 3,000 Physical security 2,000 - Data backup and testing - 1,800 Network security 1,000 - Software security 4,000 - TOTAL 9,000 161,800 (p.a) 4.0 Select Controls As identified in the risk assessment report, there are three categories of risks or threats to information security in the company: Physicals security threats Logical security threats and Operational security threats. Therefore, the controls selected will address the three categories of security threats as shown below: 4.1 Technical security controls. These controls are implemented to prevent the company’s infrastructure against the possible IT security threats. These threats are mainly categorised as high priority threats. The chosen technical security controls should correspond to the defence-in-depth model. This model proposes a set of measures that are mixed to ensure maximum security. The model has several layers the ensure security of all aspects of the organisation’s information system security (Agrawal & Pierce, 2014). It ensures security of data by restricting and managing access to the sensitive organizational data. It is also concerned with data back up by providing secondary data backups. They also implement intrusion detection mechanisms. The model is also concerned with risks that could affect running applications in the system. They maintain defences such as periodic updates to applications and implementation of virus detection mechanisms. Securing operating system of the host computers against malware. Protects internal networks from external communications by limiting unauthorized access to data in the network. Enforces firewall networks that limit perimeter access to data in the network. Enhances physical security of devices and risks that are associated. The risks include the malware transmitted by USB devices. It includes the use of physical security such as doors, locks, surveillance cameras and check- points in the company premises. 4.2 Management security controls. Management security control involves the use of policies, procedures and regulations to manage and control the risks identified risks. The risk mitigation, therefore, involve establishment of policies regarding the carrying out of activities in the company. Most importantly, it involves the training and awareness of the employees on the importance of the security policies and why they should adhere to them (Ekelhart & Neubauer, 2009). 4.3 Operational security controls. The ICT director will ensure all the proposed security measures are implemented in the company. Additionally, they will ensure maintenance, monitoring and evaluation of the proposed mitigation strategies in the company. The operational security controls are preventative such as: Limit data distribution Control access to data and other resources. Control viruses. Fire damage protection. Workstation security Backup capabilities and security of IT environment. 5.0 Responsibilities Risk Responsibility Unauthorized access ICT director. Systems Administrator. ICT management team Financial transaction access. ICT director System administrator Lost backup ICT director System administrator IT technical staff External data theft ICT director System administrator IT technical staff Virus infection System Administrator IT technical staff. Incorrect data ICT director System administrator System hacked System administrator. IT technical staff. Web provider closes ICT director System administrator It technical Staff Internal data theft ICT director System administrator Non-compliance with regulations ICT director System Administrator Legal department System breaks down System Administrator It technical Staff ICT director Incorrect use of System ICT director Departmental Heads System Administrator IT technical staff. Natural disaster ICT director. System administrator Senior Management staff Third party integration ICT director Senior Management System administrator Going to cloud ICT director System administrator Social Media ICT director Systems administrator IT technical staff. Using Non- standard devices ICT director Procurement officers System administrator IT technical staff. Reference. Agrawal, M., Campoe, A., & Pierce, E. (2014). Information Security and IT Risk Management. Wiley Global Education. Alberts, C. J., & Dorofee, A. (2002). Managing information security risks: the OCTAVE approach. Addison-Wesley Longman Publishing Co., Inc.. Ekelhart, A., Fenz, S., & Neubauer, T. (2009, January). AURUM: A framework for information security risk management. In System Sciences, 2009. HICSS'09. 42nd Hawaii International Conference on (pp. 1-10). IEEE. Grance, T., Stevens, M., & Myers, M. (2003). Guide to selecting information technology security products. Network Security. Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Pearson Education. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems. Nist special publication, 800(30), 800-30. Verner, J. M., Brereton, O. P., Kitchenham, B. A., Turner, M., & Niazi, M. (2014). Risks and risk mitigation in global software development: A tertiary study. Information and Software Technology, 56(1), 54-78 Yeo, M. L., Rolland, E., Ulmer, J. R., & Patterson, R. A. (2014). Risk mitigation decisions for IT security. ACM Transactions on Management Information Systems (TMIS), 5(1), 5. Zhang, X., Wuwong, N., Li, H., & Zhang, X. (2010, June). Information security risk management framework for the cloud computing environments. In Computer and Information Technology (CIT), 2010 IEEE 10th International Conference on (pp. 1328-1334). IEEE. Read More