
Risk Analysis of the InSycure Computer System - Assignment Example

Summary
"Risk Analysis of the InSycure Computer System" paper argues that as a result of the efficient defense-in-depth approach applied to disaster recovery planning, the management of InSysecure Corporation will ensure protective practices for their computer security are not ignored. …

Extract of sample "Risk Analysis of the InSycure Computer System"

System Security

Table of Contents
1.0 Risk Analysis to the InSycure computer system
  1.1 Identification of assets
    1.1.1 A sample classification for assets and their priorities
  1.2 Determination of Risks
    1.2.1 Asset-Weight matrix for asset prioritization
  1.3 Application of controls
    1.3.1 A risk-asset compliance matrix check
2.0 Security Plan
  2.1 System-risk identification
    2.1.1 A detailed sample of protection applications for InSysecure Computer system
  2.2 Management controls
  2.3 Operational controls
3.0 Disaster Recovery Plan for InSysecure computer system
References

Introduction

Organizations are required to deal with complex computer and information security issues. Information systems and hardware need to be secured from threats within and outside the enterprise. It is critical that users be permitted to access only the data and information they are authorized to access, limited to what is relevant to the tasks assigned to them. Therefore, it is vital for organizations to take the necessary steps to identify, analyze and control the risks that threaten their computer and information systems, based on their level of vulnerability (System Scanner, 2004).

The case here is InSycure Corporation, a pharmaceutical company that is experiencing unprecedented growth within the industry and operates an IBM mainframe that runs several legacy applications. Although InSycure Corp. has well-established network security, the network environment is not managed well enough to meet the computer and information security requirements of availability, integrity, authenticity and confidentiality. The company faces two major problems: a lack of available network connections, particularly for meetings with participants, and slow log in by the network administrator, which hinders the immediate location of computers infected in a virus attack.
In this report, a Risk Analysis for the InSycure computer system has been performed, and a Security Plan and a Disaster Recovery Plan (DRP) have been developed for InSycure based on the identified threats or risks and their likely vulnerabilities.

1.0 Risk Analysis to the InSycure computer system

It is important for the IT management at InSycure to protect critical assets. The risk analysis therefore applies a risk assessment model based on the processes of asset assessment, threat or risk assessment, vulnerability assessment and the identification of key countermeasure options. The focus is on identifying and prioritizing the information systems assets, associating the identified risks with the company's assets, and listing the relevant controls that could be effectively applied to mitigate the identified risks (Jopeck, 2000).

1.1 Identification of assets

1.1.1 A sample classification for assets and their priorities

| Description of assets | Priority |
|---|---|
| Client systems (Windows 2000 Professional operating systems, Apple computers and mainframe computers) | Essential |
| Authentication and Authorization services | Critical |
| Environmental servers and DNS name servers | Critical |
| Network (modems, servers and routers), Network Intrusion Detection systems | Critical |
| Accounting (IBM Mainframe, Payroll server) | Essential |

The above assets of the InSysecure computer system have been identified and prioritized according to how essential or critical their role in the company is. Categorizing assets by priority level matters because it lets the management of InSysecure identify the assets that are more critical than others.
From the above table, it is clear that Authentication and Authorization services, Environmental servers and DNS name servers, the Network (modems, servers and routers) and Network Intrusion Detection systems are more critical than Client systems and Accounting systems.

1.2 Determination of Risks

To list and categorize the risks and associate them with the identified assets, criteria have been used to determine the most critical risks. The four main criteria applied are whether the risk could be extremely expensive to fix in case of failure, whether it could lead to the loss of a critical service, whether it could cause a wide spread of negative publicity as a result of poor performance, and whether it has a high probability of occurrence (National Infrastructure Protection Center, 2002).

1.2.1 Asset-Weight matrix for asset prioritization

| Asset | Probability of occurrence (scale of 0 = low probability, 1 = very high probability) |
|---|---|
| Authentication and authorization services | 1 |
| Environmental servers (Apple computers, IBM Mainframe for accounting payroll) | 0 |
| Network resources (servers, routers and modems) | 1 |
| DNS name server | 1 |

From the above table, it can be noted that the probability of risk occurrence for Authentication and authorization services, Network resources (servers, routers and modems) and the DNS name server is very high compared to the Environmental servers (Apple computers, IBM Mainframe for the accounting payroll departments) of the InSysecure computer system.

Due to the lack of available network connections, frustrations occur when the salesperson meets with participants. This creates a vulnerability because at times he is forced to pick up a cheap wireless access point from his local electronics store. It is a risk to the company because the salesperson does not seem to consider that the conference room is located adjacent to the parking lot, which leaves the access point exposed to the public.
Another risk in this information and network system category is the slow tracing of virus-infected computers by the network administrator. It is important to point out that a network administrator plays a critical role in ensuring the company's resources are available to all authorized users. However, at InSysecure Corp. the reverse is true, as it is reported that it is often hard for the network administrator to quickly identify, locate and disable the switch ports of machines infected with a virus. Thus, the network process InSysecure Corp. runs is unproductive, costly and time-consuming.

1.3 Application of controls

Risk control measures for the InSysecure computer system are developed from risk-asset matrices, which result in a blueprint for effectively applying relevant controls to the company's assets. Based on the compliance matrices, more detailed line-item actions can be applied to verify that a given task on the system has been performed. For instance, a color-coding system becomes necessary to denote either a successful or a failed action on a particular line item. This will minimize the amount of time the network administrator takes to locate the infected computers whenever a virus strikes the entire enterprise (Wagner & Aiken, 2000). As a result, the network administrator will at all times be quick in identifying, locating, and disabling the switch ports of machines infected with a virus, rather than taking up 45 minutes checking every workstation, for a probable total of 75 hours required to locate and identify the infected users.
1.3.1 A risk-asset compliance matrix check

| Security risks | Checks (various workstations) |
|---|---|
| System admin practices | Fail/Ok/Caution |
| Log in usernames and passwords | Fail/Ok/Caution |
| Data disclosure and key person dependency | Fail/Ok/Caution |

In the above compliance matrix, the overall state of every asset is checked against the identified risks, and the check reports whether the action on the computer and network system was Ok, Failed or Caution.

2.0 Security Plan

The security plan is the documentation of the structured processes planned to provide cost-effective protective measures or practices for a system. It is a plan that shows the input from the management held responsible for a system, such as the information owners, systems administrators, system operators and system security managers. A system security plan is therefore important because it describes the responsibilities and the expected behavior of all the people who are authorized to access the system (Alberts & Dorofee, 2002). The main purpose of this security plan is to give an overview of the security of the InSycure computer system and describe the required controls and the critical elements put in place or planned for the system. Documented in this plan are the findings that show the weaknesses in the InSycure computer system security controls that are expected to be corrected and improved.

2.1 System-risk identification

The significant risks identified are as follows. Due to the regularly faced human-machine interaction vulnerabilities, InSycure Corporation exposes its system to the risk of poor identification and authentication. The lack of available network connections causes frustrations whenever the salesperson is required to meet the participants. This creates another risk when the salesperson decides to pick up an inexpensive wireless access point to use without considering the principle of confidentiality for the system.
It is clear that the salesperson creates breaches for unauthorized people or members of the public who may find their way to the access point. The long time the network administrator takes to locate the computers infected with a virus is yet another susceptible area for InSysecure Corporation. It has been reported that it is time-consuming for the network administrator to identify, locate and disable the switch ports of the infected machines. This makes the process unproductive and costly.

2.1.1 A detailed sample of protection applications for InSysecure Computer system

| Information Type | Confidentiality (High, Medium or Low) | Integrity (High, Medium or Low) | Availability (High, Medium or Low) |
|---|---|---|---|
| Administrative | | | |
| Patient | | | |
| Privacy Act information | | | |
| Financial | | | |

In the above system protection requirements for confidentiality, integrity and availability, the sensitivity of each information type is classified as high, medium or low. For instance, the information about patients is planned to be low, financial information is expected to be medium, while administrative and Privacy Act information are planned to be high in all aspects of confidentiality, integrity and availability.

2.2 Management controls

The management controls will involve risk assessment and management, which will include re-applying subnet organization to the network of the InSysecure computer system: the IP subnets will be installed and configured to ensure that they are assigned to the authorized machine users, departments or locations. The rules of behavior will be made available to system users before they access the system, with a signature page as a way to acknowledge receipt of the required administrative rules. A large human resources system will be developed to replace the old IBM mainframe that runs several legacy applications, including the accounting system at headquarters.
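The subnet organization in 2.2 also addresses the switch-port problem described in 1.3: once each subnet belongs to one department or location, an alert can be mapped to a place and a port without walking every workstation. The following is an added example, not part of the original paper; the subnet plan, the host-to-port inventory, the switch names and the alert list are all constructed, assumed values.

```python
import ipaddress
from collections import defaultdict

# Constructed subnet plan (assumed values): one subnet per department/location.
SUBNET_PLAN = {
    "10.20.1.0/24": ("Sales", "Conference room"),
    "10.20.2.0/24": ("Accounting", "Headquarters"),
    "10.20.3.0/24": ("Research", "Laboratory wing"),
}

# Constructed inventory (assumed): host address -> (switch, port).
SWITCH_PORTS = {
    "10.20.1.17": ("sw-conf-01", "Gi0/5"),
    "10.20.2.40": ("sw-hq-02", "Gi0/12"),
    "10.20.2.41": ("sw-hq-02", "Gi0/13"),
}

# Constructed alert export from the central virus-scanning console (assumed format).
ALERTS = ["10.20.2.40", "10.20.1.17", "192.168.0.23", "10.20.3.9",
          "10.20.2.41", "not-an-ip", "10.20.2.40"]


def load_plan(plan):
    """Parse the plan into (network, department, location), most specific first."""
    rows = [(ipaddress.ip_network(cidr), dept, loc) for cidr, (dept, loc) in plan.items()]
    return sorted(rows, key=lambda row: row[0].prefixlen, reverse=True)


def triage(alerts, plan, ports):
    """Group infected hosts by switch and flag anything needing manual follow-up."""
    networks = load_plan(plan)
    result = {"disable": defaultdict(list), "unassigned": [], "no_port": [], "invalid": []}
    for raw in dict.fromkeys(alerts):  # de-duplicate, keep first-seen order
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            result["invalid"].append(raw)
            continue
        match = next((row for row in networks if addr in row[0]), None)
        if match is None:
            # Outside every authorized subnet, e.g. behind an unmanaged access point.
            result["unassigned"].append(str(addr))
            continue
        _, dept, loc = match
        if str(addr) in ports:
            switch, port = ports[str(addr)]
            result["disable"][switch].append((port, str(addr), dept, loc))
        else:
            # Subnet gives the location, but the inventory has no port for this host.
            result["no_port"].append((str(addr), dept, loc))
    result["disable"] = dict(result["disable"])
    return result


if __name__ == "__main__":
    report = triage(ALERTS, SUBNET_PLAN, SWITCH_PORTS)
    for switch, entries in report["disable"].items():
        for port, host, dept, loc in entries:
            print(f"{switch} {port}: disable port for {host} ({dept}, {loc})")
    print("outside authorized subnets:", report["unassigned"])
    print("known subnet, port unknown:", report["no_port"])
    print("unparseable alerts:", report["invalid"])
```
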
2.3 Operational controls

The operational controls will involve personnel security, where all positions will be reviewed for confidentiality, integrity and availability levels. This will involve answering questions about whether users' access is restricted to the minimum required to perform the task assigned. Physical and environmental protection will likewise be evaluated to check whether there are factors that need to be addressed, such as physical access to the system, failure of the supporting utilities, interception of the company's data and portable systems. This will make it possible to check data integrity through validation controls based on the information received from the already installed virus detection and elimination software (Conklin et al., 2010). In the current case of InSysecure Corporation, where all connections to the Internet are protected by firewalls and network intrusion detection systems, it will be important to have updated virus-scanning software and the central console used to project the signature updates.

3.0 Disaster Recovery Plan for InSysecure computer system

The regular vulnerabilities associated with human-machine interactions at InSysecure Corporation, caused by the consistent lack of available network connections and the slow locating of computers infected by a virus, raise the need for a Disaster Planning and Recovery plan (DPRp) for the company. Specific computer security considerations are included in these disaster planning and recovery strategies with regard to perimeter defenses, vulnerability surveillance, patches and host configurations, virus protection, and network and host-based measures (Geoffrey & Shriver, 2000). Careful consideration of the InSysecure computer security policy will therefore result in greater customization and provide relevant details for each disaster recovery need of the company.
It is important to address computer security issues within disaster recovery planning, since doing so ensures efficient and successful recovery of the company's operations. For instance, the consistent lack of network connections at InSysecure Corporation, which causes frustrations during participants' meetings with the salesperson, and the network administrator's slow tracing of computers infected by a virus both call for a disaster recovery procedure. This will examine the various aspects of planning and implementation from the administrative perspective, paying attention to the existing network and computer infrastructure, the application of backup and restoration procedures, and staffing and logical operations to ensure available connectivity.

In conclusion, careful consideration given to the practice of disaster recovery planning, particularly in the aspects of perimeter defense, virus protection, vulnerability scanning and cleaning, and patches and host re-configurations, will enable InSysecure Corporation to prepare effectively for its recovery operations in case of a disaster while ensuring that the foremost threat-controlling practices are kept in mind. As a result of the efficient defense-in-depth approach applied to disaster recovery planning, the management of InSysecure Corporation will ensure that protective practices for their computer security are not ignored, particularly during recovery operations, to allow business continuity.

References

Alberts, C. J., & Dorofee, A. J. (2002). Managing Information Security Risks: The OCTAVE(SM) Approach. Boston: Addison-Wesley.

Conklin, W. et al. (2010). Principles of computer security: CompTIA Security+ and beyond (2nd ed.). New York: McGraw-Hill.

Geoffrey, H. W., & Shriver, R. F. (2000). Disaster Recovery. Minneapolis: McGladrey & Pullen.

Jopeck, E. (2000). The Risk Assessment: Five major steps to better Risk Management Decisions. Security Awareness Bulletin, 3(97), 5-15.

National Infrastructure Protection Center. (2002). Risk Management: An Essential Guide to Protecting Critical Assets. Retrieved September 25, 2012.

System Scanner. (2004). Internet Security Systems, Inc. Retrieved September 25, 2012.

Wagner, D., & Aiken, A. (2000). A First Step Towards Automated Detection of Buffer Over-run Vulnerabilities. Proceedings of the Year 2000 Network and Distributed System Security Symposium (NDSS). San Diego, CA.