Risk Process and Security Policy - Becoming Company - Assignment Example

Summary
The paper "Risk Process and Security Policy - Becoming Company" states that the company has put a number of hardware and software in place. These systems have different vulnerabilities and security risks particularly with regard to the sensitivity and confidentiality of the information they are used to store…

Extract of sample "Risk Process and Security Policy - Becoming Company"

Risk Process and Security Policy

Introduction

The case scenario is based on a service company known as “Becoming Company”. The company primarily deals in developmental training as well as inspirational materials such as music, videos and books known as Drive Changes. A risk assessment for the security of the systems in the case scenario is important in the protection of the business as well as the workers from a number of potential security risks (Goodrich and Tamassia, 2011). This paper uses the OCTAVE methodological approach to assess the security risks of Becoming Company, with particular focus on the various information assets (both hardware and software) in the company and their operational contexts, as well as the sensitivity and confidentiality of the kind of information kept on the company systems. The identified risks are analyzed based on their points of origin, storage, transportation and how they are processed.

Assessment of assets

Becoming Company has a number of information resources and assets such as hardware, data, software and networks that play a critical role in information management at the company. One of the critical assets at the company is a back office computer connected to a number of peripherals such as the point of sale computer, printing and faxing. Together with her three employees, Ann usually uses the back office computer to perform a number of sensitive and confidential tasks such as creating company invoices, mails and letters. One of the employees, Curly, occasionally uses the back office computer to surf the internet for her personal and non-company-related activities. Another important information resource asset at Becoming Company is a Dell OptiPlex 390 computer that the company primarily uses for keeping its sensitive accounting records, like sales transactions, as well as performing some of the basic office functions such as spreadsheets and word processing.

The company uses Microsoft Windows 7 Professional edition together with the Office suite and system upgrade software. To perform various accounting activities and track transactions, the company uses a custom program that is written in MS Visual Basic .NET and uses MS Access as the database. It is however worth noting that there is no file encryption system in the company, and Ann relies on free versions of firewall and antivirus scanner software. The entire system at the company is connected to the internet by a local service provider using a wireless network (WEP) connection, which is also networked to the back office computer. Lastly, the company also possesses a small point of sale computer that contains configurations such as a sales register, cash drawer, and transaction and tabulation software.

Assessment of the vulnerability and risks of the company assets

The company has put a number of hardware and software systems in place. These systems have different vulnerabilities and security risks, particularly with regard to the sensitivity and confidentiality of the information they are used to store. According to the OCTAVE risk assessment method used in this case scenario, there are a number of potential IT security failures and loopholes in the company’s system configurations that may result in the loss of information availability, confidentiality and integrity (Foreman, 2010). There are also a number of existing controls and safeguards that can potentially minimize the chances that a threat may exploit the vulnerabilities of the company assets.

The current protection system of the company has a number of weaknesses and vulnerabilities that can easily be exploited by malicious persons. For example, the controls the company uses to protect some of its information assets include firewall and virus scanner programs. Although firewalls are effective in auditing and screening as well as in the examination of the contents of data packets, the company is only using free versions of the virus scanner and firewall programs, which are usually not very effective in ensuring system security. Consequently, this has resulted in increased vulnerability of the company assets.

Another important control that is currently used in the company’s protection system is data encryption. For example, the wireless connection (Wired Equivalent Privacy) used by the company is encrypted, and this helps in the protection of the company data during transmission. It is however worth noting that the encryption of the wireless connection used by the company does not offer absolute protection against the existing security vulnerabilities. This is particularly because Ann has chosen her store’s phone number as her WEP password. This has significantly increased the likelihood of malicious interception of the encrypted data during transmission.

Lastly, another important access system that the company uses to help protect its information resource assets is user authentication control. For example, Ann uses the basic Windows login password to protect her files from unauthorized access. This access control is however not as effective as intended, because Ann uses her pet cat’s name “Fluffy” as her Windows login administrator password. The password is weak and can easily be targeted by hackers. Consequently, the company’s use of user authentication controls is not very effective in protecting the company assets.

Assessment of the probability of damage in the event of a security incident

In the event of any security incident at the company, there is a high probability of significant losses and damage to both the tangible and intangible assets of the company. This is particularly because the company does not have clear security incident handling procedures or any disaster recovery plans that can help mitigate potential losses that may arise from such incidents. In this regard, it would be very difficult to help the company resume its full operations in the event of a major security incident, because none of the employees would be able to act swiftly and prevent further losses.

There is also a high probability of huge losses in the event of a security lapse because the company does not have a security audit team that can undertake regular checks on the information infrastructure and mitigate potential security loopholes and vulnerabilities. For example, without proper mechanisms to audit the type of web sites surfed by the employees or the kind of information they post on the internet using the company computers, the probability that the security of the company may be compromised is nearly 80% (Kiountouzis and Kokolakis, 2002). This is particularly with regard to the fact that the company only uses the free versions of a firewall and the AVG virus scanner, which are not always very effective.

Assessment of the risks

One of the main security weaknesses in the protection system used by Becoming Company is related to the hardware configuration of the company assets. For example, the Dell OptiPlex 390 computer that is used by the company to perform sensitive operations such as keeping accounting records is connected to many other peripherals such as faxes and printers, among others. Connecting the computer to many peripheral devices significantly increases the probability of flaws as well as unintended access points in the system.

Another potential factor that has resulted in increased vulnerability of the company assets is the inadequate security awareness among the employees. Although all her employees like to tinker with computers, neither Ann nor her three employees have any basic training in computer systems management. For example, Curly, one of the employees, occasionally uses the back office computer for personal surfing. This is a serious security vulnerability because the employee may unknowingly expose sensitive and confidential company data to malicious content during surfing. Ann also sometimes does backups to USB flash drives, and this increases the risk of leakage of classified corporate information through the removable disks (Wijayanayake, 2009).

By choosing to use her pet cat’s name “Fluffy” as her Windows login administrator password, Ann has taken a huge security risk and significantly increased the vulnerability of the company assets to security mishaps. This is particularly because anyone who knows Ann can easily guess or crack the password and access the sensitive transaction records stored in the computer. It is also a security risk for Ann to use her store’s phone number as the WEP password because, although the wireless connection is encrypted, the phone number can easily be cracked.

On the other hand, the lack of a file encryption system in the storage of sensitive business records and invoices at the company significantly exposes the company to the risk of unauthorized access. This is particularly with regard to the fact that the company relies on the free versions of virus scanner and firewall programs, which are usually not very effective in ensuring system security. Lastly, the company’s sensitive accounting records are also vulnerable to numerous security risks because the company uses a custom program which may have a number of security loopholes.

Conclusion

In conclusion, although the company has used a number of access controls and safeguards to help improve the security of the sensitive and confidential information in the company, there are still a number of security vulnerabilities that, if exploited, may result in a number of tangible and intangible losses to the company.

References

Foreman, P. (2010). Vulnerability Management. New York: Taylor & Francis Group publishers Ltd.
Goodrich, M., Tamassia, R. (2011). Introduction to Computer Security. Boston: Pearson Education.
Kiountouzis, E., Kokolakis, S. (2002). Information systems security: facing the information society of the 21st century. London: Chapman & Hall.
Wijayanayake, W. (2009). Computer misuse in the workplace. Journal of Business Continuity & Emergency Planning, 3(3), 259-270.
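
The weak-credential findings in the assessment above (the pet name “Fluffy” as the Windows administrator password and the store’s phone number as the WEP password) can be expressed as an audit check. The following Python code is an added example, not part of the original paper; the phone number, the context terms other than “Fluffy”, and the 60-bit threshold are assumptions chosen for illustration.

```python
import math
import re

# Constructed context for the scenario. "fluffy" is the pet name given in the
# paper; the other terms and the phone number are placeholders (assumptions).
CONTEXT_TERMS = ["fluffy", "ann", "becoming"]
STORE_PHONE = "555-010-0199"  # constructed placeholder, not from the paper


def digits_only(text):
    """Strip everything except digits so formatting cannot hide a number."""
    return re.sub(r"\D", "", text)


def keyspace_bits(secret):
    """Upper bound on guessing effort, in bits, from the character classes used."""
    pool = 0
    if re.search(r"[a-z]", secret):
        pool += 26
    if re.search(r"[A-Z]", secret):
        pool += 26
    if re.search(r"[0-9]", secret):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        pool += 33  # printable ASCII punctuation plus space
    return len(secret) * math.log2(pool) if pool else 0.0


def audit_secret(secret, terms=CONTEXT_TERMS, phone=STORE_PHONE, min_bits=60):
    """Return a list of findings; an empty list means no rule was triggered."""
    findings = []
    lowered = secret.lower()
    for term in terms:
        if term in lowered:
            findings.append(f"contains context term '{term}'")
    phone_digits = digits_only(phone)
    if phone_digits and phone_digits in digits_only(secret):
        findings.append("contains the store phone number")
    if secret.isdigit():
        findings.append("digits only")
    bits = keyspace_bits(secret)
    if bits < min_bits:
        findings.append(f"keyspace upper bound {bits:.0f} bits is below {min_bits}")
    return findings


if __name__ == "__main__":
    for candidate in ["Fluffy", "555-010-0199", "correct-horse-battery-staple"]:
        print(candidate, "->", audit_secret(candidate) or "no findings")
```

The hyphenated phone number clears the character-class bound and is caught only by the context rule, which is why a length-and-complexity check alone would miss both of the credentials the paper describes.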