Every organization is faced with some risk or potential threat that could interrupt its operations. These risks and threats can come from within or outside the organization. To prepare for the worst that could happen, organizations must focus their attention on how to assess the different types of risk in order to protect the organization from possible negative effects on daily operations. Performing a risk assessment is one of the most important steps in the risk management process (eHow, 2011).
A risk assessment is a periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and of the information systems that support the operations and assets of the organization. A risk assessment should consider the major factors in risk management: the value of the system or application, threats, vulnerabilities, and the effectiveness of current or proposed safeguards.
Many organizations perform risk assessments to measure the amount of risk that could affect the organization and to identify ways to minimize these risks before a major disaster occurs. The Department of Defense Information Systems Agency (DISA) follows guidelines and policies governed by processes through which the organization assesses and manages its exposure to risk. This paper identifies the risks and potential effects associated with the areas of the organization pertaining to security, auditing, and disaster recovery.
Security is divided into three major areas:
* Physical security, which includes access to the building, offices, and the rooms housing the organization’s servers and other critical computing devices.
* External threats to the organization’s computing network, such as hackers and malicious software.
* Access and permissions granted to authorized users of the system and to the information it holds.
Physical security of the DISA field office involves securing assets by means of locked doors and an alarm system for non-duty hours. Employees are required to wear identification badges at all times while inside the organization’s facility. Visiting guests are signed into the visitor log at the reception area by the individual hosting the guest, and the guest is escorted at all times while in the facility. DISA users are not authorized to take their assigned laptops home unless the laptops are protected by approved hard drive encryption software. Downloading organizational information onto floppies, CDs, thumb/flash/memory drives, or other portable media is not authorized without proper authorization and unless proper security measures are in place to protect that information.
To mitigate the threats and keep the organization’s assets and proprietary information as secure as possible, a comprehensive defense-in-depth strategy has been put in place. The defense-in-depth strategy covers four categories: people, network, host, and application. Each category contains three components that, when combined, give the organization’s security posture more strength than any one component alone. Using this defense-in-depth strategy and applying tools, techniques, and methodology from all 12 components maximizes the organization’s overall security posture (Hazelwood, 2006).
People are the first line of defense in the organization’s security strategy. The organization has well-defined policies and job descriptions that define the security roles and responsibilities of assigned personnel. The organization also has a well-written security awareness training program and documents the annual training completed by assigned personnel. The organization keeps the skills of the personnel responsible for the information assurance infrastructure current through a dedicated training budget, and it has a well-documented incident response policy.
The network is the second line of defense. The organization has a well-configured, approved firewall protecting the network architecture and employs an intrusion prevention system (IPS) to monitor traffic on the organization’s network. Virtual private networks (VPNs) allow remote connection to the organization’s network when users are away from the primary facility. However, the organization does not segment internal servers, workstations, and wireless networks onto separate networks. This could put the organization’s entire network at risk should part of the network become compromised from a trusted source.
The third line of defense for the organization’s network is the computing host. This includes the organization’s routers, workstations, servers, and automated control systems. If an intruder breaches the first two lines of defense, security measures enabled on the host can still detect and possibly prevent an incident from occurring. The DISA field office has deployed a host intrusion detection system (HIDS) that is completely separate from the network IPS.
The DISA field office performs recurring network and host audits as an important part of the organization’s security strategy. Detailed audit trails, and the archives built from them, are important building blocks for network intrusion analysis, network statistical analysis, and historical evidence for future network audits and incidents. These audits can help the organization find vulnerabilities in its network before an intruder does.
How quickly an organization can return to operational status after a disaster, fire, or flood often depends on the emergency planning done today. The longer an organization is not operating, the lower its chance of survival and the higher its costs, both in monetary losses and in lost customers. A Continuity of Operations Plan (COOP) is an effort to ensure an organization’s continued performance of its most essential functions during a range of potential emergencies. To be successful, a COOP incorporates the development of plans, procedures, and provisions for people, resources, and processes.
The DISA field office has a Continuity of Operations Plan that identifies which personnel, materials, procedures, and equipment are necessary to keep the organization operating after a disaster. The plan also identifies the alternate site to which the required personnel should report should the primary site not be habitable. Several deficiencies in the organization’s plan need to be addressed. First, the field office has no plans for alternate information technology (IT) resources.
This could delay the field office in performing its most essential function of supporting the telecommunication needs of the combatant command. The second major issue noted during the risk assessment is the lack of testing of tape backups and offsite storage. Without testing backups to verify that the organization can restore the stored data, there is a possibility that the data could be lost forever. This could cost the organization hundreds or thousands of man-hours to recreate mission-essential data from other records. By the same reasoning, if a set of backup tapes is not stored offsite and the primary site is destroyed, there will be no backups from which to restore the organization’s data.
In conclusion, risk assessment and risk management are areas that need to be carefully documented. The DISA field office has made a comprehensive effort to plan for mitigating risks and threats to the organization’s network and to ensure business continuity should a disaster strike. Except for the deficiencies noted, policies and procedures have been formulated and documented, with buy-in from each organizational level, on the steps required to avoid and mitigate risks. The necessary training and testing of personnel involved in risk management have been implemented to ensure a successful outcome in case of disaster.
eHow. (2011). How to Do a Risk Assessment. Retrieved September 24, 2011, from http://www.ehow.com/how_2154600_do-risk-assessment.html
Hazelwood, V. (2006). Defense In Depth, An Information Assurance Strategy for the Enterprise. Retrieved September 24, 2011, from http://www.sdsc.edu/~victor/DefenseInDepthWhitePaper.pdf
Global Finance Inc. has grown rapidly in the past years and, as a result, has gained a huge customer base. The company invested in its network and designed it to be fault tolerant and resilient to network failures. However, although the company’s financial status has matured and its network has expanded at a rapid pace, its network security has not kept up with company growth (NIST, 2012).
GFI’s network is fairly stable, as it has not experienced many outages due to network failures. Global Finance Inc. has hired three network engineers to keep up with the network growth and the bandwidth demand from company employees and clients. However, the company has not hired any security personnel to take on the operational security responsibility.
The trusted computing base internal network at Global Finance Inc. hosts the company’s mission-critical systems, without which the company’s operations and financial situation would suffer. The Oracle database and email systems are among the most intensively used application servers in the company. Global Finance Inc. cannot afford system outages because its cash flow and financial systems depend heavily on network stability. The company has experienced denial-of-service (DoS) attacks twice this year, and at one point its Oracle database and email servers were down for over a week. The concern at hand is that the recovery process required Global Finance Inc. to spend $25,000 to restore its operations to normal. Global Finance Inc. estimated the loss from these network attacks at more than $100,000, including lost customer confidence.
Hezman Technologies has been tasked to conduct a risk assessment of Global Finance Inc. for the purpose of certification and accreditation. The Risk Assessment Report, in conjunction with the System Security Plan, assesses the use of resources and controls to eliminate and/or manage vulnerabilities that are exploitable by threats internal and external to Global Finance Inc. (NIST, 2012). The Global Finance Inc. risk assessment was conducted in accordance with the criteria described by the National Institute of Standards and Technology (NIST) in the Risk Management Guide for Information Technology Systems. The method used to conduct this risk assessment is qualitative (NIST, 2012).
The purpose of this risk assessment is to evaluate the effectiveness of Global Finance Inc.’s security. The assessment addresses risks, threats, vulnerabilities, and safeguards (NIST, 2012). This Risk Assessment Report evaluates the confidentiality, integrity, and availability of the Global Finance Inc. network architecture. Hezman Technologies will recommend security safeguards that enable Global Finance Inc. to make informed decisions about network security.
The overall mission of the Global Finance network is to host mission-critical network systems. The critical network infrastructure includes support for the following clients and network devices:
* Accounting Department – 63 workstations and 7 printers.
* Loan Department – 25 workstations and 5 printers.
* Customer Service – 12 workstations and 12 printers.
* Management – 5 workstations and 3 printers.
* Credit Department – 10 workstations and 3 printers.
* Finance Department – 49 workstations and 5 printers.
Global Finance Inc. has a requirement to provide uninterrupted services, on site and remotely, to employees and customers. It is the intent of Hezman Technologies to identify in detail the current risks and vulnerabilities while keeping within the standards of confidentiality, integrity, and availability.
Although all elements of risk management are important, risk assessments provide the foundation for the other elements of the cycle (Office, 1999). Risk assessments conducted by Hezman Technologies provide a basis for establishing policies and selecting cost-effective techniques to implement those policies. Since risks and threats change over time, it is important that Global Finance Inc. periodically reassess its risks and reconsider the effectiveness of the policies and controls that management has selected (Office, 1999). This cycle of activity, including risk assessment, is shown below in an example of the risk management cycle:
[Figure: the risk management cycle, centered on Global Finance Inc. Stage labels visible in the figure: Assess Risk &; Implement Policies & Controls; Monitor and Evaluate.]
Hezman Technologies will provide an overall evaluation of Global Finance’s network. This gives decision makers a means to take the results, understand the factors that can negatively influence operations and outcomes, and make informed judgments. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that businesses must manage (Office, 1999). Regardless of the type of risk being considered, all risk assessments generally include the following elements:
* Identify threats that could harm Global Finance and affect critical operations. Threats could include intruders, criminals, disgruntled employees, and natural disasters.
* Estimate the likelihood that such threats will materialize, based on historical Global Finance information and the judgment of knowledgeable employees.
* Identify and rank the value and sensitivity of operations.
* Estimate, for the most critical and sensitive assets, the potential loss or damage that could occur if a specific threat materializes (Office, 1999).
* Document the results and develop an action plan.
Hezman Technologies plans to evaluate, target, and document the entire chain of leadership at Global Finance Inc., including employees. Some key billets to pay attention to are:
* Global Finance senior leadership, owners, and anyone who could make decisions about IT security.
* Anyone who is responsible for making the final decision on allowing an IT system to operate.
* The IT program manager and anyone “acting” as the security program manager.
* Technical support personnel.
* IT application managers (Stoneburner, Goguen, & Feringa, 2002).
Once on site and analysis begins, Hezman Technologies will use the following sources and references to support its risk assessment recommendations on behalf of Global Finance Inc. (NOTE: these are not the references this writer is using to support this paper):
* National Institute of Standards and Technology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security.
* Principles and practices in NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
* Security of Federal Automated Information Resources.
* Computer Security Act of 1987.
* Government Information Security Reform Act of October 2000 (Stoneburner, Goguen, & Feringa, 2002).
Risk Assessment Activities Conducted by Hezman Technologies
Input | Risk Assessment Activity | Output