Case Study in IT Security Management - Part 5: Implementation, Maintenance, and Conclusion

Published: November 30, 2011

Maintenance should be part of any ongoing IT initiative. The Pace Heating Security Management Program includes this Maintenance Plan to help ensure the relevance of security related solutions throughout the remaining life of the organization.

Policies and Procedures

Security management and controls for Pace Heating have, as stated earlier, been somewhat lax in the past. Therefore, the development of policies and procedures is called for. The necessary policies and procedures to protect the information assets of Pace Heating are as follows:

• Acceptable Use Policy
• Strong Password Policy
• VPN Security Policy (relevant to contractors with VPN access)
• Employee No-Compete Policy
• Protection of Confidential Information Policy
• Physical Security Procedures
• Incident Response Procedures
• Vendor Remote Access Procedures

User awareness training is especially needed for the entire organization. Employees are likely to resist any implemented changes, especially in regard to access controls, so training is necessary to increase awareness and aid user understanding and acceptance of the new policies. The areas to be covered by the awareness training include general security awareness, password policies, acceptable use, and physical controls.

Standards and Guidelines

Standards help to ensure consistency across Web sites and applications’ (U.S. Department of Health and Human Services, n.d.). Standards have been implemented in the realm of the Shaffer Software application but are widely non-existent across the organization. A Standard Operating Procedure should be developed and applied to security related issues. Standard forms should be developed and used in the areas of incident reporting, user account creation, and change-management.

Guidelines provide suggestions for making decisions and would be relevant in the areas of employee’ Internet access. Employees are permitted to casually surf the web on occasion but should receive guidance to the types of content that are appropriate to retrieve from the office setting. These usage guidelines should specifically list content that should be avoided.

Change Management

Change management to the infrastructure or applications that support Pace Heating will be conducted in the following manner:

• A change request log will be established by the Office Manager to track all changes.
• All change requests submitted via change request form will be assessed to determine possible alternatives and costs.
• Change requests will be reviewed and approved by the Company President.
• The change request log will be updated to reflect current status of change requests.
• Approved Changes will be implemented and the changes documented.

Vendors who access the information assets of Pace Heating should also be held accountable for complying with change management and control procedures. Past incidents of software vendors changing production applications with no prior approval or authorization must not reoccur.

Life-cycles

The equipment and software that support the mission of Pace Heating and Air Conditioning are affected by varying life-cycles. Hardware life-cycles vary from five to ten years while the life-cycle of the main application employed by Pugh is much shorter. The effect of life-cycles on the maintenance plan deals with upgrades and change control.

The most critical portion of life-cycle management for this organization will be to enforce the change control policies and procedures on Shaffer Software, an organization that has demonstrated a position of indifference where the security procedures of clients are concerned.

Developing policies, procedures, standards, and guidelines is a worthy endeavor but employees must be made aware of the changes and how those changes affect their jobs. Employees must also agree to the terms of the newly created requirements and this is where implementation comes in. According to Heathfield (2009) the simplest method to implement policies and procedures is to gather the organization together as a group, present the planned changes, distribute the documents, and obtain employee sign-off on each of the changes.

This implementation plan would be effective for each of the proposed sections of this maintenance plan. After the initial plans have been implemented, the new documents would be contained in the policies and procedures manual for the organization and this manual would then be referenced for recurring training and employee orientations.

Pace Heating and Air Conditioning, Inc. has been successfully providing HVAC services to customers in Eastern Ohio since 1939. The organization operates in an environment of mutual trust between the employees and the organization. This environment of trust, however, has led to a relatively lax security posture and the organization should put in place some more stringent controls in practicing due diligence and due care best practices. Specifically, the lack of physical and access controls should be addressed.

Losses from major catastrophes have been somewhat mitigated by dispersing the fleet and implementing a BDR solution to protect the data. However, arrangements should be made to temporarily conduct business elsewhere in the event that the facility was destroyed.

Pace Heating should also review the organizations insurance policies and fill in the gaps between what is covered and what should be covered. Although insurance is not a disaster recovery method, maintaining the proper amount of insurance would help recover some of the losses.

While trust may be a good thing to some extent, Pace Heating has placed no restrictions on how employees may use technology and information assets while at work. Some of this trust must be redirected and some security controls put in place. The need is demonstrated for both physical and technical controls to protect the organization.

Implementing the incident handling and reporting sections of this plan would be a good first step in moving toward a more secure environment. User awareness training and the enforcement of physical and technical controls would cap a program to provide a layered security approach for Pace Heating and Air Conditioning.

Lax security controls and procedures have led to a situation that places Pace Heating in a serious breach of not providing due diligence and due care toward complying with various legal and regulatory requirements. Recent legislation mandates that certain controls be in place to protect private information and the organization is not complying with those laws and regulations.

An outside audit of the gab between Pace’s existing controls and those controls necessary for compliance is called for. The organization should then enforce the controls recommended as a result of such an audit.

As a well defined and developed program, the Pace Heating Security Management Program includes a maintenance plan to maintain the relevance of the program throughout the life-cycle of the organization. One undeniable constant for any organization is change and the maintenance plan helps ensure that the security program remains relevant in the face of ongoing changes.

• Case Study in IT Security Management - Part 1: Overview
• Case Study in IT Security Management - Part 2: Risk Analysis:
• Case Study in IT Security Management - Part 3: Risk Management Plan
• Case Study in IT Security Management - Part 4: Legal and Ethical Issues
• Case Study in IT Security Management - Part 5: Implementation, Maintenance, and Conclusion

Harris, S. (2008). All in One CISSP Exam Guide (4th Ed.). New York, NY: McGraw-Hill.

Heathfiled, S., M. (2009). How to develop a policy; write, implement, and integrate the policy.

About.com: Human Resources. Retrieved December 5, 2009 from http://humanresources.about.com/od/policiesandsamples1/a/how_to_policy_2.htm

International Information Systems Security Certification Consortium, Inc., (2009). (ISC)² code of ethics. Available from http://www.isc2.org/ethics/default.aspx

Moteff, J. (2004). Computer security: A summary of selected federal laws, executive orders, and presidential directives. Congressional Research Service. Available from http://www.fas.org/irp/crs/RL32357.pdf

Shafer’s Service Systems (2009). Integrated solutions for managing your service/contracting business. Available from http://www.shafers.com

Slater, D. (2009). Business continuity. CSO. Retrieved November 12, 2009 from http://www.csoonline.com

U.S. Department of Health and Human Services (n.d.). HHS web strategies, guidelines & guidance. Retrieved December 6, 2009 from http://www.hhs.gov/web/policies/standards/index.html

Zenith Infotech, Ltd. (2009). Business continuity for the SMB. Available from http://www.zenithinfotech.com/bdr_sol.asp