Case Study in IT Security Management - Part 3: Risk Management Plan
Published: November 29, 2011
Risk Management Plan
Like any company, Pace Heating and Air Conditioning was built on opportunity, and opportunity entails risk. Some amount of risk is actually healthy for a company and enables the expansion of opportunity and the creation of revenue. Other risk, however, may negatively affect a company if the risk manifests into an incident. This risk should be managed, and the Risk Management Plan for Pace Heating and Air Conditioning is summarized here.
Shafer Software provides a custom CRM application developed specifically for the HVAC industry. Pace depends on this application for most business functions including dispatching, maintaining customer contacts, inventory control, and bookkeeping. Missing or inadequate input validation can be the source of many security flaws, such as buffer overflows. However, the programming necessary to implement input validation is outside of the scope of control that Pace Heating has over the application.
Most repeatable entry fields in Shafer's application presently include drop-down boxes for user input of common values, and entry fields are checked for proper format, such as validating that numeric entries are made to numeric fields. The relationship that Pace Heating maintains with Shafer's software remains one of mutual trust for the sake of process improvement. Therefore, when software users notice the ability to input invalid data, the deficiency should be reported to Shafer's for the purpose of implementing the necessary input validation.
Countermeasures to protect Pace Heating are necessary at both the physical and technical level. Technical security countermeasures will protect the information assets and physical countermeasures will help protect both information and physical assets of the company.
Access Control Lists and an Intrusion Detection System (IDS) should be configured on the router and firewall to limit the possibility of attacks to information assets originating from the Internet. Warnings from the IDS would be routed to the on-call engineer from the Lakota Group so immediate action could be initiated as appropriate.
Workstations running obsolete operating systems within the Pace environment should be upgraded to either Windows XP or the new Windows 7 because the older versions cannot be maintained with security fixes. The file server should also be upgraded to Windows Server 2003 because the current Windows 2000 Server will soon fall into an obsolete condition that will no longer be supported by Microsoft.
The automatic update feature of Microsoft Windows XP should be enabled on the workstations to keep the workstation operating systems current with security patches; critical and important updates should also be automatically applied to the file server and NAS operating systems to provide the same level of protection as that of the workstations. The antivirus and anti-malware applications running on the file server and workstations should automatically update as well to lower the possibility of successful zero-day attacks against the information assets of Pace Heating.
One of the major deficiencies of the Pace Heating Risk Assessment was the lack of physical security to protect the file server and the data that the server houses. To correct this deficiency, a server rack with the capacity to house the file server, NAS, and data-communications equipment should be installed. The rack would provide the ability to maintain the server in a locked environment and restrict physical access to authorized personnel only. The rack would provide the same level of protection to the data-communications equipment and prevent tampering with network connections; console access to the router and firewall would also be limited.
HVAC technicians who work for Pace Heating have unfettered access to the facilities of the company and as such also have unrestricted access to the physical and information assets of the company. Some control is necessary to prevent the loss of physical assets. These controls would include the control of keys used to access the facility and ensuring that only authorized individuals are issued copies of keys to gain access to sensitive areas.
The truck fleet should also maintain individual inventories of the items located on each truck. The inventory should be issued by the Inventory Manager and the employee receiving inventory should sign for receipt. These inventory records will also aid in the termination process if necessary.
Incident Handling and Reporting
Security breaches are a fact of life and will occasionally manifest to test the preparedness of companies regardless of the size or stature of the organization. Incident handling and reporting procedures guide the personnel of an organization through the actions needed to handle these inevitable occurrences. Incidents may be minor or disastrous; all types of incidents require a methodical approach to deal with the possible ramifications. This section of the Risk Management Plan specifies the particular incident handling and incident reporting procedures for Pace Heating and Air Conditioning.
There are certain signs that alert individuals that an incident has occurred or is occurring at the present time. Incidents affecting the information assets of Pace Heating would involve the network infrastructure and should be handled by the discovering party in the following manner:
- Determine the type of incident (virus infection, data theft, etc.)
- Isolate the systems involved, for virus and malware intrusions (unplug the network connection)
- Protect the involved systems from tampering (secure the area)
- Do not power down systems unless fire is involved
- Report the incident to the responsible party following the reporting guidelines that follow this section
- The responsible party will determine whether a possible crime has been committed or the system should be immediately brought back online
- Law enforcement will be notified in the event of a possible crime and the affected systems will be turned over as evidence
- If no crime has been committed then the engineer on call with the Lakota Group will be contacted to immediately take the necessary steps to bring the affected systems back online
All incidents that occur and disrupt the secure operation of Pace Heating and Air Conditioning will be reported to an authoritative individual. The following guidelines form the procedure to ensure that all responsible parties are notified so appropriate safeguards will be taken.
Fire and Safety
Any employee discovering an incident involving a fire or an imminent threat to the safety of the public or another employee will first contact the locality’s emergency dispatcher by calling 911. Following the call to the emergency dispatcher, the front desk will be notified so emergency services may be directed as necessary. A fire that cannot be self-contained or other emergency that threatens the safety of any individual will prompt the immediate evacuation of the building.
Inventory or Equipment Loss
The employee discovering a possible loss of equipment or inventory will immediately notify the Office Manager. The Office Manager will determine whether there is a business explanation for the apparent loss and take the appropriate actions to account for the inventory or equipment if the apparent loss is due to a normal business function. Losses that cannot be accounted for will then be reported to the local law enforcement agency. The Office Manager will also notify the Company Treasurer and the Accountant as appropriate.
Virus and Malware Attacks
The Office Manager will be notified by the discovering employee in the event that a workstation has been infected with a virus or other malware. The Office Manager will direct the employee to isolate the system, if that action has not already been performed, and the workstation will be held for maintenance on the next scheduled visit by the Lakota Group’s System Engineer.
The Office Manager will also be notified in the event that a virus or other malware infection is discovered on the file server or NAS. In this event, however, the engineer on-call with the Lakota Group will be immediately notified so that the infection may be removed before the close-of-business on the day of discovery.
Attempts to infiltrate the Pace Heating network or infrastructure would normally be detected by The Lakota Group. Intrusions may be detected proactively by the Intrusion Detection System (IDS) or during the course of an engineer’s normal on-site visits. These incidents would be handled as necessary and reported by the engineer to the Pace Heating Office Manager, Company President, Treasurer, Accountant, and all other affected employees. Status reports, corrective measures, and preventative measures will be communicated by the engineer. The determination of whether to involve law enforcement would then be made by the company’s management team.
The first person to be notified upon discovery of a natural disaster or other event that would render the Pace Heating facility inaccessible would be the Office Manager, who would act as the Disaster Coordinator. If the Office Manager could not be reached then the Company President would be notified and take over as the Disaster Coordinator. The Disaster Coordinator would then activate the Business Continuity/Disaster Recovery Plan and notify the remainder of the affected employees.
Terminating an employee is a touchy situation even before the security ramifications of such an event are added to the equation. In the event that Pace Heating must terminate an employee, there are certain precautions that must be met. These precautions include the following:
- The employee’s user accounts and passwords will be immediately disabled
- The employee’s VPN connections to the internal network will be removed
- The employee must turn in all Pace Heating identification cards
- The employee must turn in all keys to company facilities and vehicles
- The employee will turn in all company supplies
- The employee will complete an exit interview during which the termination process will be documented
- The employee will be immediately escorted out of the building following the exit interview
The termination procedure is included in the risk management plan because employees account for a large number of incidents and disgruntled employees account for a large portion of the internal risk.