
Case Study in IT Security Management - Part 3: Risk Management Plan

Updated on November 29, 2011

Published: November 29, 2011

Risk Management Plan

Like any company, Pace Heating and Air Conditioning was built on opportunity, and opportunity entails risk. Some amount of risk is actually healthy for a company and enables the expansion of opportunity and the creation of revenue. Other risk, however, may harm the company if it materializes as an incident. That risk should be managed, and the Risk Management Plan for Pace Heating and Air Conditioning is summarized here.

Application Controls

Shafer Software provides a custom CRM application developed specifically for the HVAC industry. Pace depends on this application for most business functions, including dispatching, maintaining customer contacts, inventory control, and bookkeeping. Missing input validation can be the source of many security flaws, such as buffer overflows. However, the programming necessary to implement input validation is outside the scope of control that Pace Heating has over the application.

Most repeatable entry fields in Shafer's application presently use drop-down boxes for common values, and entry fields are checked for proper format, such as validating that numeric entries are made to numeric fields. The relationship that Pace Heating maintains with Shafer Software remains one of mutual trust for the sake of process improvement. Therefore, when software users notice the ability to input invalid data, the deficiency should be reported to Shafer so that the necessary input validation can be implemented.

Countermeasures

Countermeasures to protect Pace Heating are necessary at both the physical and the technical level. Technical countermeasures protect the information assets, and physical countermeasures help protect both the information and the physical assets of the company.

Technical Countermeasures

Access Control Lists and an Intrusion Detection System (IDS) should be configured on the router and firewall to limit Internet-originated attacks on information assets. Warnings from the IDS would be routed to the on-call engineer from the Lakota Group so that appropriate action can be taken immediately.

Workstations running obsolete operating systems within the Pace environment should be upgraded to either Windows XP or the new Windows 7, because security fixes are no longer available for the older versions. The file server should also be upgraded to Windows Server 2003, because the current Windows 2000 Server will soon reach the end of Microsoft support.

The automatic update feature of Microsoft Windows XP should be enabled on the workstations to keep the workstation OSs current with security patches; critical and important updates should also be applied automatically to the file server and NAS OSs to provide the same level of protection as the workstations. The antivirus and anti-malware applications running on the file server and workstations should update automatically as well, to lower the likelihood of successful zero-day attacks against the information assets of Pace Heating.

Physical Countermeasures

One of the major deficiencies found in the Pace Heating Risk Assessment was the lack of physical security protecting the file server and the data it houses. To correct this deficiency, a server rack with the capacity to house the file server, NAS, and data-communications equipment should be installed. The rack would keep the server in a locked environment and allow physical access to authorized personnel only. The rack would provide the same level of protection to the data-communications equipment, preventing tampering with network connections and limiting console access to the router and firewall.

HVAC technicians who work for Pace Heating have unfettered access to the facilities of the company and as such also have unrestricted access to the physical and information assets of the company. Some control is necessary to prevent the loss of physical assets. These controls would include the control of keys used to access the facility and ensuring that only authorized individuals are issued copies of keys to gain access to sensitive areas.

The truck fleet should also maintain individual inventories of the items located on each truck. The inventory should be issued by the Inventory Manager and the employee receiving inventory should sign for receipt. These inventory records will also aid in the termination process if necessary.

Incident Handling and Reporting

Security breaches are a fact of life and will occasionally occur to test the preparedness of companies, regardless of the size or stature of the organization. Incident handling and reporting procedures guide the personnel of an organization through the actions required when these inevitable events occur. Incidents may be minor or disastrous; all types of incidents require a methodical approach to deal with the possible ramifications. This section of the Risk Management Plan specifies the incident handling and incident reporting procedures for Pace Heating and Air Conditioning.

Incident Handling

Certain signs alert individuals that an incident has occurred or is in progress. Incidents affecting the information assets of Pace Heating would involve the network infrastructure and should be handled by the discovering party in the following manner:

  1. Determine the type of incident (virus infection, data theft, etc.)
  2. Isolate the systems involved (for virus and malware intrusions, unplug the network connection)
  3. Protect the involved systems from tampering (secure the area)
  4. Do not power down systems unless fire is involved
  5. Report the incident to the responsible party following the reporting guidelines that follow this section
  6. The responsible party will determine whether a possible crime has been committed or the system should be immediately brought back online
  7. Law enforcement will be notified in the event of a possible crime and the affected systems will be turned over as evidence
  8. If no crime has been committed then the engineer on call with the Lakota group will be contacted to immediately take the necessary steps to bring the affected systems back online

Incident Reporting

All incidents that disrupt the secure operation of Pace Heating and Air Conditioning will be reported to an authoritative individual. The following guidelines form the procedure that ensures all responsible parties are notified so that appropriate safeguards can be taken.

Fire and Safety

Any employee discovering an incident involving a fire or an imminent threat to the safety of the public or another employee will first contact the locality's emergency dispatcher by calling 911. Following the call to the emergency dispatcher, the front desk will be notified so that emergency services may be directed as necessary. A fire that cannot be contained, or any other emergency that threatens the safety of any individual, will prompt the immediate evacuation of the building.

Inventory or Equipment Loss

The employee discovering a possible loss of equipment or inventory will immediately notify the Office Manager. The Office Manager will determine whether there is a business explanation for the apparent loss and take the appropriate actions to account for the inventory or equipment if the apparent loss is due to a normal business function. Losses that cannot be accounted for will then be reported to the local law enforcement agency. The Office Manager will also notify the Company Treasurer and the Accountant as appropriate.

Virus and Malware Attacks

The Office Manager will be notified by the discovering employee in the event that a workstation has been infected with a virus or other malware. The Office Manager will direct the employee to isolate the system, if that action has not already been performed, and the workstation will be held for maintenance on the next scheduled visit by the Lakota Group’s System Engineer.

The Office Manager will also be notified in the event that a virus or other malware infection is discovered on the file server or NAS. In this event, however, the engineer on-call with the Lakota Group will be immediately notified so that the infection may be removed before the close-of-business on the day of discovery.

Intrusion Detection

Attempts to infiltrate the Pace Heating network or infrastructure would normally be detected by the Lakota Group. Intrusions may be detected proactively by the Intrusion Detection System (IDS) or during the course of an engineer's normal on-site visits. These incidents would be handled as necessary and reported by the engineer to the Pace Heating Office Manager, Company President, Treasurer, Accountant, and all other affected employees. Status reports, corrective measures, and preventive measures will be communicated by the engineer. The determination of whether to involve law enforcement would then be made by the company's management team.

Natural Disaster

When a natural disaster or other event that would render Pace Heating's facility inaccessible is discovered, the first person to be notified would be the Office Manager, who would act as the Disaster Coordinator. If the Office Manager could not be reached, the Company President would be notified and take over as the Disaster Coordinator. The Disaster Coordinator would then activate the Business Continuity/Disaster Recovery Plan and notify the remainder of the affected employees.
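The handling steps and the per-incident reporting chains above can be encoded as an executable escalation matrix, which makes it easy to check that every incident type has an owner and that the server-versus-workstation and reachable-versus-unreachable branches behave as the plan says. This is an added illustration, not part of the original plan; the class and field names are assumed.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    FIRE = "fire"
    INVENTORY_LOSS = "inventory_loss"
    MALWARE = "malware"
    INTRUSION = "intrusion"
    DISASTER = "natural_disaster"


@dataclass
class Incident:
    kind: Kind
    asset: str = "workstation"          # "workstation", "file_server" or "nas"
    accounted_for: bool = False         # loss explained by a normal business function?
    office_manager_reachable: bool = True


# Steps shared by every network incident (Incident Handling steps 2-4).
PRESERVE = ["isolate the system (unplug the network connection)",
            "secure the area against tampering",
            "do not power down unless fire is involved"]


def route(inc: Incident) -> tuple[list[str], list[str]]:
    """Return (ordered notification chain, required actions) for an incident."""
    if inc.kind is Kind.FIRE:
        return ["911", "front desk"], ["evacuate if the fire cannot be contained"]
    if inc.kind is Kind.INVENTORY_LOSS:
        notify = ["Office Manager"]
        if inc.accounted_for:
            return notify, ["record the business reason for the apparent loss"]
        notify += ["local law enforcement", "Company Treasurer", "Accountant"]
        return notify, ["report the unaccounted loss"]
    if inc.kind is Kind.MALWARE:
        notify = ["Office Manager"]
        if inc.asset in ("file_server", "nas"):        # shared asset: same-day fix
            notify.append("Lakota Group on-call engineer")
            return notify, PRESERVE + ["remove infection before close of business"]
        return notify, PRESERVE + ["hold workstation for next scheduled Lakota visit"]
    if inc.kind is Kind.INTRUSION:
        notify = ["Lakota Group engineer", "Office Manager", "Company President",
                  "Treasurer", "Accountant", "affected employees"]
        return notify, PRESERVE + ["engineer reports status and corrective measures",
                                   "management decides whether to involve law enforcement"]
    coordinator = "Office Manager" if inc.office_manager_reachable else "Company President"
    return ([f"{coordinator} (Disaster Coordinator)", "affected employees"],
            ["activate the Business Continuity/Disaster Recovery Plan"])
```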

Employee Termination

Terminating an employee is a delicate situation even before the security ramifications of such an event are added to the equation. In the event that Pace Heating must terminate an employee, certain precautions must be taken. These precautions include the following:

  • The employee’s user accounts and passwords will be immediately disabled
  • The employee’s VPN connections to the internal network will be removed
  • The employee must turn in all Pace Heating identification cards
  • The employee must turn in all keys to company facilities and vehicles
  • The employee will turn in all company supplies
  • The employee will complete an exit interview during which the termination process will be documented
  • The employee will be immediately escorted out of the building following the exit interview.
    (Harris, 2008)

The termination procedure is included in the risk management plan because employees account for a large number of incidents and disgruntled employees account for a large portion of the internal risk.

Read More of the Case Study

Return to Part 2: Risk Analysis

Part 4 coming soon.


Harris, S. (2008). All in One CISSP Exam Guide (4th Ed.). New York, NY: McGraw-Hill.

