
Case Study in IT Security Management- Part 1: Overview

Updated on December 4, 2011

Published: November 28, 2011

Updated: November 30, 2011

This hub is adapted from a case study in security management originally submitted as a term paper for an advanced course in Information Security Management. The author presents the steps and considerations necessary to develop a security management plan for a fictitious company, Pace Heating and Air Conditioning, Inc., from the viewpoint of a consultant working for the Lakota Group, another fictitious company. The paper demonstrates the steps needed to develop a security management plan; no finished plan is presented. It is offered to aid other learners who need to write such a term paper.

The original paper was written in APA format; much of that formatting was lost when it was converted to hub format. Because of the length of the final product, the paper is divided into four components. These components are:


Organization Description

Pace Heating and Air Conditioning, Inc. was established in 1939 by Richard James Pace and has been providing residential and commercial Heating Ventilation and Air Conditioning (HVAC) service to customers in Eastern Ohio ever since. The company has been able to maintain a solid posture in the industry even during rough economic times.

Selection Rationale

The criteria for selecting a subject for this project were an organization that could benefit from a risk assessment and a written risk management plan, that had no previous analysis of this kind, and whose information and personnel were readily available for research.

Pace Heating met these criteria because of the author's close ties to the Lakota Group, the company that provides IT services to Pace Heating. As the engineer who supported Pace Heating for two years, the author became very familiar with the organization, its infrastructure, and its security posture.

Organization Purpose and Characteristics

The purpose of Pace Heating and Air Conditioning, as stated earlier, is to provide HVAC service to customers throughout Eastern Ohio. The organization is a corporation and as such is expected to increase shareholder value by providing services more efficiently than the competition. To gain an edge over the competition, Pace Heating implemented a service management package from Shafer's Service Systems that simplifies the dispatch system and integrates with inventory control and accounting processes.

The personnel necessary to conduct the company's operations comprise the following:

  • the company president
  • an office manager
  • an accountant
  • three sales engineers
  • a service manager
  • a dispatcher
  • three customer service representatives
  • an inventory manager

Pace Heating maintains a fleet of service vehicles and the inventory necessary to complete most HVAC service tasks. The company employs an assortment of HVAC technicians to fill service requests as needed.

Overview of Security Posture

Pace Heating operates in an environment of mutual trust. Management trusts employees to perform their duties and not to harm the organization; employees trust management to provide a safe and harmonious work environment. This environment has proven productive for the organization and enjoyable for the employees, and turnover has historically been non-existent. However, the same environment has produced a security posture that is quite lax in access control and in the safeguarding of information.

Internet access is provided to employees for e-mail and web browsing, but no written acceptable use policy has been implemented; employees are largely free to use the Internet as they see fit. A Netgear router sits between the Local Area Network (LAN) and the Internet, but most safeguards are left to the Internet Service Provider. Remote access is available only to The Lakota Group and Shafer's Service Systems for system support, but no formal agreements limit the scope of that access.

All applications reside on a single file server running Windows 2000 Server, which is positioned in the copy room along with the router and switches. The copy room is not locked and access to it is not monitored. Likewise, the 11 office workstations automatically log on to the file server at power-up and remain logged in throughout the day.

The one strong point of the security posture is the Backup and Disaster Recovery (BDR) solution. A Network Attached Storage (NAS) platform from Zenith Infotech provides local backup of the file server, and the BDR solution adds the following data protection services:

  • Block Level Incremental Backups
  • Instant Virtualization of Failed Servers
  • Bare Metal Recovery to Dissimilar Hardware
  • Off-site Data Replication to Two Collocation Facilities
    (Zenith Infotech, Ltd., 2009)

Site Locations and Physical Security

The location of devices and resources within a facility has a great deal to do with their physical security. At Pace Heating, most office workers sit in open cubicles easily accessible to anyone who enters the building. There is, however, a receptionist at the front desk who greets visitors and can monitor their movements. The file server, NAS, and network infrastructure devices are located in a copy room in the center of the building. There is presently no way to monitor who gains access to those devices, because individuals often move outside the receptionist's view.

The warehouse area and garage, by contrast, are under the watch of both the Service Manager and the Inventory Manager. No vehicles, supplies, or physical inventory leave the building without the express written authorization of the Service Manager. The greatest risk to physical inventory arises while it is in one of the company's vehicles away from the facility.

Components of Physical Security

“The main threats that security components combat are theft, interruptions to services, physical damage, compromised system and environmental integrity, and unauthorized access” (Harris, 2008, p. 428). Pace Heating has no need for a full-fledged data center; all of the company's information assets and applications reside on a single file server. Fire alarms and smoke detectors are in place in appropriate locations, and fire extinguishers are readily available. The server should be mounted in a locking equipment rack, the copy room should be locked, and only those employees who require access should be issued keys.

Another physical security component from which Pace Heating would benefit is a well-placed video surveillance system. Cameras should cover the main building entrance, the entrance to the warehouse, and the copy room. The recorder can be mounted in the same equipment rack, with monitors placed in the Office Manager's office.

Technical Controls and Access to Sensitive Information

Technical controls are non-existent at Pace Heating. Workstations boot into the administrative account without any password prompt. Management permits external devices to be connected to computers without restriction; USB drives, digital cameras, and CD burners are used by employees throughout the course of a day.

Power-on passwords should be implemented to prevent unauthorized users from accessing the systems, and BIOS setup passwords should be implemented to prevent all but administrative users from changing BIOS settings. Finally, external devices should be disabled both in the computer's BIOS and in the operating system, with the administrator re-enabling them temporarily when necessary. These controls should be applied to all computers at the facility; possible exceptions are the computers used by the company President and Treasurer.
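The operating-system half of the controls just described, together with the automatic administrative logon noted in the security posture overview, can be audited and remediated from the Windows registry. The script below is an added example written for this hub; it is not part of the original case study and not a Lakota Group or Shafer's tool. It assumes an elevated PowerShell prompt and the documented Winlogon and USBSTOR registry keys, which are the same from Windows 2000 onward; PowerShell itself did not ship for Windows 2000, so on the case-study workstations the same two values would be set with regedit.exe or reg.exe. The function names and the audit fields are this example's own. Two points a practitioner should note: the Winlogon key stores DefaultPassword in clear text in a location ordinary users can read, so every one of the 11 auto-logon workstations currently exposes the administrative password to anyone who can log on or read the disk; and a BIOS password is not scriptable and is defeated by clearing CMOS, so it depends on the locked rack and copy room recommended above.

```powershell
# Added example (not from the original case study): audit and remediate the
# Windows-side findings on the workstation it runs on.
# Assumed: elevated prompt; registry paths are the documented Winlogon and
# USBSTOR keys. Function names and output fields are this example's own.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UsbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WorkstationHardening {
    # One object per host so results from all 11 workstations can be collected
    # and compared (for example via Invoke-Command or a login script).
    $autoLogon  = Get-RegValue $Winlogon 'AutoAdminLogon'
    $defaultPwd = Get-RegValue $Winlogon 'DefaultPassword'
    $usbStart   = Get-RegValue $UsbStor  'Start'

    [PSCustomObject]@{
        Computer                    = $env:COMPUTERNAME
        AutoLogonEnabled            = ($autoLogon -eq '1')
        # Winlogon stores DefaultPassword in clear text in a key that ordinary
        # users can read, so its presence is a finding on its own.
        PlaintextPasswordInRegistry = -not [string]::IsNullOrEmpty($defaultPwd)
        # Start = 4 (SERVICE_DISABLED) keeps the usbstor.sys driver from loading.
        UsbStorageDisabled          = ($usbStart -eq 4)
    }
}

function Set-WorkstationHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The administrator's temporary re-enable of USB storage, as the text allows.
        [switch]$EnableUsbStorage
    )

    if ($PSCmdlet.ShouldProcess($Winlogon, 'Disable automatic logon')) {
        Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon' -Value '0' -Type String
        if ($null -ne (Get-RegValue $Winlogon 'DefaultPassword')) {
            # Remove the clear-text password rather than leaving it behind.
            Remove-ItemProperty -Path $Winlogon -Name 'DefaultPassword'
        }
    }

    if (Test-Path $UsbStor) {
        # 4 = SERVICE_DISABLED, 3 = SERVICE_DEMAND_START (the Windows default).
        $start = if ($EnableUsbStorage) { 3 } else { 4 }
        if ($PSCmdlet.ShouldProcess($UsbStor, "Set Start=$start")) {
            Set-ItemProperty -Path $UsbStor -Name 'Start' -Value $start -Type DWord
        }
    }
    else {
        # On older Windows versions this key is not created until a USB storage
        # device has been attached; until then, deny access to
        # %SystemRoot%\inf\usbstor.inf and usbstor.pnf so the driver cannot install.
        Write-Warning "USBSTOR service key not present on $env:COMPUTERNAME"
    }
}

# Usage: audit, preview the change with -WhatIf, then apply.
Test-WorkstationHardening | Format-List
Set-WorkstationHardening -WhatIf
# Set-WorkstationHardening
# Set-WorkstationHardening -EnableUsbStorage   # temporary, by the administrator
```

The USBSTOR setting covers only USB mass-storage class devices; a digital camera in PTP mode or an internal CD burner is not affected by it and needs a separate control, and the BIOS-level device lockout the text recommends still has to be set by hand on each machine.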

Harris, S. (2008). All-in-One CISSP Exam Guide (4th ed.). New York, NY: McGraw-Hill.

Shafer’s Service Systems (2009). Integrated solutions for managing your service/contracting business. Available from

Zenith Infotech, Ltd. (2009). Business continuity for the SMB. Available from

