Case Study in IT Security Management - Part 1: Overview
Published: November 28, 2011
Updated: November 30, 2011
This hub is an adaptation from a case study in security management originally submitted as a term paper to fulfill the requirements for an advanced course in Information Security Management. The author presented the steps and considerations necessary to develop a security management plan for a fictitious company named Pace Heating and Air Conditioning, Inc. The plan was developed from the viewpoint of a consultant working for the Lakota Group, another fictitious company. This sample term paper demonstrates the steps necessary to develop a security management plan; no actual plan is presented in the case study, which the author presents to aid other learners in the quest to write such a term paper.
The original paper was written in APA format; however, much of that formatting was lost when it was converted to a module format. Because of the length of the final product, the paper is divided into four components:
- Case Study in IT Security Management - Part 1: Overview
- Case Study in IT Security Management - Part 2: Risk Analysis
- Case Study in IT Security Management - Part 3: Risk Management Plan
- Case Study in IT Security Management - Part 4: Legal and Ethical Issues
- Case Study in IT Security Management - Part 5: Implementation, Maintenance, and Conclusion
Pace Heating and Air Conditioning, Inc. was established in 1939 by Richard James Pace and has been providing residential and commercial Heating Ventilation and Air Conditioning (HVAC) service to customers in Eastern Ohio ever since. The company has been able to maintain a solid posture in the industry even during rough economic times.
The rationale for selecting Pace Heating as the subject for this project was to choose an organization that could benefit from a risk assessment and a written risk management plan. The organization should lack any previous analysis of this nature, and access to company information and personnel should be readily available for conducting research.
Pace Heating met these criteria because of the author's close ties to the firm that provides IT services to Pace Heating. As the engineer who supported Pace Heating for two years, the author became very familiar with the organization, its infrastructure, and its security posture.
Organization Purpose and Characteristics
The purpose of Pace Heating and Air Conditioning, as stated earlier, is to provide HVAC service to customers throughout Eastern Ohio. The organization is a corporation and as such expects to increase shareholder value by providing services in a more efficient manner than the competition. To gain an edge over the competition, Pace Heating implemented a service management package from Shafer’s Service Systems. This package simplifies the dispatch system and integrates with inventory control and accounting processes.
The personnel necessary to conduct the company's operations comprise the following:
- the company president
- an office manager
- an accountant
- three sales engineers
- a service manager
- a dispatcher
- three customer service representatives
- an inventory manager
Pace Heating maintains a fleet of service vehicles and the inventory necessary to complete most HVAC service tasks. The company employs an assortment of HVAC technicians to fill service requests as needed.
Overview of Security Posture
Pace Heating operates in an environment of mutual trust. Management trusts employees to perform their duties and not cause harm to the organization. Employees trust management to provide a safe and harmonious work environment. This environment has proven productive for the organization and enjoyable for the employees; the organization has enjoyed a historically non-existent turnover rate. However, this environment has led to a security posture that is quite lax in the areas of access control and safeguarding information.
Internet access is provided to employees for e-mail and web browsing, but no written acceptable use policy has been implemented. Employees are fairly free to use the Internet as they see fit. A Netgear router is in place between the Local Area Network (LAN) and the Internet, but most safeguards are left to the Internet Service Provider. Remote access is only available to The Lakota Group and Shafer's Service Systems for system support, but no formal agreements limiting the scope of access for these companies are in place.
All applications reside on a single file server running Windows 2000 Server, and the server is positioned in the copy room along with the router and switches. The copy room is not locked and access is not monitored. Likewise, the 11 office workstations automatically log on to the file server on power-up and are left logged in throughout the day.
The one strong point of the security posture is the Backup Disaster Recovery (BDR) solution. A Network Addressable Storage (NAS) platform from Zenith Infotech provides local backup service for the file server and the BDR solution provides the following added data protection services:
- Block Level Incremental Backups
- Instant Virtualization of Failed Servers
- Bare Metal Recovery to Dissimilar Hardware
- Off-site Data Replication to Two Collocation Facilities
(Zenith Infotech, Ltd., 2009)
Site Locations and Physical Security
The location of devices and resources within a facility has a great deal to do with the physical security of those devices and resources. At Pace Heating, most of the office workers work in open cubes easily accessible to all who enter the building. There is, however, a receptionist at the front desk to greet visitors who enter the building and the receptionist can also monitor the movements of those visitors. The file server, NAS, and network infrastructure devices are located in a copy room in the center of the building. There is presently no way to monitor who gains access to those devices because individuals often move outside the view of the receptionist.
Likewise, the warehouse area and garage are under the watch of both the Service Manager and the Inventory Manager. No vehicles, supplies, or physical inventory leave the building without the express written authorization of the Service Manager. The greatest risk to physical inventory is while the inventory is located in one of the company’s vehicles away from the facility.
Components of Physical Security
“The main threats that security components combat are theft, interruptions to services, physical damage, compromised system and environmental integrity, and unauthorized access” (Harris, 2008, p. 428). Pace Heating has no need for a full-fledged data center; all of the company's information assets and applications reside on a single file server. Fire alarms and smoke detectors are in place in appropriate locations, and fire extinguishers are readily available. The server should be mounted in a locking equipment rack. The copy room should also be locked, and those employees who require access should be issued keys.
Another component of physical security that Pace Heating would benefit from is a well-placed video surveillance system. Cameras should be mounted at the main building entrance, the entrance to the warehouse, and the copy room. The recorder could also be mounted in the equipment rack, and monitors should be placed in the Office Manager's office.
Technical Controls and Access to Sensitive Information
Technical controls are non-existent at Pace Heating. Workstations boot up into the administrative account without any prompt for a password. Management permits external devices to connect to computers without restriction. USB drives, digital cameras, and CD burners are often used by employees throughout the course of a day.
Power-on passwords should be implemented to prevent unauthorized users from accessing the systems. BIOS passwords should also be implemented to prevent all but administrative users from making changes to the BIOS settings. Finally, the use of external devices should be disabled both in the computer's BIOS and in the operating system, and the administrator could change the settings to temporarily enable external devices when necessary. These controls should be applied to all computers at the facility. Possible exceptions to the rule would be the computers used by the company President and Treasurer.
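The two operating-system findings above (workstations that log on automatically without a password, and unrestricted removable storage) can be checked and corrected from a script. The following PowerShell audit is an added example, not part of the original case study or of any tool the paper names; it assumes a Windows workstation recent enough to run PowerShell (the Windows 2000-era hosts in the study would need the equivalent registry edits made by hand) and uses the standard Winlogon and USBSTOR registry locations. BIOS and power-on passwords cannot be set from the operating system and are outside its scope.

```powershell
# Added example (not from the case study): audit automatic logon and USB
# mass-storage availability on a Windows workstation, and optionally fix both.
# Run in an elevated PowerShell session on the workstation being checked.

[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-AutoLogonStatus {
    $props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = $props.AutoAdminLogon      # '1' means auto-logon is on
        DefaultUserName = $props.DefaultUserName
        # A DefaultPassword value stores the logon password in clear text;
        # anyone who can read HKLM can recover it.
        PasswordInClear = [bool]$props.DefaultPassword
    }
}

function Get-UsbStorageStatus {
    $props = Get-ItemProperty -Path $usbstor -ErrorAction SilentlyContinue
    # Start = 3 (on demand) lets the driver load when a drive is plugged in;
    # Start = 4 (disabled) prevents USB mass-storage devices from mounting.
    [pscustomobject]@{
        DriverStart = $props.Start
        Disabled    = ($props.Start -eq 4)
    }
}

$logon = Get-AutoLogonStatus
$usb   = Get-UsbStorageStatus

$findings = @()
if ($logon.AutoAdminLogon -eq '1') {
    $findings += "Automatic logon enabled for user '$($logon.DefaultUserName)'"
}
if ($logon.PasswordInClear) {
    $findings += "Logon password stored in clear text under Winlogon"
}
if (-not $usb.Disabled) {
    $findings += "USB mass-storage driver not disabled (Start=$($usb.DriverStart))"
}

if ($findings.Count -eq 0) {
    Write-Output "No findings: automatic logon is off and USB storage is disabled."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($Remediate -and $findings.Count -gt 0) {
    # Turn off automatic logon and remove the stored credential.
    Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
    # Disable the USB mass-storage class driver. An administrator can set Start
    # back to 3 temporarily when a device is legitimately needed, which matches
    # the "enable when necessary" practice recommended above.
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    Write-Output "Remediation applied; reboot the workstation for it to take effect."
}
```

Run it once without the switch to collect findings from each of the 11 workstations, then with -Remediate on the machines that should be locked down. Disabling USBSTOR stops flash drives and card readers but not cameras that present themselves as another device class, so it covers only part of the external-device concern raised above.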
Read More of the Case Study
Continue to Part 2: Risk Analysis.
Harris, S. (2008). All in One CISSP Exam Guide (4th ed.). New York, NY: McGraw-Hill.
Shafer's Service Systems. (2009). Integrated solutions for managing your service/contracting business. Available from http://www.shafers.com
Zenith Infotech, Ltd. (2009). Business continuity for the SMB. Available from http://www.zenithinfotech.com/bdr_sol.asp