EXAMPLE 3 SECURITY ASSIGNMENT


TABLE OF CONTENTS:
INTRODUCTION
EXECUTIVE SUMMARY
ISSUE IDENTIFIED
ANALYSIS
  PLANNING
  SECURITY PLANNING
  CONTINGENCIES PLANNING
POLICY AND PROGRAMS
  POLICY
  PROGRAMS
PRACTICE
PROTECTION
  ASSESSING RISK
  CONTROLLING RISK
  MECHANISM USED
PEOPLE & PROJECTS
  PERSONNEL
CONCLUSION
RECOMMENDATIONS
BIBLIOGRAPHY
  WEB
  BOOK

Introduction:
Information security is more than computer data security. It is the process of protecting the intellectual property of an organization, and that intellectual property plays a vital role in the organization's survival. Whitman, M. & Mattord, H. (2002, p. 03) defined security as "the quality or state of being secure - to be free from danger." The key secret of any business is its information, and it must be protected. Ethically, everyone is involved in, and responsible to some extent for, the protection of information. A minor leak of important information can sink the entire organization, so information must be protected from every angle. To make this possible, every employee must understand and apply security. In practice it is impossible to achieve 100% security. People believe that securing an information system means installing a firewall, improving the authentication method, or clearly defining the security policy. Honestly, these can only improve security; none of them can provide complete security, especially in this highly advanced information technology era, where new software and IT gurus can always find a weakness in the system. To improve security, information-related problems must be understood and managed well. Using general information obtained from T-Mobile Corporation, this report briefly explains the relationship between security planning, security policy and programs, and the protection of information.

Executive summary:
This report describes a security breach incident that happened in the USA. Nicolas Jacobsen, a hacker, broke into the T-Mobile company's systems and was accessing the personal information of the company's 16.3 million customers. In this report, security planning, the company's policy and programs, and all aspects of risk handling (assessing risk, controlling risk and the mechanisms used) are defined. The report also covers the people and projects of the entire scenario, disaster recovery, and recommendations.

Issue identified:
• A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.
• Nicolas Jacobsen, the hacker, could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with Web access to their T-Mobile e-mail accounts. He did not have access to credit card numbers.
• T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity-theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation. Company spokesman Peter Dobrow said Tuesday that nobody at T-Mobile was available to comment on the matter. (Kevin Poulsen, SecurityFocus, viewed on 6-06-05, 22:00)

Analysis:
Planning
"If systems were built with care and good software engineering practice, we would have a greatly reduced problem with information security." - Eugene H. Spafford
Information is the unique asset of any organization, and it must be protected so that the organization will survive. With accurate security planning, an organization can achieve the desired success. The information gathered from the company reveals that security planning is done at three levels: strategic planning, tactical planning and operational planning. Generally, strategic planning is done on a large scale, such as planning for the entire organization. Tactical and operational planning is done on a smaller scale; for example, different departments have their own tactical and operational plans. (Whitman, M. & Mattord, H. (2002, p. 68))

Security Planning:
To make the information security process more effective, it is important to understand the core principles of management. In the T-Mobile organization, management applies some of these characteristics to design information security. There are two well-known approaches to management: traditional management theory uses the core principles of planning, organizing, staffing, directing and controlling, while popular management theory uses the principles of planning, organizing, leading, and controlling. The success of any management depends on how the manager solves problems. The T-Mobile company uses five steps for resolving many operational problems:
• Step 1: Recognize and Define the Problem
• Step 2: Gather Facts and Make Assumptions
• Step 3: Develop Possible Solutions
• Step 4: Analyze and Compare the Possible Solutions
• Step 5: Select, Implement and Evaluate a Solution
Furthermore, they also apply the extended characteristics of information security known as the six Ps: Planning, Policy, Programs, Protection, People and Project Management.

Contingencies Planning:
Planning for contingencies is the process by which the information technology and information security communities of interest position the organization to prepare for, detect, react to and recover from events that threaten its information assets, both human-made and natural. It consists of three major components:
• Incident response plan
• Disaster recovery plan
• Business continuity plan
An organization adopts a multiple-plan approach with interlocking procedures, namely the incident response plan and the disaster recovery plan.

Policy and Programs:
Policy:
Policies are descriptions of the security precautions that are required for different types of information and access. Policies specify what must or must not be done to fulfill the principle and protect information, people, property, and reputation. They should be short, precise and easy to understand. Creating information security policies and procedures requires an evaluation of information and systems, the assignment of responsibilities, and support from all employees. Top-level management personnel must support and follow the information security procedures more than anyone else in the company, because this demonstrates the importance of the policies, and because they have rights of access to the most valuable information in the company. According to Pipkin, D. (2000, p. 97), "It is only through the close alignment of business objectives with sound strategy that a set of policies can be developed to truly enhance the abilities of the organization." There are different types of policies for the T-Mobile organization:
1. Use of Information (Whitman 2004, p.112).
Policy: Account x information must be used only by the authorized end user.
Commentary: This policy states that all non-approved uses of Account x information are prohibited.
Audience: End User, Management
2. Information Handling, Access and Usage (Whitman 2004, p.112).
Policy: Information is an important asset, and all access to, use of, and processing of Account x information must be consistent with policies and standards.
Commentary: This policy sets the context for a number of other information security policies.
Audience: End User, Management
3. Sending Information to Third Parties
Policy: Prior to sending information to third parties, not only must the intended recipient be authorized to receive such information, but the procedures and information security measures adopted by the third party must be seen to continue to assure the confidentiality and integrity of the information.
4. Maintaining Customer Information Confidentiality
Policy: Information relating to clients and third-party contacts is confidential, and must be protected and safeguarded from unauthorized access and disclosure.

Programs:
Security programs are the definitions of how to implement the policies on a specific technology. A program will change when the technology to which it relates changes. It will also identify those technologies that are unable to implement a policy. Programs are the detailed instructions on how to meet the criteria defined in policies, such as organizing for security, assigning responsibilities, defining information security roles and titles, integrating security with the help desk, and implementing security education, training and awareness. Security programs clearly explain the duties and responsibilities within the organization's security design. The security program for the company includes the following programs:
Training: Training sessions should be held to train employees in how to maintain the security of the system, and there should be training sessions for consumers about internet banking and other online services, so that they can use the system safely.
Antivirus and security: Proper security software, such as a firewall and the latest antivirus, should be installed on the data server, so that an unauthorized person cannot hack the system.
Meeting: Such programs should be organized on a regular basis so that employees and consumers can participate, so that everyone is aware of new technologies and the necessary changes can be made to make the system more secure.

Practice:
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best security practices. In this case, security practice follows the good security practice described on a web site established by the federal government. This project, known as the Federal Agency Security Project, was the result of the Federal Chief Information Officer Council's Federal Best Security Practices. The best security practices that the T-Mobile company should follow are described below:
Identification and Authentication
- Creating Passwords
- Password Cracking Information
- Password Management Standard
- T-Mobile Policy and High-Level Procedures for Password and Access Forms
Hardware and System Software Maintenance
- Configuration Management Plan
- Interim Policy Document on Configuration Management
- T-Mobile Policy and High-Level Procedures for Hardware and Application Software Security
Network Security
- E-mail Spam Policy
- Network Perimeter Security Policy
- Securing POP Mail on Windows Clients
- How to Deploy Firewalls
- Configuration of Technical Safeguards
- Network Security Management Policy
- How to Secure a Domain Name Server (DNS)
Incident Response Capability
- Computer Incident Response Team Desk Reference
- Identification and Authentication of Agency Systems
- Computer Virus Incident Report Form
- Generic Policy and High-Level Procedures for Incident Response
- Developing an Agency Incident Response Process
Personnel Security
- Policy on Limited Personnel Use of Government Office Equipment
- Email Policy
- Internet Use Policy
- Guidelines for Evaluating Information on Public Web Sites
- Receipt of Proprietary Information
- Investigative Requirements for Contractor Employee Policy and Procedures
- Internet Security Policy
- Telecommuting and Mobile Computer Security Policy
- T-Mobile Large Service Application Information Technology Security Program Policy
- Security Handbook and Standard Operating Procedures
(Whitman 2004, p.122)

Protection:
Assessing risk:
The risk identification process starts with the identification of information assets, including people, procedures, data and information, software, hardware and networking elements. The risk assessment is divided into the following steps:
1. Data privacy and confidentiality
2. Data integrity
3. Authentication
4. Non-repudiation

Controlling risk:
To control risk, apply safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerabilities.
User IDs and Passwords: The most common method of restricting data access on the internet is much older than the technology that utilizes it. Consumers should change their passwords frequently.
Data Encryption: Restricting access to sensitive information is the first step toward maintaining data privacy. For financial institutions to be able to deliver account and transaction summaries, they must utilize encryption methods. Secure Socket Layer (SSL) and Secure Hypertext Transfer Protocol (S-HTTP) are two standardized technologies that provide encryption.
Certificate Authorities and Digital Certificates: These address the issues of authentication, non-repudiation, data privacy, and cryptographic key management.
Virtual Private Networks: A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of tunneling protocols and security procedures. Using a VPN involves encrypting data before sending it through the public network and decrypting it at the receiving end.

Mechanism used:
In order to provide high standards of security, the company should be equipped with good hardware and software to keep the database secure. Different types of hardware are used, such as high-quality routers, LAN wiring, and web browsers. The router should be well configured with a firewall on it, so that it will not allow any unknown person to access the precious information on the database server. Software such as anti-virus and a firewall should be installed on the web server, so that the data does not get corrupted and does not fall into the wrong hands. The SSL layer with 128-bit encryption should transfer data with high security, so that no one can intercept the data while it is in transit. (Whitman 2004, p.132)

People & Projects
Personnel
Maintaining a secure environment requires that the information security department be carefully structured and staffed with appropriately credentialed personnel. It also requires that the proper procedures be integrated into all human resources activities, including hiring, training, promotion and termination practices. In most cases the organization looks for a technically qualified information security generalist, with a solid understanding of how the organization conducts its business, to serve as the chief information security officer. During the hiring process, applying standard job descriptions can increase the degree of professionalism in the information security field and improve the consistency of roles and responsibilities among organizations. Management should integrate security concepts and practices into the organization's employment activities.

Conclusion:
After reviewing all aspects of the case study and its security consequences, it is clear that the breach was the result of the T-Mobile security staff's negligence: however smart a hacker is, he may break into a system once, but he should not be able to access all the private information of the company's customers for a year. So, the T-Mobile company must improve its security system and try to identify the weak points of the entire system. The case study also mentions that, because of the T-Mobile company, the U.S. Secret Service was also affected and lost very precious data as well. Therefore the U.S. Secret Service security infrastructure also needs some improvement. Both organizations should arrange security training programs and train their employees to be more aware of this type of hacker and threat. Management must understand the importance of setting policies, standards and procedures for the protection of information. Moreover, security can be clearly defined by understanding the value of the information assets and the potential cost to the organization, and by determining the appropriate level of protection. It is also important that the information security design is consistent and reasonable. Legal issues are also involved in protecting information, and they fall on the corporate officers who are responsible for the safekeeping of the information assets.

Recommendations:
From the review and analysis of the case study, I recommend that:
• The T-Mobile organization must have a vision, values and mission statement to set its goals.
• In practice it is impossible to get 100% security, so the organization must analyze and evaluate its planning and policies.
• The contingency plans should be tested and rehearsed at regular intervals.
• The organization must have strategic planning for its long-term goals.
• The organization must use an SDLC methodology for the design and implementation of information security.
• Feasibility checkpoints must be built into the planning process.
• The company must run security education and training programs.
• The security policy must include security audits on a regular basis.
• The organization must use a security management model to design its security framework.
• Every organization has a risk appetite, but management should try to reduce it as much as possible.
• The security personnel must hold the System Security Certified Professional certification.

Bibliography:-
Web:
Kevin Poulsen, SecurityFocus, viewed on 6-06-05, 22:00. http://www.securityfocus.com/news/10271 [Accessed 07/6/2005; Time 22:00]
http://www.foundstone.com/pdf/riskassessment.pdf [Accessed 07/6/2005; Time 22:05]
http://www.cabrillo.edu/~bmcmahon/CIS175-F04/files/chap05.pdf [Accessed 07/6/2005; Time 22:10]
http://fasp.nist.gov [Accessed 8/6/2005; Time 20:20]
Kevin Poulsen, http://www.securityfocus.com/comments/articles/10271/29950/threaded [Accessed 9/6/2005; Time 19:25]
Book:
1. Adapted from M.E. Whitman, Enemy at the gates: Threats to information security, Communications of the ACM, August 2003.
2. M.E. Whitman, Management of Information Security, Communications of the ACM, August 2003.
3. Pipkin, D., 2000, Information Security, Prentice-Hall of Australia Pty. Ltd., Sydney, Australia.