
Control Identification Form Revision_10docx - Wikispaces

By Jerry Collins,2014-08-09 11:47

Katherine Jackowski

Elizabeth Kearney-Lang

Daureen Lingley-Chor

Risks, Threats and Exposures

    Threats to an organization’s Information System’s security can come from both internal and external sources. They include viruses, malware, and Trojan horses, among others, and can be accidental or intentional.

    According to the 1991 Annual Report submitted by the Computer System Security and Privacy Advisory Board, the following areas were found to contribute to the economic loss of organizations: “65% errors and omissions; 13% dishonest employees; 6% disgruntled employees; 8% loss of supporting infrastructure, including power, communications, water, sewer, transportation, outsiders, including viruses, espionage, dissidents, and malcontents of various kinds, and former employees who have been away for more than six weeks.” [1] Between the years 1999 and 2003, attacks on computer servers increased by over 530% to 137,000 incidents in the United States. [2] FinCEN [3] reports in their Suspicious Activity Report that computer intrusions have increased more than 500% from 2003 to 2004.

Key Success Factors

    Senior management commitment to Information security

    Management’s understanding of Information security issues

    Information Security centrally-based

    Integration between security objectives and business objectives

    Proactive security plan which includes awareness training of staff

    Automated risk management process which includes definition of risk limits and risk tolerance

    Performance measurements

    Up-to-date Protective Techniques

    Enforcement of Security Policies

    Avoid over-control that may reduce the efficiency of the system

    Applications are secured before implementation

    Service Level Agreements (SLAs) are utilized with suppliers to promote awareness and co-operation relative to security

    IT Governance fosters ethical behavior

Client

     Our client is a small manufacturing business, Image Polymers Company LLC, established in 1991. They are a wholly owned subsidiary of Mitsui Chemicals America, Inc. Image Polymers Company outsources their IT functions to Covisia Solutions, Inc. They currently use the Windows XP Professional operating system and Sage Software MAS500 Version 7.30.40, a SQL Server-based enterprise management software system. They also use Sage Fixed Assets System software and Microsoft Office 2007 (Excel, Word, Outlook, and PowerPoint). They have 5 servers in total: a virtualized server with three distinct server areas (the first contains a domain controller section for confirming usernames and passwords, the Exchange section for e-mail, and the file storage and print section; the second is the Citrix server; and the third is the MAS500 server, which houses the MAS500 database), a back-up server for the domain controller, and a Back-up Business Disaster Recovery (BDR) server.

    Notes:

    [1] An Introduction to Computer Security: The NIST Handbook, SP 800-12.

    [2] The World Technology Risk Checklist 7.3.

    [3] FinCEN - Financial Crimes Enforcement Network, a U.S. government agency established by the U.S. Department of Treasury in 1990 to provide multi-source financial intelligence and analysis.

    Control Identification Form

Control Objective:

    To ensure preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.

    To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate fraudulent activity.

| Control | Control Category | Type of Control | Benefit of Control | Adverse Impact if Control Not in Place/Effect |
|---|---|---|---|---|
| IPDS System (Intrusion Prevention and Detection System) | Mechanism | General; Primary; Preventative, Detective | To prevent the consequences of undetected intrusions. | Intrusion, i.e. malware or spyware; loss of confidentiality and integrity. Compromised Information System. Disclosure of proprietary information. |
| Create unique passwords for IPDS users and administrator | Mechanism | General; Secondary; Preventative | Limited access to authorized users only in order to safeguard assets. | Unauthorized access and disabling of the IPDS system. |
| Restrict network access to IPDS components | Mechanism | General; Secondary; Preventative | Preservation of the IPDS components. | Useless IPDS System. |
| Limit direct access to IPDS components | Mechanism | General; Secondary; Preventative | Preservation of the IPDS components. | Useless IPDS System. |
| Update Intrusion Detection System (IPDS) when new threat is detected and quarterly | Mechanism | General; Primary; Preventative | Most up-to-date intrusion detection available to fight newly recognized intrusions. | Vulnerable to new intrusion techniques. |
| Protect IPDS management communication through physical or logical separation or encryption | Mechanism | General; Secondary; Preventative | Protection from unauthorized changes. | Manipulation of communication log. |
| Log System to record log-ins and intrusions | Mechanism | Application; Primary; Detective | Keep a log of intrusions to determine patterns; this should aid in detection of malicious code. | Altered or missing log file; no history available. |
| Maintain Log System files in secure location | Policy | General; Secondary; Preventative | To keep a record for future reference. | Altered or missing log file; no history available. |
| Perform vulnerability assessments/tests quarterly | Mechanism | General; Primary; Detective | To confirm the system is functioning as it should. | Do not know if the current system is functioning as it should. |
| Conduct penetration tests bi-annually | Mechanism | General; Primary; Detective | To confirm the system is functioning as it should. | Do not know if the current system is functioning as it should. |
| Network firewall | Mechanism | General; Primary; Preventative | To complement the IPDS System; filter network traffic. | Unauthorized access to Information Systems. |
| Antivirus Software | Mechanism | General; Primary; Preventative | To complement the IPDS System; detect many threats the IPDS cannot. | Infected with malware, i.e. virus, worms, Trojan horse, malicious mobile code, blended threats, keystroke logger, backdoors. |
| Spyware | Mechanism | General; Primary; Preventative | To complement the IPDS System. | Infection with malware and non-malware forms of spyware. |
| Training | Policy | General; Secondary; Preventative | Personnel have the skills required to deal with the security issues. | Unqualified personnel could lead to security compromise. |
| Response Procedure | Procedure | General; Primary; Preventative | Provide uniform response if a threat is detected. | Incorrect measure taken when threat is detected. |
| Back-up Procedure | Procedure | General; Secondary | Current back-up if needed. | Unnecessary extended downtime. |

    Control Identification Form

Control Objective:

To control access to the Information Systems to prevent unauthorized use and to restrict authorized use.

    To ensure proper controls are in place to ensure data and system availability in order for the Information Systems to fully support the organization’s objectives.

| Control | Control Category | Type of Control | Benefit of Control | Adverse Impact if Control Not in Place/Effect |
|---|---|---|---|---|
| Security Policy | Organizational | General; Secondary; Preventative | To communicate the Policies authorized by Management. | Lack of awareness of Security Policy. |
| Unique user ID and password for each individual network user (long in length - mix of letters, numbers, & symbols) | Policy | General; Secondary; Preventative | Controls access to the system and fosters system security. | Unauthorized access to information, which could affect the security of information. |
| Automated enforcement to changing passwords | Policy | General; Secondary; Preventative | Frequent password changes limit the likelihood of unauthorized access. | Possible password theft and unauthorized access to the system. |
| Policy & Procedures regarding Third Party Access | Policy | General; Secondary; Preventative | Controls, limits and restricts outside access to the system, ensuring system integrity. | System could be compromised due to no controls as to how the system could be accessed by outside parties (example: a guest password would ensure employees do not share their passwords with guest users). |
| Policy & Procedure to deactivate access prior to employee termination | Policy | General; Secondary; Preventative | Ensures only active employees have access to the system, limiting the possibility of retaliation or sabotage of the system. | Disgruntled employees may access the system and compromise the data and security of the system or obtain proprietary information. |
| Written Policy re: proper use of Information System with required Signature of employee | Legal | General; Secondary; Preventative | Ensures employee knowledge of and responsibility to properly safeguard the system. | System could be vulnerable to unauthorized access due to password sharing or weak password selection. |
| Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.) | Mechanism | General; Primary; Preventative, Detective | Prevent unauthorized access. | Unauthorized access gained. |
| Properly segregate duties regarding the Information System to limit access | Organizational | General; Secondary; Preventative | Limit access based on job descriptions and appropriate access. | Too many people with unlimited access, which can lead to unauthorized access and affect the reliability of the data. |
| Inactive sessions shut down after a defined period of inactivity | Mechanism | General; Secondary; Preventative | Prevent unauthorized access when a system is left idle for a period of time. | Gain unauthorized access. |

    Control Evidence Form

| Control | Evidence that Control Would be in Place | Evidence that Control Would be in Effect |
|---|---|---|
| IPDS System (Intrusion Prevention and Detection System) | Third party confirmation. Documentation of procedure for IPDS system; review audit security log. | System availability. No disruption or minimal disruption of service due to detected intrusions. Audit security log, documentation of system review and response. |
| Create unique passwords for IPDS users and administrator | Obtain list of users and administrators. Interview management, staff and IT staff. | |
| Restrict network access to IPDS components | Obtain list of users and administrators. Interview management, staff and IT staff. | |
| Limit direct access to IPDS components | View physical location for lock or method of restriction on accessing components, i.e. sensors, agents. | |
| Update Intrusion Detection System (IPDS) when new threat is detected and according to vendor recommendations | Updates Log File. Confirmation from vendor re: number of updates provided in the last year. | |
| Protect IPDS management communication through physical or logical separation or encryption | Third party confirmation. | |
| Log System to record log-ins and intrusions | View log file. | |
| Maintain Log System files in secure location | View physical location of Log System. | |
| Perform vulnerability assessments/tests quarterly | Third Party Confirmation. Observe vulnerability test. | |
| Conduct penetration tests bi-annually | Third Party confirmation. Observe penetration test. | |
| Network firewall | | |
| Antivirus Software | View Software License. View program in program files on equipment, i.e. laptop, server. | |
| Spyware | View Software License. View program in program files on equipment, i.e. laptop, server. | |
| Training | Physical written documentation. Sign-in list of employees attending training. Documents used in training classes. | |
| Response Procedure | Physical written documentation of procedure. | |
| Back-up Procedure | Physical written documentation of procedure. | |
