Unit Outline
Information Security Risk Assessment
Module 1: Introduction to Risk
Module 2: Definitions and Nomenclature
Module 3: Security Risk Assessment
Module 4-5: Methodology and Objectives
 Module 6: Case Study
Module 7: Summary
Module 6
Case Study
Case Study
Introduction
The Arlington Community Schools of Hawk County (ACSHC) is
planning to conduct a risk assessment. For this case study, you are to
put yourself in the position of the team leader responsible for the
risk assessment on the Student Management System (SMS) for this
school corporation.
This school corporation includes an elementary school, a middle
school, and a high school. There are 1028 students, 61 teachers, 9
administrators, 2 full time technology staff, and IT consultants all of
whom have regular access to the ACSHC information system
including SMS. Also, the software developers for SMS Software
have remote access to this system to perform software updates. All
users have the ability to remotely access their home directory from
any Internet connection. Access to the Information System varies
depending upon a person’s role at ACSHC.
Case Study
List of Users/Admins with SMS Information, Part I
• IT Support Staff – These users include two full time employees and two
outside technology contractors. It is this group’s role to maintain all
workstations and servers and provide support and training to the end users.
They are responsible for all areas of the Information System such as backups,
updates, repair, and replacement.
• Corporation and School Administrators – These users are the leaders of
ACSHC and the respective schools. They have access to student and teacher
folders as well as their own on the network. In the SMS system they have access
to discipline, contact information, schedules, attendance records, demographic
information, grades and academic history.
• Bookstore Secretary – These two users run their schools bookstores. They also
are responsible for their respective school’s accounts. In the SMS system they
have administrative access.
• Support Staff – These users include the main school secretaries. They have
access to their own directories on the information system. In the SMS system
they have access to almost all administrative aspects and components.
Case Study
List of Users/Admins with SMS Information, Part II
• Guidance Staff – These users make up the corporation guidance department.
They have access to their own directories on the information system. In the
SMS system they have access to discipline, contact information, schedules,
attendance, demographics, grades, academic history, and schedules.
• Teachers – These users make up the second largest group of users. They
have access to their own directories and that of their students. They have
individual login names for network connectivity. In the SMS system they have
access to attendance, grades, schedules and contact information.
• Instructional Assistants – These users provide education support for
teachers and students. Like teachers, they have individual login names for
network connectivity but do not have access to the SMS system.
• Students – These users make up the largest group of users. They have access
to their individual user directory. In the SMS system they have access to their
own schedules. All students logon to the workstations using the same user
login name, student.
Case Study
Management Controls
• The ACSHC facility has two distinct buildings on one campus. One building
houses an elementary, a middle school and a high school; the other building
houses the ACSHC corporation office. The ACSHC information system’s
main distribution frame (MDF) is connected to five intermediate distribution
frames (IDF) via fiber optic cable. There are also multiple wireless access
points that are secured via 128 bit encryption.
• The current controls for ACSHC SMS Information system are categorized
into the following three: management controls, operational controls, and
technical controls.
• Management Controls
– Management Controls of an IT system are concerned with identifying the
personnel and human factors that are involved in managing an
information system. This includes items such as separation of duties,
security and technical training, and assignment of responsibilities.
Case Study
Operational Controls
•
•
•
Operational Controls of an IT system are concerned with the physical controls in place
to protect the system. This includes items such as main server room door, backup
systems, temperature control systems, dust control systems, quality of electrical power,
and physical security such as locked doors and access control.
The main server room is located directly behind the Director of Technology’s office
requiring passing in front of the Director’s door to gain access to the room. The lock
on the server room door requires an ACSHC master key and is kept locked except
when the room is in use. The server room contains the router to the Internet, the main
switch, and five servers. The SMS server sits on the floor with the email server sitting
on top of it. Each server has its own uninterruptible power supply (UPS) which sits on
the floor next to the servers. There are also two cabinets that contain the other three
servers, two UPSes, patch panels, switches, fiber connectors, and the router to the
Internet powered by two circuits. This room houses two other cabinets that contain the
intercom system and surveillance equipment. High temperatures have been avoided in
this room with the installation of its own air conditioning unit.
There is an internal backup drive in the SMS server which is used to perform a full
server back-up on the SMS system every Wednesday night. The backup tapes are
changed by the Director of Technology and stored in the school vault or in the
Directory of Technology’s purse. Other backups are performed on the system before
updates are installed.
Case Study
Operational Controls
•
•
•
Operational Controls of an IT system are concerned with the physical controls in place
to protect the system. This includes items such as main server room door, backup
systems, temperature control systems, dust control systems, quality of electrical power,
and physical security such as locked doors and access control.
The main server room is located directly behind the Director of Technology’s office
requiring passing in front of the Director’s door to gain access to the room. The lock
on the server room door requires an ACSHC master key and is kept locked except
when the room is in use. The server room contains the router to the Internet, the main
switch, and five servers. The SMS server sits on the floor with the email server sitting
on top of it. Each server has its own uninterruptible power supply (UPS) which sits on
the floor next to the servers. There are also two cabinets that contain the other three
servers, two UPSes, patch panels, switches, fiber connectors, and the router to the
Internet powered by two circuits. This room houses two other cabinets that contain the
intercom system and surveillance equipment. High temperatures have been avoided in
this room with the installation of its own air conditioning unit.
There is an internal backup drive in the SMS server which is used to perform a full
server back-up on the SMS system every Wednesday night. The backup tapes are
changed by the Director of Technology and stored in the school vault or in the
Directory of Technology’s purse. Other backups are performed on the system before
updates are installed.
Case Study
Technical Controls
• Technical controls of an IT system are concerned with digital security to
protect an information system or allow the ability to trace an intrusion.
• Examples of technical controls include:
–
–
–
–
–
–
Communication
Firewall
Intrusion Detection System
Encryption
System Audits
Object reuse.
• Examples of technical controls in the ACSHC system include:
– Vexira anti-virus software
– Deep Freeze and Fool Proof workstation security software
– Filters to prevent students from downloading files from the Internet
Case Study
Questions
1. According to the material of Module 4 of
Course 1 or standards in document 800-30
(NIST 800-30), please identify the main work
plan steps of risk assessment in this case.
2. If you conduct the threat assessment-one part
of the risk assessment of the SMS information
system for ACSHC, how many sub-categories
will you think of dividing your investigation
into? Please briefly explain how each plays a
role in this specific case.
Case Study
Question 1, Reference Solution A
1.
According the course material, the main work plan steps are:
a.
b.
c.
d.
e.
Planning: It includes risk assessment scope determination and security
baseline in which we should identify the current system characteristics.
Preparation: This is mainly to identify the assets related with the SMS
information system at ACSHC. This can further break down to asset
identification, asset classification and asset prioritization based on their
weighted important to confidentiality, integrity and availability.
Threat assessment: This is the study covering threats, threat sources, and
threat impacts.
Risk assessment: This includes evaluation of current risk controls,
vulnerability identification, likelihood determination, and all the
information generated so far will lead to the complete risk
determination about the SMS information system for ACSHC.
Finally, we can obtain the complete control recommendations.
Case Study
Question 1, Reference Solution B
1.
If we follow the NIST 800-30, the main risk
assessment work plan steps are:
Step 1 – System Characterization
Step 2 – Threat Identification
Step 3 – Vulnerability Identification
Step 4 – Control Analysis
Step 5 – Likelihood Determination
Step 6 – Impact Analysis
Step 7 – Risk Determination
Step 8 – Control Recommendations
Step 9 – Results and Documentation
Case Study
Question 2, Reference Solution
2.
Mainly, the threats to the SMS information system of
ACSHC can be categorized into three areas: human
threat (internal/external), natural/physical threats, and
technical threats based on the threat sources.