IS SECURITY FOUNDATIONS WORK

The submission word limit is 2000 words. You must comply with the word count guidelines. You may submit LESS than 2000 words but not more. You are required to use only the Harvard Referencing System in your submission.

Assessment Brief

Section A describes what you have to do as an assignment that satisfies the assessment requirements of the module. You have to provide answers to a request for information posed by senior management of a fictional company described in the case study. Their request consists of a number of questions, and your response will go into an advisory report. You must provide answers to all the parts specified in Section A. The case study can be found in Section B. Section C contains an overall marking guide.

Section A: Assignment

The consultancy firm that you work for as an Information Security expert continues to work closely with the Verdilan group of companies. The consultancy firm has previously advised Verdilan about raising awareness of IS security and documenting risks, and has assisted in the management of a security incident. The group has received significant financial backing from investors, with explicit instructions from the board to enhance the group’s information security defences.

You will be expected to address Verdilan’s request for information by providing advice on information security topics, which ultimately will help inform the group’s investment strategy. Your rationale and discussions must be both understandable to non-technical management and reassuring to technically minded employees. Through clear, succinct explanations you need to convince all readers of your document that you, as the IS security expert, have appropriate knowledge and skills. This includes being able to cite examples of suitable publications as evidence to support your advice and recommendations.

The responses you provide must be relevant to the case study and must not rely overly on generalities. Examples must be related to the Verdilan Group in the case study and not based on other situations (although some comparison is acceptable). If you make an assumption about the case study, then ensure that you explicitly state what the assumption is. You need to use a minimum of 3–5 references in the report to support analysis, explanations or proposed solutions. The references may be published standards or research articles.

The title of the assignment is: Verdilan Group Information Security Advisory Report

The report must be structured in four sections using the following headings:
1. Chief Financial Officer Requests
2. Technology Transformation
3. Database Security
4. References

What you write in each report section must match the requirements for it. Each report section states the number of marks it attracts.

1 Chief Financial Officer Requests

The Chief Finance Officer (CFO) is not fully convinced about the need for investment in information security and would prefer to focus on the marketing strategy. The CFO is overwhelmed by the number of vendor reports about threats and was recently sent a statistical report about different types of threats.

1.1 In the context of Verdilan’s business role, describe the impact of an information security breach on the organisation and how a further attack would damage the business, to assist in re-focussing the CFO’s priorities. [10 marks]

1.2 The CFO is interested in deceptive threats but does not fully appreciate the concept and what it means to her business. You are required to cover three areas to provide advisory assistance: [15 marks]
- Define the cyber threat category of deception.
- Describe the likely consequence of the threat category.
- Describe deceptive attack methods and discuss the different ways they could be achieved in Verdilan’s environment, considering the company’s assets.

1.3 Verdilan want to move away from solely relying on consultancy services for IT security and to permanently hire an IT security officer. Outline the key IT security responsibilities required of the role in an enterprise. [5 marks]

2 Technology Transformation

Previous risk assessments by the consultancy firm indicated that Verdilan’s poor management and operation of on-premise IT assets is one of the greatest risks faced by the company. The case study demonstrates that Verdilan already consume some cloud services. The company are considering how best to address this risk.

2.1 Outline the advantages and disadvantages of a technology transformation program that would see the firm’s IT services being moved entirely to the cloud. [10 marks]

2.2 Identify and describe the key threats to a cloud deployment, considering both existing cloud services and potential IT services that would migrate from the company’s office. [10 marks]

2.3 Provide advice on good practice cloud security measures that the transformation program would need to consider. [10 marks]

3 Database Security

The company are concerned about their current lack of understanding of database security.

3.1 Explain how encryption can be used to protect a database architecture. [5 marks]

3.2 Describe ways that a database can be attacked and the consequences for data, and propose countermeasures to secure the asset. [15 marks]

3.3 Outline a security management process that could be followed to improve the security posture of the organisation’s databases. [10 marks]

4 References [10 marks]

Marks will be awarded for the entire task for formatting, referencing and use of language, including use of the Harvard Referencing Style.

Section B: Case Study

The Business and its Organisation

This case study describes a 2-year-old, medium-sized business in garden work and landscaping, called Verdilan, which is organised as a small group of companies. The group has 320 permanent staff, with about 40% employed full-time; at the busiest part of the year another 200 contract staff may be hired.
The business was formed from two existing companies – Felltree and VLI (Verdant Landscape Innovations) – with different histories and organisational cultures. These two companies generate revenue by selling services to customers. VLI also sells some products. These original companies (Felltree and VLI) became subsidiaries of a holding company, and a third – Verdant Services – was added, over time, to provide shared services, like IT. The three subsidiaries operate, in effect, as different divisions of Verdilan and plan to maintain their separate identities and brands until the whole business becomes more mature.

The Felltree subsidiary is a service business that clears land of unwanted or problem trees, shrubs, hedges and other planting. Felltree started 4 years before and originally worked only in domestic settings, but since becoming part of Verdilan it has been successfully expanding into large-scale projects and ongoing programmes of work: clearing land for construction companies, maintaining campuses for universities and hospitals, and working for local councils to maintain parks and other public spaces. Whereas for domestic projects Felltree is the main contractor for a client, for commercial projects or maintenance programmes it is often a sub-contractor. When a client requires new planting after it has cleared a site, Felltree often needs to sub-contract to a horticulture or landscaping company to re-plant the site, and often uses its sister company VLI.

For over twenty years the VLI subsidiary developed a thriving business in large-scale landscaping using ethically managed plants and organic fertilisers and treatments, several of which it developed itself. Because of the success of the organic products, for the past two years VLI has been increasingly focusing its R&D on organic products for other landscapers to use as well as itself. Now, the services VLI provides to its customers are often consultancy services, rather than all being about sourcing plants and planting them. It frequently acts as a specialist subcontractor to Felltree, when Felltree’s contract with its customer involves new planting.

Verdilan Services is an internal division of the group that does not interact directly with customers, except for drawing up service contracts and issuing invoices to customers of the other subsidiaries. It was formed in the past year to (a) provide common administrative and IT services to Felltree and VLI, and (b) reduce costs in the group overall by developing common policies and processes and employing expertise that both subsidiaries can share.

There is one management team for the whole group. It consists of five directors: the three founders (two who created Felltree, and one who created VLI), a new MD (managing director) and a new CFO (chief finance officer). There is no director who is a specialist in IT, and none of the directors have any real expertise in IT, so the CFO takes on the IT leadership role for the group.

Use of IT in Different Divisions

The CFO is ultimately responsible for the IT services provided to the group. As with the creation of service contracts and invoicing, her aim is to streamline the IT used internally and to safeguard the business’s assets. There is considerable IT diversity in the business, and she believes that this will need to be reduced to some extent. Two IT helpdesk technicians support the entire IT needs of the group. They report directly to the CFO.

VLI, the older of the divisions, has used internal computers since it was founded, but no particular principles or policies were used in the purchase and use of computers, which were relatively expensive when VLI started. Hence, purchases and subsequent integration were done in a haphazard way. Most computers are office-based desktop computers, mostly Windows computers running a variety of versions of the operating system dating as far back as Windows XP, but some are Macs, and several are scientific workstations (generic PCs, typically running Linux). VLI’s email service was originally provided via an internal server, and although all members of staff in the group now use an external Exchange server via whatever client mail application they prefer (on their desktop computers, laptops, tablets and phones), the old mail server still works and some people use it almost as a private server. Many of the senior staff in VLI would not describe themselves as ‘tech savvy’. They do not think about IS security. A quarter of the staff members are scientists who use Unix and Linux systems and are used to managing their systems without the interference of others. They write scripts in a variety of scripting languages and use C, C++ and Java for programming.

When Felltree started, it mostly used web services to run its business, and the processes and systems for the business are still mostly web-based. Since most of the Felltree team members are often out of the office, working on sites or visiting clients, they are more comfortable with tablet computers, smartphones and laptops, almost always connected by Wi-Fi when it is available or by 3G or 4G mobile phone services. The Felltree team uses WhatsApp, Skype IM and text messages as much as email, and each member of staff uses their own favourite apps. The entire team uses Trello for project management. The only people in Felltree to use desktop computers are the graphic designers and website developers. They use iMacs. The website developers code with HTML, CSS, PHP, JavaScript and jQuery.

Although all the members of Felltree have Verdilan email accounts on Exchange, the name “Felltree” is still seen as a strong brand and most of the original team, including directors, use a “Felltree” email id, with email services provided by the hosting service that runs the company’s website. Felltree staff are generally younger than their colleagues and are very ‘tech savvy’. They are used to finding out what works for them and then, as a group, will discuss (probably using external social network technology) and agree to use a tool like Trello, but they are less inclined to follow rules for the sake of following rules.

Since the creation of Verdilan Services, there has been a more systematic approach to IT across the group and common information systems are beginning to take over in all the subsidiaries, but the CFO often does not have the time or staff to consult others on new policies and supervise the implementation of the planned changes. All staff in Verdilan Services use Windows 10 laptops and smartphones of their choice that integrate using Microsoft Office 365. One change that Verdilan Services would like to see is the entire group standardising on the use of cloud email and collaboration tools like Office 365, Dropbox, Box or Google Docs, but it is concerned about security and has not decided which to use. The CFO would also like to procure a VOIP service, but this is not a high priority as most staff and customers use mobile phones. The company does not supply or corporately manage mobile phones, but does supply (without managing them) iPads with cellular connectivity, because of their use on customer sites, especially by Felltree.

Overall Use of IT/IS

IT is an integral part of the business, but is used in different ways in different divisions and not all users would recognise the information systems they use. Information systems are used for at least the following across the three divisions/subsidiaries (nobody is quite sure what is used where):
1. producing, disseminating and managing marketing content (e.g. via the Web and social media);
2. customer relationship management (CRM) database, both for existing clients and for prospective clients;
3. email, instant messaging of various types, VOIP and video-conferencing, e.g. via Skype;
4. financial management, e.g. for modelling and forecasting, budgeting, procurement, invoicing and payments, paying taxes (including PAYE), employee national insurance, and insurances (databases are utilised for this);
5. governance and administration, including management support and contracting;
6. human resource management, specifically for staff, sub-contractors and casual workers;
7. sales management, including recording sales opportunities, prioritising, pre-sales support and after-sales care, exhibitions and local sponsored events;
8. operations, e.g. assessing proposed projects, scheduling, planning, resource allocation, hiring and maintenance of mechanical and electric resources.

The Suppliers

There are several IT suppliers that the company management has chosen to provide services within the group, as in the following list. Other suppliers of ad-hoc purchases by the different divisions are not included.
- GreenCRM – supplier of the CRM system used by the group; GreenCRM supplies tens of thousands of companies across the world;
- KeepConnected – a provider to all the group of Microsoft email and calendar services via an external Exchange server;
- Microsoft – provides Office 365;
- PayUS – an online payroll and expenses service used by the group, except VLI, which is still partially using its own systems developed 10 years ago; PayUS is a UK-only service with hundreds of SME clients.

Network Facilities

All processing devices – computers, tablets, phones, the server and printers – are connected to a LAN and then to the Internet, by either Ethernet cables (the desktop computers) or Wi-Fi (all portable devices). The network operates throughout and between two adjacent buildings, one being a large warehouse. The premises are located in a rural business park with little 4G phone coverage. A number of switches are used in the cabled network.

IT Problems and Concerns

A number of concerns have been expressed by Verdilan’s management, its advisors and staff. These problems, or potential problems, have been articulated in response to problems that have occurred over the past 4–5 years and have affected either part of the business or individuals, often before the current company structure existed, and mostly in VLI. The problems include:
- a concern about theft of a product design in VLI, when a competitor product appeared that resembled an early design created by VLI;
- the IT administrators are responsible for approving requests for permission changes on file servers using discretionary access control (DAC);
- the loss of a number of laptops and iPads containing customer information and commercial data;
- the old VLI server that is still used as a shared file store and to run some printer services; crucially, it contains information on much of the companies
- an attempt by an outsider to impersonate the MD by email and approve an emergency payment of a lost invoice;
- a DOS attack experienced by the suppliers of Verdilan’s email and calendar services, which affected Verdilan for two days one summer, their peak business period.

Uncertainties and Assumptions

The relatively new Verdilan Services division is trying to document the group’s IT and IS assets, but progress is slow. Staff often bring their own devices to work and use them for some special reason, e.g. a project manager will bring a home laptop to work after spending much time working at home on a difficult scheduling problem. In VLI there are an unknown number of discarded Linux-capable computers that are sometimes used to create a temporary grid facility to run computationally demanding software. In dealing with the Verdilan Group at this stage of its development, many assumptions will need to be made.

Disclaimer: the business described is fictitious and no companies with the names Verdilan or Felltree are known to exist. Furthermore, the names GreenCRM, KeepConnected and PayUS are made up for this assessment. Any similarity with real companies or their businesses is wholly accidental.

Section C: Assessment Marking Guide (Student Version)

The assignment is marked out of 100. The following table shows the mark allocation and the approach required.

Appendix A – General Grading Criteria