Unit Outline
Information Security Risk Assessment

Module 1: Introduction to Risk
Module 2: Definitions and Nomenclature
Module 3: Security Risk Assessment
Module 4-5: Methodology and Objectives
Module 6: Case Study
Module 7: Summary

Module 6
Case Study

Case Study Introduction

The Arlington Community Schools of Hawk County (ACSHC) is planning to conduct a risk assessment. For this case study, you are to put yourself in the position of the team leader responsible for the risk assessment on the Student Management System (SMS) for this school corporation.

This school corporation includes an elementary school, a middle school, and a high school. There are 1028 students, 61 teachers, 9 administrators, 2 full-time technology staff, and IT consultants, all of whom have regular access to the ACSHC information system, including SMS. Also, the software developers for SMS Software have remote access to this system to perform software updates. All users have the ability to remotely access their home directory from any Internet connection. Access to the information system varies depending upon a person’s role at ACSHC.

Case Study List of Users/Admins with SMS Information, Part I

• IT Support Staff – These users include two full-time employees and two outside technology contractors. It is this group’s role to maintain all workstations and servers and provide support and training to the end users. They are responsible for all areas of the information system such as backups, updates, repair, and replacement.
• Corporation and School Administrators – These users are the leaders of ACSHC and the respective schools. They have access to student and teacher folders as well as their own on the network. In the SMS system they have access to discipline, contact information, schedules, attendance records, demographic information, grades and academic history.
• Bookstore Secretary – These two users run their schools’ bookstores. They are also responsible for their respective school’s accounts. In the SMS system they have administrative access.
• Support Staff – These users include the main school secretaries. They have access to their own directories on the information system. In the SMS system they have access to almost all administrative aspects and components.

Case Study List of Users/Admins with SMS Information, Part II

• Guidance Staff – These users make up the corporation guidance department. They have access to their own directories on the information system. In the SMS system they have access to discipline, contact information, schedules, attendance, demographics, grades, and academic history.
• Teachers – These users make up the second largest group of users. They have access to their own directories and those of their students. They have individual login names for network connectivity. In the SMS system they have access to attendance, grades, schedules and contact information.
• Instructional Assistants – These users provide education support for teachers and students. Like teachers, they have individual login names for network connectivity, but they do not have access to the SMS system.
• Students – These users make up the largest group of users. They have access to their individual user directory. In the SMS system they have access to their own schedules. All students log on to the workstations using the same user login name, student.

Case Study Management Controls

• The ACSHC facility has two distinct buildings on one campus. One building houses an elementary, a middle school and a high school; the other building houses the ACSHC corporation office. The ACSHC information system’s main distribution frame (MDF) is connected to five intermediate distribution frames (IDF) via fiber optic cable. There are also multiple wireless access points that are secured via 128-bit encryption.
• The current controls for the ACSHC SMS information system fall into the following three categories: management controls, operational controls, and technical controls.
• Management Controls – Management controls of an IT system are concerned with identifying the personnel and human factors that are involved in managing an information system. This includes items such as separation of duties, security and technical training, and assignment of responsibilities.

Case Study Operational Controls

• Operational controls of an IT system are concerned with the physical controls in place to protect the system. This includes items such as main server room door, backup systems, temperature control systems, dust control systems, quality of electrical power, and physical security such as locked doors and access control.
• The main server room is located directly behind the Director of Technology’s office, so reaching the room requires passing in front of the Director’s door. The lock on the server room door requires an ACSHC master key and is kept locked except when the room is in use. The server room contains the router to the Internet, the main switch, and five servers. The SMS server sits on the floor with the email server sitting on top of it. Each server has its own uninterruptible power supply (UPS) which sits on the floor next to the servers. There are also two cabinets that contain the other three servers, two UPSes, patch panels, switches, fiber connectors, and the router to the Internet powered by two circuits. This room houses two other cabinets that contain the intercom system and surveillance equipment. High temperatures have been avoided in this room with the installation of its own air conditioning unit.
• There is an internal backup drive in the SMS server which is used to perform a full server backup on the SMS system every Wednesday night. The backup tapes are changed by the Director of Technology and stored in the school vault or in the Director of Technology’s purse. Other backups are performed on the system before updates are installed.

Case Study Technical Controls

• Technical controls of an IT system are concerned with digital security to protect an information system or allow the ability to trace an intrusion.
• Examples of technical controls include:
  – Communication
  – Firewall
  – Intrusion Detection System
  – Encryption
  – System Audits
  – Object reuse
• Examples of technical controls in the ACSHC system include:
  – Vexira anti-virus software
  – Deep Freeze and Fool Proof workstation security software
  – Filters to prevent students from downloading files from the Internet

Case Study Questions

1. According to the material of Module 4 of Course 1 or the standards in document 800-30 (NIST 800-30), please identify the main work plan steps of risk assessment in this case.
2. If you conduct the threat assessment, one part of the risk assessment of the SMS information system for ACSHC, into how many sub-categories would you divide your investigation? Please briefly explain how each plays a role in this specific case.

Case Study Question 1, Reference Solution A

1. According to the course material, the main work plan steps are:
   a. Planning: It includes risk assessment scope determination and security baseline in which we should identify the current system characteristics.
   b. Preparation: This is mainly to identify the assets related to the SMS information system at ACSHC. This can be further broken down into asset identification, asset classification and asset prioritization based on their weighted importance to confidentiality, integrity and availability.
   c. Threat assessment: This is the study covering threats, threat sources, and threat impacts.
   d. Risk assessment: This includes evaluation of current risk controls, vulnerability identification, and likelihood determination; all the information generated so far will lead to the complete risk determination about the SMS information system for ACSHC.
   e. Finally, we can obtain the complete control recommendations.

Case Study Question 1, Reference Solution B

1. If we follow NIST 800-30, the main risk assessment work plan steps are:
   Step 1 – System Characterization
   Step 2 – Threat Identification
   Step 3 – Vulnerability Identification
   Step 4 – Control Analysis
   Step 5 – Likelihood Determination
   Step 6 – Impact Analysis
   Step 7 – Risk Determination
   Step 8 – Control Recommendations
   Step 9 – Results and Documentation

Case Study Question 2, Reference Solution

2. Based on the threat sources, the threats to the SMS information system of ACSHC fall mainly into three areas: human threats (internal/external), natural/physical threats, and technical threats.