Information Security-Report
Assignment 3
A report on Information Security at BCX.COM
Willis Oduor Agwingi
September, 2014

EXECUTIVE SUMMARY

This is a report on the information security situation at BCX.COM. The report analyses information security vulnerabilities and threats and determines appropriate controls that can be applied to mitigate the potential risks. In addition, it explains why continual improvement is necessary to maintain reasonably secure information systems and IT infrastructure. The report also describes the role of disaster recovery and business continuity plans in recovering information and operational systems when systems and hardware fail. Finally, the report suggests measures that BCX.COM needs to implement to ensure the security of its information.

TABLE OF CONTENTS

Executive Summary
Table of Contents
Introduction
Information security vulnerabilities and threats
Appropriate controls and mitigation strategies
Importance of Continuous Improvement on Information Security
Role of disaster recovery and business continuity plans
Conclusion
Recommendations

Introduction

In the business world, the ability of a business entity to protect its most valued information within its system is of key importance to its long-term success. A business that cannot ensure the security of the information it holds is as good as dead. Information security plays a major role in protecting the assets of an organization and cannot be overlooked by any organization that is keen on its well-being. Unfortunately, due to rapid development in the technological world, ensuring that important information is secure and in safe hands has been a major problem for both large and small business entities.

Traditionally, most corporate assets were physical and tangible assets such as factories, raw materials, land, buildings, and machinery. Today far more assets are computer-based information which can only be valued when in soft copy; this may include general information about customer demands and their contacts, proprietary formulas, sales and marketing information, and financial performance data. This kind of information can easily be altered to mislead the organization in its decisions, or be relayed to competitors if unauthorized people lay hands on it. In addition, trading in financial assets, which has become so common, requires adequate and very efficient information security measures to be put in place, since the values of the assets traded only exist as bits stored in various computers. BCX operates in an environment where technology is rapidly developing and has to continually upgrade its systems.
Like any other firm anywhere in the world today, BCX is exposed to security incidents such as defacement of websites, theft of physical hardware, server hacking and data leakage, among many other security threats that keep evolving day by day. The company must therefore devote more resources to the protection of its information assets. This report discusses the security threats to the BCX information system and the vulnerability of the organization to these threats. The report also outlines various measures that can be taken to curb and control information security problems at BCX. It is also interesting to note that the threats discussed herein affect many other firms in different parts of the globe. Therefore, the measures suggested in this report can also be applied in solving these problems irrespective of the location of the firm, even though a few modifications may be necessary to suit each specific organization, since each firm is unique in its operations.

Information security vulnerabilities and threats

The research showed that BCX is vulnerable to the following information security threats.

The first thing that BCX must address is the physical security of its computers. This involves the locking of computer rooms, and the uninterruptible power supply and power conditioners. The research has established that the firm has no mechanism for power backup and is therefore vulnerable to data loss if the power supply is interrupted before the data currently in use is saved on the computers. The security of the computer rooms is wanting. The firm uses basic key locks, which may make it easier for ill-intentioned people to break in and steal or destroy the computers used to store the information. In addition, the computer rooms are exposed to environmental hazards such as fires, smoke and earthquakes.

Server hacking and data leakage are a big threat to BCX's information system.
Since technology is ever developing and becoming even more sophisticated, the organization is vulnerable to acts of server hacking and data leakage within its system. New technological developments may enable unauthorized people to access the data within the BCX website and tamper with it. In such a case, important data could be deleted or intentionally falsified by those who may be against the success of BCX.

The organization is also exposed to malicious software, or viruses, that may attack its computers and interfere with the accuracy and integrity of the data stored. Viruses usually cause total loss of data when they attack computer systems. They spread very fast to all the computers within the system, and their spread is mostly enhanced by the sharing of data items. Given that BCX hosts a website for all its clients, there is a real threat that its computer systems may be attacked by malware very frequently. An example of such malware is the Trojan, which attacks a computer system and then grows so rapidly, permanently deleting data as it grows, until there is no data left in the system. These kinds of malware (worms, viruses, bonus software and Trojans) also hinder access to data and are basically one of the major threats to a computer system where data is shared often.

According to the research conducted on BCX, these are the main threats that the organization's information system is still vulnerable to, even after the efforts it has made towards ensuring that its information system is secure. However, this report does not disqualify other security threats and vulnerabilities that were lightly mentioned during the course of the study, or identified to be of minor importance. Instead, the researcher chose to focus on those threats that were most pronounced and which were most strongly identified as the key threats to BCX.
Appropriate controls and mitigation strategies

Ensuring effective information security in an organization incorporates security products, technologies, policies and procedures. No single collection of products can solve every information security issue faced by an organization. More than just a set of techniques and reliance on proven industry practices is needed, although both are of great use. This report compiles a number of ways that could be used to mitigate the risks discussed above. The purpose of this compilation is to provide a blueprint for the Information Technology (IT) managers at BCX on how best they can ensure their information system is secure. Luckily, these measures are not limited to BCX and can be used by other firms that are experiencing or facing the same risks as BCX in their operations.

Physical protection of a computer presents many of the same problems that arise when protecting other valuables like typewriters, jewelry, and file cabinets. Just like a typewriter, an office computer is something that many employees in their working environment need to access from time to time for various purposes. As with jewelry, computers are valuable and generally easy to steal. A backup is therefore absolutely necessary. The backup should be stored away from the main data so that if the original computer is stolen, one has an extra copy of the information required. Otherwise, if the backup is stolen or destroyed along with the original data, what the organization has lost may well be irreplaceable, and valuable time and resources would have to be spent setting up a replacement system. The organization must ensure that the information it holds is well guarded lest it be used against it, for that has always been the case.

To guard against environmental hazards such as lightning, computers and computer media should not be plugged into the wall while it is raining.
This is because a computer's power supply can be blown out if lightning strikes nearby. Electronic devices generally require the right balance of physical and environmental conditions to function well. Any change to these conditions may cause a computer to fail if not taken care of. At times the machine may keep functioning but produce erroneous results because of external environmental changes.

Since computers are easily damaged by fires, BCX should ensure that there is good fire-extinguishing equipment at its offices and around the premises. Every employee of the company should also be well trained in how to deal with fire outbreaks. This will ensure that the damage, in case of any accidental fire, is not massive. In addition, the organization should install automatic gas discharge systems and dry-pipe water-based sprinkler systems to aid its ability to curb any accidental fires that may lead to loss of data. Also, since smoke is very harmful to computer equipment, being a potent abrasive that collects on the heads of unsealed tape drives, optical disks, and magnetic disks, the organization should ensure that it installs smoke detectors in its computer rooms. Unfortunately, in this case, computers themselves generate smoke. BCX must also ban smoking in places where there are computer systems within its premises.

Almost every part of the planet experiences earthquakes, though the magnitudes and intensities differ from place to place. Care must be taken not to place computers on shelves and bookcases in the office, as this lowers the chances of the computers surviving the tremors. It is advisable to always place computers under tables. Finally, the organization must restrict access to computer rooms to only those who are authorized, and store computers inside physically strong facilities.
This will help in reducing vandalism and theft of computers and the subsequent loss of the useful information they hold.

To mitigate malware, BCX should ensure that each of its computers has antivirus software installed to avoid contamination by malware. The antivirus should be run frequently to detect and correct any malfunction of the computers, and the antivirus software must be updated regularly. The organization should then ensure periodic full scans of the machines for virus detection. Mails sent out must not contain a virus that may harm the recipient. Lastly, BCX must keep its operating systems and key application software up to date, and never forget that virus checkers only check for infestations in files. This means that vulnerabilities in operating systems and application programs can leave the computers open to attack in other ways.

As a remedy for server hacking and data leakage, this report suggests that BCX should clear the cache after the session every time a computer is used for private information on its web page. This will help in ensuring that information does not leak into the wrong hands. The organization should also consider controlling under what circumstances cookies are allowed to be stored on computers, and in cases where this cannot be controlled, consider not entering private information. In a bid to ensure that its website is not hacked into, every employee of BCX should display the website address he or she is visiting and the address being linked to, and pay attention to them while visiting an unfamiliar website, especially if one is allowing the new site to execute programs on the computer. Again, it is advisable that each member of BCX be warned against allowing websites to download and execute potentially malicious programs on computers unless the site is known to be trustworthy.
This will help in reducing the exposure of website information to potentially harmful individuals who could use such information against the organization at a later date for malicious reasons.

This also calls for ensuring that every employee is trained in e-mail usage techniques. One technique that could help protect the organization is to avoid opening any attachment from unknown parties unless one is very sure that it is a type of file that cannot contain malicious code. Next is to check with the ISP to ensure that e-mails are checked for viruses and similar threats before they are delivered. This measure could help to avoid opening executable programs from e-mails which could harm the computers.

Although some individuals are directly responsible for ensuring the organization's information security, this study finds it necessary to point out that security is everyone's responsibility. The organization may have otherwise excellent security, but if only one of its employees readily gives out or resets lost passwords, or an employee lets other unauthorized individuals open secure doors with their keycards, then every effort made by others to ensure that the organization's information is secure is useless. However robust a firewall system may be, if a single employee has hardware or software that allows bypassing the firewall, a hacker may gain access to the site and modify the data in it. Any application that BCX installs on its computers must be designed to be secure; it must be developed with security issues in mind as a priority, and must be used securely. BCX must also ensure end-user awareness of security issues, as hackers often directly target end users. Its customers should be trained on the security policies and on what is expected of them so that they do not fall victim to hackers.

Importance of Continuous Improvement on Information Security

The maintenance of information security has challenges of its own.
Every single day programmers are developing software, some of which is malicious and aimed at breaching the known ways of protecting against, for instance, hacking and data leakage. Thieves and robbers, on the other hand, are continually improving their tactics in order to breach the measures taken by firms to secure their premises. There is therefore a need for consistent and continual improvement of the security measures put in place. BCX is no exception in this case; the organization must continue to improve the security measures it has in place.

One of the areas that need improvement at BCX is the kind of locks used to secure its premises. Day after day, more advanced locks are being invented, and the organization must take the initiative to use the best and latest locking technology to minimize the risk of break-ins and vandalism on its premises and computer facilities. The organization must also maintain a dedicated group of IT experts who work together to identify new threats to its computer software and design new ways of fighting internet crime and computer malware. The team may also share knowledge with larger organizations in the same field of operation and maintain up-to-date knowledge of how to deal with information security threats in a better way. The organization should also replace its computer hardware from time to time in order to take advantage of the benefits that come with using the most efficient modern computers. If these measures are implemented continuously, then there is no doubt that BCX will be able to maintain a high level of security for its data.

Role of disaster recovery and business continuity plans

In a situation where catastrophic events occur and the organization is not able to protect its own data from destruction and loss, the business should not terminate. Instead, BCX should be able to recover the data it held before the unfortunate occurrence.
This is only possible if the organization had initially put in place data recovery plans and equipment. Disaster recovery is therefore very important in ensuring business continuity. BCX, being an organization that relies heavily on computer information, would come to a standstill in its operations if substantial information pertaining to its clients and customers were lost. In order to avoid such a scenario, the organization needs to keep a backup of the data it holds, as this would ensure that recovery is possible. A financial service critically relies on the accuracy and integrity of its data about customers and clients. An erroneous transaction, if allowed to occur, would create havoc and lower the confidence levels of the customers. This would have a massive impact on its sales, as some customers who feel their money is no longer secure would move to alternative companies. No organization would like to experience such a scenario. Disaster recovery mechanisms, if well put in place, help to ensure the integrity and accuracy of the organization's most sensitive data even when unfortunate situations like destructive fires and earthquakes occur.

In business continuity planning an institution considers every critical aspect of its business and develops strategies that it will use in case of any disruption to its information. This usually covers a wide perspective and involves restoring information technology systems and services, or data maintained in electronic form. This is because in case of disruption, the business would need more than just data recovery to be able to continue with its operations. Without a business continuity plan that considers every critical business unit, including personnel, physical work environment, and other auxiliary issues, an institution may not be able to resume serving its customers at acceptable levels after an unfortunate event that leads to disruption or loss of its data.
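The backup and recovery arrangement described above (a copy of the data kept away from the primary system, whose integrity and accuracy can be relied on after a loss) can be rehearsed with a small script. The following is an added example and is not code from the BCX report or from any BCX system: it builds a constructed client data set, archives it into a separate "off-site" directory together with a SHA-256 manifest, proves that the archive can actually be restored and matches the manifest, and then shows that an alteration of the primary copy is detected and recovered from. The directory names, file names and file contents are assumptions made for the example.

```python
"""Off-site backup with an integrity manifest and a restore test.

Added example, not code from the BCX report: the data set, directory names
and file contents below are constructed so that the script runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a path relative to root) to its digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, offsite: Path, name: str = "backup") -> tuple:
    """Archive `source` into the separate `offsite` location with a manifest."""
    offsite.mkdir(parents=True, exist_ok=True)
    archive = offsite / f"{name}.tar.gz"
    manifest_path = offsite / f"{name}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source)))
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return archive, manifest_path


def restore_backup(archive: Path, destination: Path) -> None:
    """Unpack the archive into `destination`, refusing members that would
    write outside it (the 'data' filter exists on Python 3.12+ and patched
    3.8-3.11 releases; older interpreters fall back to plain extraction)."""
    destination.mkdir(parents=True, exist_ok=True)
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(destination, **extra)


def find_mismatches(manifest_path: Path, root: Path) -> list:
    """Relative paths that are missing from root or differ from the manifest."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(root)
    return sorted(rel for rel, d in expected.items() if actual.get(rel) != d)


def verify_backup(archive: Path, manifest_path: Path) -> list:
    """Restore test: unpack into scratch space and compare with the manifest.
    An empty list means the backup is complete and can actually be restored."""
    with tempfile.TemporaryDirectory() as scratch:
        restore_backup(archive, Path(scratch))
        return find_mismatches(manifest_path, Path(scratch))


def demo() -> dict:
    """Constructed scenario: back up, verify, tamper with the primary, recover."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary" / "clients"   # assumed primary store
        offsite = Path(tmp) / "offsite"               # assumed off-site store
        primary.mkdir(parents=True)
        (primary / "accounts.csv").write_text("id,name\n1,Example Client\n")
        (primary / "ledger.txt").write_text("opening balance 100\n")

        archive, manifest = create_backup(primary, offsite)
        backup_intact = verify_backup(archive, manifest) == []

        # The threat the report describes: the live data is altered in place.
        (primary / "ledger.txt").write_text("opening balance 999999\n")
        altered = find_mismatches(manifest, primary)

        # Recover from the off-site copy into a fresh directory.
        restored = Path(tmp) / "restored"
        restore_backup(archive, restored)
        return {
            "backup_intact": backup_intact,
            "altered_files": altered,
            "restored_ledger": (restored / "ledger.txt").read_text(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The restore test is the part that matters: a backup that has never been unpacked and compared is not known to work, which is exactly the gap a disaster recovery plan is meant to close. Keeping the manifest beside the archive in the off-site location means the copy can be checked without access to the primary system, and the extraction filter keeps a tampered archive from writing outside the restore directory.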
In addition, the implementation of business continuity plans is not limited to those institutions that keep their own data. Organizations that outsource the majority of their data processing, core processing, or other information technology systems or services should also implement an appropriate business continuity plan to address the equipment and processes that remain under their control.

Conclusion

The success of BCX, and of any other organization that has to keep data relating to its clients and customers, relies heavily on the ability of the organization to maintain the integrity, validity and accuracy of its data. Such information must be guarded against both natural harm caused by environmental disasters and unfortunate occurrences, and moral hazards and misuse. Above all, every organization should ensure that whatever happens it will be able to continue its operations without much fuss. This calls for preparedness, accurate planning of disaster recovery mechanisms, and careful design of business continuity plans to ensure they meet the set objectives. BCX must therefore review its business continuity plan to ensure that all this is taken care of.

Recommendations

This report recommends that BCX review its disaster recovery and business continuity plans to ensure that they are in line with the demands of the organization and are able to achieve the desired results in case of data loss or disruption. The report also recommends that BCX review its information security techniques to align them with the current international standards required of organizations that hold such critical financial information. This will ensure that it is suitably placed to handle and protect data.