This report is derived from a security self-assessment based on the National Institute of Standards and Technology (NIST) Special Publication 800-26 (SP 800-26) (Swanson). The organization assessed is the technical support division of an electronics and computer manufacturer; the assessment covers the technical and physical controls that support its information technology security. We will refer to this organization as Tech Inc., a fictitious name. The support facility assessed is one of three: one is located in Canada, another in India, and the chief facility is in the state of Florida.
It employs approximately 700 personnel. The management hierarchy is as follows: a vice president, executive managers, floor managers, supervisors, and the technical employees. All three facilities are connected through the internet, and the Florida facility, being the main facility, houses the database and all the proprietary software worth protecting, as well as customer and employee data.

Organizational Reliance on IT
IT is the heart of this organization; it is part of its products and therefore very valuable. Employees answer customers' questions and solve their software problems using information from Expert Solution (ES), proprietary software that stores solutions in a database. The importance of ES is that if an employee cannot access the database, or the database is corrupted, the customer's computer must be shipped to a facility in California for repair. This costs much more than having the customer perform a simple repair on their own; further costs are the inconvenience to the customer of the repair time and the damage to the organization's reputation.
Areas of Study Included in the Assessment
The following areas were included in the assessment: Risk Management, Review of Security Controls, Life Cycle, Authorize Processing, System Security Plan, Personnel Security, Physical and Environmental Protection, Production Input/Output Controls, Contingency Plan, Hardware and System Software Maintenance, Data Integrity, Documentation, Security Awareness Training and Education, Incident Response Capability, Identification and Authentication, Logical Access Controls, and Audit Trails.
Risk Management
The organization already has policy and procedures in place for risk management. The plan is fully documented; the available documents describe the components of the risk management plan. Threats are identified as man-made and natural, with a great deal of emphasis on natural threats, since the state of Florida is regularly struck by tornadoes and hurricanes.
Internal and external vulnerabilities are listed and are required to be tested periodically, so that the list can be updated as known vulnerabilities are eliminated and previously unknown ones are discovered. Security controls are listed and reviewed periodically. This work is handled mostly internally, with little reliance on external consultants; the organization prefers to use its own security professionals, who are qualified and certified to perform these tasks. The security controls are both logical and physical; they are stringent and enforced at all times, with no exceptions to the rules.
Security controls are discussed with individuals at the time of employment and explained to new hires; every training session mentions the scenario that if the vice president forgets his card (required to enter the facility), he will not be allowed on the premises to work until he can present it. Security controls are tested continuously, and there is periodic testing of these controls; for example, an evacuation of the building is conducted every ninety days during idle time.
A full contingency plan is in place that takes effect in an emergency and covers everything from incident response to a full-scale business continuity plan.

People
As mentioned earlier, the organizational hierarchy plays an important role in information security: decisions start with the Chief Information Officer (CIO), pass to the Information Security Officer (ISO), and then go down the line to managers, network administrators, and other security employees. People are probably the weakest link in this organization's security system.
It all starts at the hiring point, where every employee undergoes a background check and substance-abuse screening. Then comes the training period: new employees must complete thirty days of training, which includes the usual job training but also security briefings on what to do and what not to do; finally, the policy is reviewed with new hires, who must sign it to acknowledge it. Policy is enforced at all times, and any employee who violates policy and procedure is fully investigated, which may or may not lead to disciplinary action or dismissal from the organization.
There is no periodic security training for employees beyond the initial training at the time of hire; some employees have been working at the same facility for a year without any refresher, which may indicate a problem that needs to be addressed. This lack of ongoing security updates for employees might be the highest vulnerability, and at the same time the greatest threat, that I could identify. There are periodic meetings, about one every ninety days, to remind employees about ethical and unethical behavior, and they are encouraged to report any illegal or unethical behavior.

Process
A security process is in place to support the policy.
A great deal of the process is designed alongside the technology, so the two complement each other. Employees must use security measures to enter the facility, to log on to a computer, and to use the company phone system. Every activity of an employee is logged and retained until it is destroyed. Every call between employees regarding business activity is secured, and all messages are encrypted. Employees are allowed to enter the facility only a few minutes before their shift starts and must leave a few minutes after their shift ends. Every employee must take at least one week of vacation, a control that helps expose activities that depend on one person being continuously present.
The organization's security philosophy is to grant the minimum clearance possible that allows employees to perform their daily tasks during the permitted times. Most tasks can be performed by several people, so no activity depends on a single person. Visitors are not allowed to wander as they please; they must be escorted in and out of the facility. There are signs on all doors that state precisely who is authorized to enter that specific room. Information about a new product is not released to employees before it is publicly announced through the media and the company website.
The public-facing website is not within the intranet but resides on a network of its own. Mobile devices such as smartphones are allowed in but are not granted any connection to the company's network; other mobile devices, such as portable computers, are not allowed in the facility at all: employees must surrender any such device at the entrance and can retrieve it on the way out.

Technology
Several technologies are used to secure the facility in general and information in particular.
Network barriers are used, such as a firewall that does not allow traffic in or out unless it is identified as permitted traffic; proxy servers are also used to make sure that all traffic is safe. The facility, as noted earlier, is connected to the other facilities and shares information with them, such as customer information and ES, to support customers. Every employee has an internal identification number (ID) and their own computer system, with a unique user name and password for each employee.
The password must be changed every thirty days and must be at least eight characters long, containing a capital letter, a lower-case letter, a number, and a special character. Every employee is issued a card that is required to enter the facility and to open any door inside it. The phone system has a login procedure: an employee must sign in to the system to make a phone call. Private phones are provided for unmonitored local calls; however, they can be used only in the cafeteria. The connection to ES is internal only, through the intranet. The facilities outside the United States also have access to this intranet.
Access to the internet is allowed but monitored closely. All internet traffic is filtered and has to go through the proxy, and only business-related sites may be visited. Security cameras are located throughout the facility and are monitored by security staff. All networks are protected and tested for open ports, vulnerabilities, threats, and abuse. Every system has antivirus software that is updated automatically. All computers receive their updates automatically or through an administrator. All applications are secured, and all messages are encrypted at every stage.
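As an added illustration (not code from this report or from Tech Inc.), the following Python snippet turns the stated password rules into a checkable policy: the composition rule (eight characters with upper case, lower case, a digit and a special character) and the thirty-day rotation limit. It reports every failed rule at once rather than the first one found. The interpretation of "special character" as ASCII punctuation, and the passwords and dates in the demo, are assumptions made here.

```python
"""Checks for the password policy described above: at least eight characters,
containing an upper-case letter, a lower-case letter, a digit and a special
character, with a forced change every thirty days.

Added illustration written for this report; not code from Tech Inc. The
passwords and dates used in the demo are constructed sample data.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8                                  # "at least eight characters"
MAX_AGE_DAYS = 30                               # "changed every thirty days"
SPECIAL_CHARS = frozenset(string.punctuation)   # assumed meaning of "special character"


@dataclass
class PolicyResult:
    ok: bool
    failures: list[str] = field(default_factory=list)


def check_complexity(password: str) -> PolicyResult:
    """Evaluate every composition rule and report all the ones that fail,
    so the user learns everything wrong with the candidate in one attempt."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    return PolicyResult(ok=not failures, failures=failures)


def days_until_expiry(last_changed: date, today: date) -> int:
    """Days left before the thirty-day rotation deadline; negative once expired."""
    return (last_changed + timedelta(days=MAX_AGE_DAYS) - today).days


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than the rotation limit."""
    return days_until_expiry(last_changed, today) < 0


def evaluate(password: str, last_changed: date, today: date) -> PolicyResult:
    """Combine the composition and age checks into a single policy verdict."""
    result = check_complexity(password)
    if password_expired(last_changed, today):
        age = (today - last_changed).days
        result.failures.append(f"password is {age} days old, limit is {MAX_AGE_DAYS}")
        result.ok = False
    return result


if __name__ == "__main__":
    today = date(2024, 3, 1)  # constructed reference date
    samples = [
        ("Summer2024!", date(2024, 2, 15)),  # compliant and fresh
        ("summer2024", date(2024, 2, 15)),   # no upper-case letter, no special character
        ("Wint3r!Fall", date(2024, 1, 10)),  # compliant composition but 51 days old
    ]
    for pw, changed in samples:
        verdict = evaluate(pw, changed, today)
        print(f"{pw!r}: {'OK' if verdict.ok else 'REJECT'} {verdict.failures}")
```

One caveat a practitioner would add: this check implements the policy as the report states it, but NIST's later authentication guidance (SP 800-63B, 2017) recommends against mandatory periodic rotation and composition rules, favoring length and screening against known compromised passwords instead. The age check is therefore the part most likely to be dropped in a modern revision of this policy.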
By far, the technology used to secure this organization's information is state of the art. It is the strongest link in the information security system, and it is updated periodically.

Conclusion and Recommendation
In conclusion, the organization depends most on technology, but it also depends on other factors such as policy and procedure. People are trained to comply with policy, but continuing security training is lacking; therefore, it is recommended that the company develop a security awareness and training program to keep employees vigilant about current threats.