Executive summary
Risk assessment was crucial for the TSF foundation to determine the vulnerabilities and the risk remediation techniques needed to ensure that the foundation's information assets were protected against compromise by illegitimate and unauthorised persons. An assessment of the three situations revealed different threats, vulnerabilities, and risk impacts. It was established that the web-based information system, whose security is based on OpenSSL, was exposed to the adverse effects of the Heartbleed vulnerability, to hackers, to unauthorised access to the organisation's information systems, and to loss of data confidentiality, and that management commitment to system security was lacking. The recommendations for mitigating the risks include top management support, application support and updates, use of a public key infrastructure, use of encryption technologies, password creation and renewal policies, use of firewalls, and regular renewal of certificates and revocation through the certificate authorities.
Introduction
This is an extensive risk assessment report on three cases involving The Sprout Foundation (TSF), which has a financial turnover of roughly AUD230 million per annum. The organisation has offices at different locations interconnected over the Internet with web-enabled communication devices, and some offices are remotely located because of the nature of the area of operation. According to Akintoye and MacLeod (1997), each country of operation is governed by different regulations such as data privacy laws, data protection acts, and other laws and regulations governing the distribution, sharing, and use of data (Da Veiga & Eloff 2010). The non-profit organisation's transactions are conducted on a distributed web-based platform. However, it has been established that emerging threats expose the backup because of vulnerabilities in the systems (Sun, Srivastava & Mock 2006). In addition, potential security breaches arose within the payment gateway, which was designed to incorporate OpenSSL and was therefore exposed to the Heartbleed vulnerability (Stoneburner, Goguen & Feringa 2002).
A review of the standards used
The three situations were best analysed using the Payment Card Industry (PCI) standard, the Data Protection Act 2014, and the National Institute of Standards and Technology (NIST) standard (Bandyopadhyay, Mykytyn & Mykytyn 1999). On the other hand, the organisation was defined in the case study as a tier-2 not-for-profit despite having some inherent characteristics that fall into the tier-1 not-for-profit category (Spears & Barki 2010).
The Sprout Foundation Case Study and Emerging Problems
The suggested mitigation strategies include remote backups of data to ensure data availability in case of disasters such as those that affect the environment, adopting cloud-based services for remote data storage, adopting high-speed, wide-bandwidth broadband for data communication, and educating employees on their responsibilities to safeguard the information assets that are vulnerable to external and internal information security risks. The rationale for adopting these strategies was that remote data reached over high-speed communication channels could be made available and could support real-time storage. Addressing OpenSSL vulnerabilities such as the multiblock corrupted pointer flaw is a technical measure that could preserve the confidentiality and integrity of data while it is being backed up.
Data availability could be ensured by making regular backups, which would enable the institution to make the data available for auditing purposes under the Australian regulations for donor funds. The response to this incident is to opt for a cloud-based backup service provider who is well established in the industry, so that the service is easily accessible and available when needed. Hot and cold backup strategies should be considered that can be carried out onsite, because of the sensitivity of the data, by procuring the backup hardware and software so that access to the data is maintained even when the service provider is not accessible. Critical systems should be backed up in real time using hot and cold storage strategies, with time synchronisation and transmission of data to the requisite authorities for compliance with the Australian auditing standards, instead of waiting to retrieve the data for auditing at the last minute. In addition, regular system updates could successfully counter OpenSSL vulnerabilities.
Case Study: Emerging Heartbleed Problems and How Mitigation Strategies Work
The mitigation strategies for TSF's vulnerability problems include ensuring that employees do not use personal devices on the organisation's information systems, which would keep sensitive corporate data safe, and implementing remote access controls on both the server side and the client side to ensure secure data transmission, because donor funds are transferred over multiple platforms using the TSF-ONE corporate system. Further measures are regularly patching and updating the TSF-ONE system to address application flaws, educating employees on their roles and responsibilities in protecting TSF's information systems, and identifying vendors with reliable software tools such as those used to encrypt data. Assigning privileges enables non-repudiation, authenticity, confidentiality, and integrity of data, and controlled access to data by those in management positions.
To ensure that the integrity, availability, and confidentiality of data are maintained, it is worth considering data encryption technologies to mitigate the effects of the Heartbleed problem, which introduces a security vulnerability that compromises the ability to authenticate, to ensure data confidentiality and integrity, and to authorise access privileges. Encryption keeps remotely stored data safe because only those holding the decryption key can make legitimate access to the information. In addition, it is necessary to use a public key infrastructure and certificate keys so that confidential data can only be accessed by those authorised to do so. Certificates can be revoked and cancelled through the certificate authorities, and the keys can be cancelled, to ensure that sensitive data is kept safe in storage. A combination of certificate authorities, a public key infrastructure, and encryption technologies could make the data safe, while hot, real-time auditing of the data could enable the organisation to avoid a conflict with the Australian authorities.
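As an added illustration of the patching recommendation above (this script is not part of the report or of TSF's systems), the following shell check classifies an `openssl version -a` report by Heartbleed exposure, assuming the publicly documented affected range (1.0.1 to 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) and the OPENSSL_NO_HEARTBEATS build flag; the sample reports are constructed.

```shell
#!/bin/sh
# Classify an `openssl version -a` report for Heartbleed exposure (added example).
# Assumed facts: affected builds are 1.0.1 through 1.0.1f and 1.0.2-beta1, the fix
# shipped in 1.0.1g, and builds compiled with -DOPENSSL_NO_HEARTBEATS leave out
# the vulnerable heartbeat handler entirely.

# Extract the bare version token ("1.0.1e", "1.0.2-beta1") from a version line.
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p' | head -n 1
}

# Exit 0 when the version token is inside the affected range.
heartbleed_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Takes the full multi-line output of `openssl version -a` and prints one of
# NOT_OPENSSL, PATCHED, HEARTBEATS_DISABLED or AFFECTED.
assess_openssl() {
    report=$1
    ver=$(openssl_version_token "$(printf '%s\n' "$report" | head -n 1)")
    if [ -z "$ver" ]; then echo NOT_OPENSSL; return 0; fi
    if ! heartbleed_version "$ver"; then echo PATCHED; return 0; fi
    # Affected version number: safe only if the heartbeat extension was compiled out.
    if printf '%s\n' "$report" | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo HEARTBEATS_DISABLED; return 0
    fi
    echo AFFECTED
}

# Constructed sample reports (not captured from any real host).
SAMPLE_VULNERABLE='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT'
SAMPLE_NOHB='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_THREADS'

for s in "$SAMPLE_VULNERABLE" "$SAMPLE_NOHB" "$SAMPLE_FIXED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(assess_openssl "$s")"
done
# Also report the local build when an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    printf 'local -> %s\n' "$(assess_openssl "$(openssl version -a 2>/dev/null)")"
fi
```

A result of AFFECTED on any TSF web server is the trigger for the patch-and-reissue cycle described above: update the library, then renew the certificates and revoke the old ones through the certificate authority, since keys served by an affected build must be treated as exposed.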
Methodology
System characterisation
System characterisation was done to collect data to determine the condition of each component of TSF's assets that provides the operational capabilities to transact on both internal and external information systems. In accordance with Halliday, Badenhorst and Von Solms (1996), software application protocols and data users were also identified in the three cases. The TSF foundation operates in a client-server environment that consists of Windows 2000 operating systems and MS SQL 2000, with the systems functioning at multiple physical locations. The TSF system's protection was based on software and hardware firewalls, unified threat management (UTM) systems, and routers on the intranet. In addition, the web server security was based on OpenSSL, which supports different encryption technologies because it is an open-source implementation of the SSL and TLS protocols (Feng & Li 2011). Several sources of threats are discussed here.
People
Ericsson (2010) maintains that people are the weakest link in any information system security program and form the first line of threat sources because of their high susceptibility to committing intentional and unintentional errors. In general, the three levels of people who interact with the information systems are the CEO, the CFO, and the employees (Feng & Li 2011).
The operational environment
- Functionality of the IT systems
- No support technicians
- Information security policies that are system specific, issues specific, and organisation specific for the different levels of threats for the TSF foundation.
- The information security architecture of the TSF institution.
- TSF uses an intranet for internal and external communication
- Uses information systems that have built-in security products
- The operational controls.
Threat identification
A threat is defined as the potential to exploit vulnerabilities within the operable TSF information system assets. According to Bahli and Rivard (2003), different sources of threats exist that need to be identified and ameliorated using a specific risk mitigation strategy.
Sources of threats
Natural threats
The sources of threats that could affect the TSF foundation include natural sources because the foundation operates in marginalised areas that are vulnerable to natural disasters such as floods, tornadoes, earthquakes, and electrical storms.
Human threats
Human sources of threats can be either internal or external to the TSF foundation. Internal human threats consist of employees who work for the foundation. External threats include hackers, network-based attacks such as denial-of-service attacks, and attacks on OpenSSL (Appari & Johnson 2010).
Environmental threats
According to Appari and Johnson (2010), the TSF foundation was vulnerable to environmental threats which include constant power outages because of poor electricity infrastructure and the effects of pollutants from different factories and other sources that could not be mitigated.
Technical threats
Technical threats were the result of disgruntled people within the institution and of external intruders wanting to gain unauthorised access to the information systems.
Table 2: components of risks, vulnerabilities, and threats.
Table 1: Risk assessment.
Risk analysis
Risk control
Risk controls are a fundamental approach to securing an information system. Controls are necessary to ensure that practices are in place to mitigate the risks for the three situations encountered by the TSF foundation.
Table 3: Risk controls strategies.
Control analysis
Control analysis deals with the threat levels and the impact each threat could have on the assets of the TSF non-profit foundation. The IT security roles and responsibilities have not been clearly outlined, because when the threat to OpenSSL materialised, management's response was reactive. In addition, there is a lack of data classification for confidential data such as passwords and credit card details.
Impact analysis
Table 4. Magnitude of Impact Definitions for Sprout Foundation.
Risk Determination
- Web based communication in the presence of the OpenSSL enabled pages.
- Accounting for funds
- Conducting financial transactions on mobile devices
- Overhaul of the system
- Storage of data on third party servers
- Unavailability of information because of insolvency of the service provider
Risk Analysis Report
References
Akintoye, A S & MacLeod, M J 1997, 'Risk analysis and management in construction', International Journal of Project Management, vol. 1, no. 15, pp. 31-38.
Appari, A & Johnson, M E 2010, 'Information security and privacy in healthcare: current state of research', International Journal of Internet and Enterprise Management, vol. 4, no. 6, pp. 279-314.
Bahli, B & Rivard, S 2003, 'The information technology outsourcing risk: a transaction cost and agency theory-based perspective', Journal of Information Technology, vol. 3, no. 18, pp. 211-221.
Bandyopadhyay, K, Mykytyn, P P & Mykytyn, K 1999, 'A framework for integrated risk management in information technology', Management Decision, vol. 5, no. 37, pp. 437-445.
Da Veiga, A & Eloff, J H 2010, 'A framework and assessment instrument for information security culture', Computers & Security, vol. 2, no. 29, pp. 196-207.
Feng, N & Li, M 2011, 'An information systems security risk assessment model under uncertain environment', Applied Soft Computing, vol. 7, no. 11, pp. 4332-4340.
Halliday, S, Badenhorst, K & Von Solms, R 1996, 'A business approach to effective information technology risk analysis and management', Information Management & Computer Security, vol. 1, no. 4, pp. 19-31.
Spears, J L & Barki, H 2010, 'User participation in information systems security risk management', MIS Quarterly, vol. 3, no. 34, pp. 503-522.
Stoneburner, G, Goguen, A & Feringa, A 2002, 'Risk management guide for information technology systems', NIST Special Publication, vol. 30, no. 800, pp. 800-30.
Sun, L, Srivastava, R P & Mock, T J 2006, 'An information systems security risk assessment model under the Dempster-Shafer theory of belief functions', Journal of Management Information Systems, vol. 4, no. 22, pp. 109-142.