Information Security Management Practices: Risk Assessment

Subject:	Tech & Engineering
Pages:	14
Words:	3829
Reading time:	14 min
Study level:	College

Executive summary

Risk assessment was crucial for the TSF foundation to determine the vulnerabilities and risk re-mediation techniques to ensure that the foundation’s information assets were protected against being compromised by illegitimate and unauthorised persons. An assessment of the three situations revealed different threats, vulnerabilities, and various risk impacts. It was established that the web-based information system security based on OpenSSL was vulnerable to the adverse effects of Heartbleed vulnerability, and hackers, unauthorised access to the organisation’s information systems, loss of data confidentiality, lack of management commitment to system security, and hacker activities. Some of the recommendations to mitigate the risks include top management support, application support and updates, use of public key infrastructure, use of encryption technologies, password creation and renewal policies, use of firewalls, and regular renewal of certificates and revocation through the certificate authorities.

Introduction

This an extensive risk assessment report on three cases with Sprout Foundation (TSF) that has a financial turnover of roughly AUD230 million per annum. The organisation has offices at different locations interconnected on the Internet with web enabled communication devices and some offices are remotely located because of the nature of the area of operation. According to Akintoye and MacLeod (1997), each country of operation is governed by different regulations such as data privacy laws, data protection acts, and other laws and regulations governing the distribution, sharing, and use of data (Da Veiga & Eloff 2010). The non-profit organisation’s transactions are conducted on a distributed web based platform. However, it has been established that emerging threats expose the backup because of the vulnerabilities with the systems (Sun, Srivastava & Mock 2006). In addition, the potential security breaches that happened within the payment gateway that was designed to incorporate OpenSSL being exposed to the HeartBleed vulnerability (Stoneburner, Goguen & Feringa 2002).

A review of the standards used

The three situations were best analysed using the Payment Card Industry (PCI), the Data Protection act 2014, and the National Institute of Standards and Technology (NIST) standard (Bandyopadhyay, Mykytyn & Mykytyn 1999). On the other hand, the organisation was defined in the case study as a tier-2 not-for-profit despite having some inherent characteristics that fall into tier-1 not-for-profit category (Spears & Barki 2010).

The Sprout Foundation Case Study and Emerging Problems

The suggested mitigation strategies include remote backups of data to ensure data availability in case of disasters such as those that affect the environment, adopting cloud based services for remote data storage, adopting high speed wide bandwidth data communication broadband, and educating employees on their responsibilities to safeguard the information assets that are vulnerable to external and internal information security risks. The rational for adopting the strategies was to ensure that remote data using high speed communication channels could make it available and support real time storage. Using OpenSSL vulnerabilities such as Multiblock corrupted pointer is a technical approach that could enable the confidentiality and integrity of data when being backed up.

Data availability could be by making regular backups and that could enable the institution to make the data available for auditing purposes under the Australian regulations for donor funds. The response to this incident is to opt for a cloud based back up service provider who is well established in the industry to the services is easily accessible and available when needed. Consider hot and cold backups strategies that can be done onsite because of the sensitivity of the data to ensure that access to the data is maintained when the service provider is not accessible by procuring the backup hardware and software devices. Backup critical systems in real time based on hot storage and cold storage strategies through time synchronization and transmission of data to the requisite authorities for compliance with the Australian standards for auditing instead of waiting to retrieve the data for auditing at the last minute. In addition, regular system updated could counter on OpenSSL vulnerabilities successfully.

Case Study: Emerging Heartbleed Problems-Mitigation strategies work

The mitigation strategies for TFS’s vulnerability problems include ensuring that employees do not use personal devices on organization’s information systems that could ensure data sensitive corporate data is safe, implementation of remote access controls on the sever side and client side to ensure secure data transmission because of the multiple platforms on which donor funds are transferred using the TSF-ONE corporate system. Regularly patching and updating the TSF-ONE system to address application flaws, educating employees on their roles and responsibilities to protect TFS’s information systems, identifying vendors with reliable software tools such as those used to encrypt data. Assigning privileges enables non-repudiation, authenticity, confidentiality, and integrity of data and controlled access to data by those in the management positions.

To ensure the integrity, availability, and confidentiality of data is maintained, it is worth considering using data encryption technologies to mitigate the effects of the Heartbleed problem that introduces a security vulnerability to compromise the ability to authenticate, ensure data confidentiality, data integrity, and authorization of access privileges. Encryption makes the remotely stored data be safe because those with decryption key can make legitimate access to the information. In addition, it is necessary to use the public key infrastructure and certificate keys so that confidential data can only be accessed by those authorised to do so. Certificate authorities can be revoked and cancelled and the keys can be cancelled to ensure that sensitive data is ley safe in storage. A combination of certificate authorities, public key infrastructure, and encryption technologies could make the data safe while hot and real time auditing of the data could enable the organisation to avoid a conflict with the Australian authorities.

Methodology

System characterisation

System characterisation was done to collect data to determine the conditions for each component of the TSF’s assets that provide the operational capabilities to transact on both internal and external information systems. In accordance with Halliday, Badenhorst and Von Solms (1996), software application protocols and data users were also identified ion the three cases. The TSF foundation operates on a client server environment that consists of Windows 2000 and MS SQL 2000 operating systems with the systems functioning on multiple physical locations. The TSF system’s protection was based on software and hardware firewalls, universal Threat Management Systems (UTM), and routers on the intranet. In addition, the web server security was based on OpenSSL and supports different encryption technologies because it is an inclusion of open-source implementation of the TLS and SSL protocols (Feng & Li 2011). Here several sources of threats are discussed.

People

Ericsson (2010) maintains that people are the weakest link in any information system security program and form the first line of sources of threats because of the high susceptibility to commit intentional and unintentional errors. In general, the three levels of people who interact with the information systems include the CEO, CFO, and the employees (Feng & Li 2011)

The operational environment

Functionality of the IT systems
No support technicians
Information security policies that are system specific, issues specific, and organisation specific for the different levels of threats for the TSF foundation.
The information security architecture of the TSF institution.
TSF uses an intranet for internal and external communication
Uses information systems that have built-in security products
The operational controls.

Threat identification

A threat is defined as the potential to exploit vulnerabilities within the operable TSF information system assets. According to Bahli and Rivard (2003), different sources of threats exists that need to be identified and ameliorated using a specific risk mitigation strategy.

Sources of threats

Natural threats

The sources of threats that could affect the TSF foundation include natural sources because the foundation operates in marginalised areas that are vulnerable to natural disasters such as floods, tornadoes, earthquakes, and electrical storms.

Human threats

Human sources of threats can either be internal or external to the TSF foundation. Internal human threats consist of employees who work for the foundation. External threats include the hackers, network based attacks such as denial of service attacks, attacks on the OpenSSL (Appari & Johnson 2010).

Environmental threats

According to Appari and Johnson (2010), the TSF foundation was vulnerable to environmental threats which include constant power outages because of poor electricity infrastructure and the effects of pollutants from different factories and other sources that could not be mitigated.

Technical threats

Technical threats were the result of disgruntled people within the institutions and external intruders wanting to gain unauthorised access into the information systems.

Table 2: components of risks, vulnerabilities, and threats.

Risk components	Vulnerability components	Threat components
Unauthorised access to the organisation’s network by dialling into the network Access can either be logical or physical access.	Lack of accountability identification and authentication procedures that led to identity theft, lack of system specific, and issues specific policies, and unauthorised access	Internal environment including employees and managers, software vendors, products and other third part people
Use of malicious code to gain access to financial transactions of the organisation by gaining access to online financial transactions leading to financial data breaches	Using Credit card to transfer money from the donor to the TSF funds (PCIDDS), Heartbleed actions on OpenSSL	Vulnerability in the card holder’s environment, the environment includes hackers, and terrorists, OpenSSL cryptography, missing bounds check, vulnerability exposure such as CVE-2014-0160, stealing and using security keys.
The action involved transferring funds over the network without the authority of the responsible management	TSF’s data recovery planning in the hands of new company in the market	Internal Employees or third party agents having known how backup of data was done
Exploitation of system vulnerabilities to compromise the system to access sensitive information, OpenSSL, the web based attacks such as Bugfix and deployment and compromise of X.509 certificates.	Backdoors can vendors who distribute the software with the knowledge and documentation of the software flaws within the system. Use of scans/probes/attempted access	Users not authorised to access the system or use organisational assets (e.g., hackers, Terminated workers, terrorists and Computer Criminals)
Successfully attacking and compromising the Web page of the organisation, breach confidentiality	The management and those responsible for securing the information systems were not interested in enforcing security controls. Slow action by the Federal Police, CEO, CFO, vulnerability of donor information and inaction of the executive team and backup of inaccessibility that can be used for unauthorised access	Insidious information by the partners and other stakeholders working with the TSF foundation
Data loss	Australian laws, compliance to different standards and laws of each country of operation might cause the system to be slow and lead to the breach of confidentiality. For the second case, loss of backed up data could lead to financial loss of lack of accountability where the data could be stored because of insolvency. In addition, if the bankrupt organisation sells its servers to other organisations, the confidential data of other organisations might be lost. The third case is about the Heartbleed vulnerability

Table 1: Risk assessment.

Step	Description	Inputs	Outputs
1
2	Risk analysis	Risk identification	Risk identification document
3	Characterising the system	People, Processes Technology (hardware software) Data and information CEO, CFO, Exec team, and Senior management, software vendors	Functions of the system Boundaries of the system Criticality of system and information data Data sensitivity
4	Identification of threats	Documented data from on the information security of the system such as Heartbleed hardware, software, Routers, Universal threat management systems (UTM), Firewalls, Encryption technologies , Public Key Infrastructure (PKI),.	Threat statement
5	Vulnerability Identification	Documentation of previous security assessment report, audit data, vulnerability assessments	List of vulnerabilities and risk assessment reports.
6	Control Analysis	Current controls applied based on the PCI and other regulations and standards.	Statement of existing and planned controls
7	Likelihood Determination	Threat sources and motivation to act as a threat agent and the effects on existing controls.	Rating of the potential likelihood
8	Impact Analysis	Single point of failure, Hardware Issues/Equipment Failure or loss, compromise on Integrity, Availability and Confidentiality of data in storage and on transit, system administration practises.	Impact rating statement
9	Risk Determination	The effect of the threats on the information system, effectiveness of the controls used, customer practises, inadequate application support, data disclosure.	Statement of risk levels

Risk analysis

	Risk	Risk mitigation
1	Environmental risks	Physical relocation of information systems to saver places
2	Web based risks (cross site scripting, heartBleed) on the OpenSSL cryptography library	Certificate renewal and revocation.
3	information systems inherent flaws	System patches and regular updates
4	Lack of management support and IT security skills	Training on security awareness and the need for management support
5	Remote access controls of the sever side and client side	Configuration management
6	Data availability because of service provider insolvency	Contractual agreement with the service provider, on-site and off-site backups.
7	Data loss and theft from server because of remote data storage	Employing trusted party.
8	Hardware and software failures because of natural disasters.	Cloud computing as an option
9	Internal threats from disgruntled employees	Training, policies, standards for information access and data use.
10	Data disclosure because of Australian laws	Compliance with data privacy laws, and other data protection acts and standards.
11	Inadequate technical controls such as firewalls	Installation of firewalls and antimalware programs.
12	Loss of data because of remote service provider failure to offer services.	Considering cloud computing solutions
13	Stakeholder dissatisfaction	Assurance of Compliance with information security standards such as PCISS
14	Non-repudiation, authenticity and identification problems because of lack of validation and verification procedures when accessing system resources	Incorporate the sue of validation and verification checks
15	Lack of operational issues specific, system specific, and organisation IT security policies	Clarification of IT security policies and requirements for compliance
16	OpenSSL vulnerabilities such as Multiblock corrupted pointer,	Encryption of data on transit.
17	Phishing	Information security policy
18	Lack of effective password user policies (alphanumeric)	Password use policy (combination of upper case, and alphanumeric and regularly change the passwords)
19	Cross site scripting such as User accounts being stolen, credentials misused, keystroke logging, content theft, visitor browser stealing, sever bandwidth use, data theft	Create and implement data protection and application use polices, Interface and API, additional hardware installation
20	Web server running compromise	Limit use of web server, authenticate users, access control lists, and Secure Sockets Layer (SSL), and use appropriate ports.
21	Patches to correct flaws in operating system software not installed.	Regular patches and updates.
22	Remote access to server console not properly monitored	Set remote access to the right configurations.
23	Internal access to server	Contractual agreement with the remote service provider
24	System administration practises not defined
25	Poor Physical Security	Implement physical controls
26	Loss of documentation software-compromising confidentiality and integrity of data	Safe storage of documentation
27	Inadequate system logging (event and system use information lacking),
28	Lack of encryption and keys	Use encryption technologies and public key infrastructure (PKI) for key generation.
29	No clear segregation of duties	Assign roles and responsibilities to ensure mitigation strategies are dedicated to a specific role
30	Inadequate Applications Support	Benchmark of quality, use best practices to procure software from known vendors.

Risk control

Risk controls are an approach that is fundamental in securing an information system. Controls are necessary to ensure practises are in place to mitigate the risks for the three situations that were encountered by TSF foundation.

Table 3: Risk controls strategies.

Vulnerability	Threats	Existing controls	Additional actions to reduce threats
Lack of accountability, identification and authentication procedures leading to identity theft. Lacking system specific, and issues specific policies.	Internal environment such as TSF employees	None	Educate users to account for donor funds, use of public key infrastructure, and avoidance of behaviour that could encourage people to act as the source of threats.
Using Credit card to transfer money from the donor to the TSF funds(PCIDDS), Heartbleed actions on OpenSSL	The environment includes hackers, and terrorists. OpenSSL cryptography, missing bounds check, vulnerability exposure such as CVE-2014-0160, stealing and using security keys.	Use of OpenSSL, use of firewalls on the network, and Universal Threat Management system (UTM), and other application level controls	Educating people on information security awareness
Different regulatory requirements, information security standards	Dissatisfied employees, unskilled employees	None Reactive management instead of being proactive.	Train the employees and the management of different laws, standards for data protection, privacy, and how to react or respond to suspicious activities.
New programs for the improvement of the communities	Vendors, stakeholders, and partners with TSF.	Limited roles of the organisation and responsibility lies with the target organisation	Accountability, non-repudiation, and reliable reporting.
A management that is reactive to incidents such as the news of the insolvency of the remote service provider or data backup services and the new	Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)	None	Consider using the Public Key Infrastructure (PKI), use of a Secure Reverse Proxy Solution, use of a single location to manage the keys, ensuring secure storage of keys, ensuring that memory bound are used to ensure system security, use of a single location to re-mediate issues, and using secure gateways for each system user. Patch OpenSSL libraries, generate both private and public keys, issue advisories, and ensure that X.509 revocation checks are applied on all servers.
Use of personal computing and memory devices.	Employees and third parties who have access to the information systems	None	Write a policy that prohibits the use of external devices and memory sticks without the authority of the management.
Funds transfer using credit cards	computer criminals, and disgruntled employees.	Enabled financial transactions on the web, with security enforced using OpenSSL rules.	Compliance required for the card with PCISSS, create a certificate authority, generate server certificates and validate the trusts to ensure authentic communication.
A different company used for recovery of TSF data, backup inaccessibility, and reactive remediation.	Employees who belong to the non-profit organisation, vendors, and backdoors, and malicious code.	Off-site data back pups done regularly in every 30 days.	Should consider cloud services and frequent data backups on off-site sites.
Failure to apply new system and application patches	Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)	None	Appropriate to implement security controls such as patching the systems with new updates.

Control analysis

Controls analysis deals with an analysis of the threat levels and the impact each threat could have on the assets of the TSF non-profit foundation. The IT Security Roles & Responsibilities have not been clearly outlined because when the threat on the OpenSSL happened, the response was reactive from the management. In addition, there is lack of data classification on confidential data such as passwords and credit cards.

Level	Likelihood Definition
High	When the threat is high
Moderate	A moderate threat is one that can be ameliorated using current security controls.
Low	The threats source does not have the potential to cause harm.

Impact analysis

Table 4. Magnitude of Impact Definitions for Sprout Foundation.

Risk No.	Risk Summary	Risk Impact	Risk Impact Rating
1	Compromised confidentiality, integrity and availability of data	Disclosing information without being authorised to do so	High
2	Exploitation of the flaws inherent in OpenSSL	Using the HeartBleed vulnerability exploitation	High
3	Remote access by carrying out financial transaction services on the web.	Unauthorized disclosure and modification of data.	High
4	Successfully compromise the firewalls and anti-malware programs	Leading to illegitimate access and unauthorized disclosure of information.	High
5	Data loss because of server access or unavailability.	Leading to illegitimate access and unauthorized disclosure of information.	High
6	Hardware Issues/Equipment Failure or loss	Leading to illegitimate access and unauthorized disclosure of information.	Low
7	Single Point of Failure	Because of compromised website, defaced website.	Low
8	Lack of information system administration capabilities	Leading to illegitimate access and unauthorized disclosure of information.	Low
9	Overdependence on the key person	Poor system support	Lo
10	Critical documentation lost because of remote server unavailability	Confidentiality and integrity of corporate data could be compromised.	Low
11	Clear Text Transmission of Critical Data	Confidentiality of corporate data could be compromised.	Low

Risk Determination

Web based communication in the presence of the OpenSSL enabled pages.
Accounting for funds
Conducting financial transactions on mobile devices
Overhaul of the system
Storage of data on third party servers
Unavailability of information because of insolvency of the service provider

Risk Analysis Report

	Risk	Impact	Controls in place (Yes-Y, No-N)	Recommendation
1	Environmental risks	H	Y	Implement policy
2	Web based risks (cross site scripting, heartBleed) on the OpenSSL cryptography library	H	N	Certificate renewal and revocation.
3	Flaws in the information systems	M	N	System patches and regular updates
4	Lack of management support and IT security skills	H	N	Training on security awareness and the need for management support
5	Remote access controls of the sever side and client side	H	N	Configuration management
6	Data availability because of service provider insolvency	M	N	Contractual agreement with the service provider, on-site and off-site backups.
7	Data loss and theft from server because of remote data storage	L	N	Employing trusted party.
8	Hardware and software failures because of natural disasters.	L	N	Cloud computing option
9	Internal threats	H	Y	Training, policies, standards for information access and data use.
10	Data disclosure because of Australian laws	M	Y	Compliance with data privacy laws, and other data protection acts and
11	Inadequate technical controls such as firewalls	M	N	Installation of firewalls and anti-malware programs.
12	Loss of data because of remote service provider failure to offer services.	H	N	Considering cloud computing solutions
13	Stakeholder dissatisfaction	M	N	Assurance of Compliance with information security standards such as PCISS
14	Non-repudiation, authenticity and identification problems because of lack of validation and verification procedures when accessing system resources	M	Y	Incorporate the sue of validation and verification checks
15	Lack of operational issues specific, system specific, and organisation IT security policies	H	N	Clarification of IT security policies and requirements for compliance
16	OpenSSL vulnerabilities such as Multiblock corrupted pointer	H	N	Encryption of data on transit.
17	Hackers	H	N
18	Lack of effective password user policies (alphanumeric)	H	Y	Password use policy (combination of upper case, and alphanumeric and regularly change the passwords)
19	Cross site scripting such as User accounts being stolen, credentials misused, keystroke logging, content theft, visitor browser stealing, sever bandwidth use, data theft	H	N	Use API policies
20	Web server running compromise	M	N	Use standard authentication methods
21	Patches to correct flaws in operating system software not installed.	M	N	Patches and updates
22	Remote access to server console not properly monitored	M	Y	Configure system properly
23	Internal access to server	H	N	Contractual agreement with the remote service provider
24	System administration practises not defined	M	N	Teach system administration skills
25	Poor Physical Security	M	Y	Implement physical controls
26	Loss of documentation software-compromising confidentiality and integrity of data	H	N	Safe storage of documentation
27	Inadequate system logging (event and system use information lacking),	M	N	Use Log management system
28	Lack of encryption keys	M	N	Encryption keys
29	No clear segregation of duties	M	Y	Assign dedicated roles
30	Inadequate Applications Support	M	N	Update vendor software

References

Akintoye, A S & MacLeod, M J 1997 ‘Risk analysis and management in construction’, International journal of project management, vol. 1, no. 15, pp. 31-38

Appari, A & Johnson, M E 2010, ‘Information security and privacy in healthcare: current state of research’, International journal of Internet and enterprise management,’ vol. 4, no. 6, pp. 279-314.

Bahli, B & Rivard, S 2003, ‘The information technology outsourcing risk: a transaction cost and agency theory‐based perspective’, Journal of Information Technology, vol. 3, no. 18, pp. 211-221.

Bandyopadhyay, K, Mykytyn, P P & Mykytyn, K 1999,’ A framework for integrated risk management in information technology’, Management Decision, vol. 5, no. 37, pp. 437-445.

Da Veiga, A & Eloff, J H 2010, ‘A framework and assessment instrument for information security culture’, Computers & Security, vol. 2, no, 29, pp. 196-207.

Feng, N & Li, M 2011, ‘An information systems security risk assessment model under uncertain environment’, Applied Soft Computing, vol. 7, no. 11, pp. 4332-4340.

Halliday, S, Badenhorst, K. & Von Solms, R 1996, ‘A business approach to effective information technology risk analysis and management’, Information Management & Computer Security, vol. 1, no. 4, pp. 19-31.

Spears, J L & Barki, H 2010, ‘User participation in information systems security risk management’, MIS quarterly, vol. 3, no. 34, pp. 503-522

Stoneburner, G, Goguen, A. & Feringa, A 2002, ‘Risk management guide for information technology systems’, Nist special publication, vol. 30, no. 800, pp. 800-30.

Sun, L, Srivastava, R P & Mock, T J 2006, ‘An information systems security risk assessment model under the Dempster-Shafer theory of belief functions’, Journal of Management Information Systems, vol. 4, no. 22, pp. 109-142.