Security_Assessment
2013-11-13
To: JMZ Senior Management
From: XXXXXX
Date: March 5, 2011
Re: Security Risk Assessment
Security Assessment Findings
The purpose of this memorandum is to provide our senior management with a security risk assessment of the JMZ Adventure Ecotours network and systems. Management may also use this memo as a guide to prioritize our approach to mitigating security risks. Our company data, our network, and our systems are the most valuable assets of our organization. It is the responsibility of our management team to provide adequate security for these assets.
This security assessment lists the top nine vulnerabilities that our management team should consider the most likely to happen and the most costly to our organization. The list includes damage to our company reputation/loss of business opportunities, threats from hackers, sabotage by employees, force majeure or acts of God, embezzlement, virus attacks, data loss, improper use by employees and user errors. The majority of these are primarily caused by people, who are also part of our security defenses and our first line of defense. People are the key to our defenses.
This list is by no means complete. There are other vulnerabilities that should still be addressed at some later point in time, including improperly configured servers, spam, spoofing, denial of service and brute force attacks.
Vulnerabilities
The following table represents the data found by the security assessment. The charts below show the probability of occurrence of each exposure, the average loss per occurrence, and the expected potential loss of each exposure (probability multiplied by average loss). The chart also graphically identifies the expected potential losses by exposure.
| # | Exposure | Probability of Occurrence | Average Loss per Occurrence | Expected Potential Loss |
|---|----------|---------------------------|-----------------------------|-------------------------|
| 1 | Damaged company reputation / loss of business opportunities | 75% | $200,000.00 | $150,000.00 |
| 2 | Threats from Hackers | 80% | $75,000.00 | $60,000.00 |
| 3 | Sabotage | 35% | $100,000.00 | $35,000.00 |
| 4 | Force Majeure or Acts of God | 15% | $200,000.00 | $30,000.00 |
| 5 | Embezzlement | 10% | $150,000.00 | $15,000.00 |
| 6 | Virus Attacks | 40% | $35,000.00 | $14,000.00 |
| 7 | Data Loss | 20% | $65,000.00 | $13,000.00 |
| 8 | Improper Use by Employees | 45% | $15,000.00 | $6,750.00 |
| 9 | User Errors | 75% | $5,500.00 | $4,125.00 |
|   | Average of the nine exposures | 44% | | $36,431 |
This chart lists the nine threats and the probability of occurrence as a percentage. The threat from hackers has the highest probability of occurring. There is an arsenal of tools that hackers are using today, including clickjacking, fake surveys, rogue applications and spear phishing. With the recent addition of expanded web sites featuring links to partnering web sites for many of the locations in Costa Rica, our site has an increased chance of being hacked. Although this is listed with the highest probability of occurring, the most important threat here is damage to our company image and the potential loss of business because of that damage. The threats with the greatest probability of occurrence are emphasized using the red arrows.
The second chart lists the nine threats and the amount of monetary damage the company could expect to see if one of these threats were actually to happen. It is important to point out that damage to the company’s reputation may be caused by several of the other threats, and by some that did not make the list. The next section of this memo outlines what our company can do to reduce the possibility of each threat occurring. Keep in mind that some risks and threats cannot be fully mitigated; it is our responsibility to reduce each risk or threat to a level that our senior management team will accept. Implementing additional protective measures may be necessary to achieve this goal. The threats with the greatest potential monetary loss are highlighted using the red arrows.
The three greatest vulnerabilities and risk exposures are listed first because of their importance, their probability of occurring and the cost of recovering from them. The table provided shows the statistical and financial losses. The three most important threats are highlighted in yellow to bring attention to their importance. Below, each of the nine threats is presented with recommendations on how the company can reduce it.
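The ranking above follows from one rule: expected potential loss is the probability of occurrence multiplied by the average loss per occurrence, and exposures are prioritized by that product. The script below is an added illustration (not part of the memo) that recomputes the table from its nine rows, ranks the exposures, and checks the summary row; the 44% figure is the mean probability, and the $36,431 figure is the mean of the Expected Potential Loss column (the mean of the Average Loss per Occurrence column is $93,944). The `control_benefit` helper is a hypothetical addition showing how the same arithmetic bounds what a mitigating control is worth.

```python
"""Recompute the JMZ exposure table: expected loss = probability x average loss.

Added illustration; the nine rows are the figures from the memo's table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    probability_pct: int   # probability of occurrence, in percent (table column 2)
    average_loss: float    # average loss per occurrence, USD (table column 3)

    @property
    def expected_loss(self) -> float:
        """Expected potential loss (table column 4): probability x average loss."""
        return self.probability_pct * self.average_loss / 100


# The nine exposures exactly as listed in the memo's table.
JMZ_EXPOSURES = [
    Exposure("Damaged company reputation / loss of business opportunities", 75, 200_000),
    Exposure("Threats from Hackers", 80, 75_000),
    Exposure("Sabotage", 35, 100_000),
    Exposure("Force Majeure or Acts of God", 15, 200_000),
    Exposure("Embezzlement", 10, 150_000),
    Exposure("Virus Attacks", 40, 35_000),
    Exposure("Data Loss", 20, 65_000),
    Exposure("Improper Use by Employees", 45, 15_000),
    Exposure("User Errors", 75, 5_500),
]


def rank_by_expected_loss(exposures):
    """Highest expected loss first: this is the memo's prioritization order."""
    return sorted(exposures, key=lambda e: e.expected_loss, reverse=True)


def top_names(exposures, n=3):
    """Names of the n exposures with the greatest expected loss."""
    return [e.name for e in rank_by_expected_loss(exposures)[:n]]


def summary(exposures):
    """Column averages and total, so the table's summary row can be checked."""
    count = len(exposures)
    return {
        "avg_probability_pct": sum(e.probability_pct for e in exposures) / count,
        "avg_loss_per_occurrence": sum(e.average_loss for e in exposures) / count,
        "avg_expected_loss": sum(e.expected_loss for e in exposures) / count,
        "total_expected_loss": sum(e.expected_loss for e in exposures),
    }


def control_benefit(exposure, new_probability_pct=None, new_average_loss=None):
    """Reduction in expected loss if a control lowers probability and/or impact.

    Hypothetical helper (not in the memo): the reduction is the most a control
    for this exposure is worth spending per period before it costs more than it saves.
    """
    p = exposure.probability_pct if new_probability_pct is None else new_probability_pct
    loss = exposure.average_loss if new_average_loss is None else new_average_loss
    return exposure.expected_loss - p * loss / 100


if __name__ == "__main__":
    for rank, e in enumerate(rank_by_expected_loss(JMZ_EXPOSURES), start=1):
        print(f"{rank}. {e.name:<62} {e.probability_pct:>3}%  "
              f"${e.average_loss:>10,.2f}  ${e.expected_loss:>10,.2f}")
    print(summary(JMZ_EXPOSURES))
    # Example: a control that cuts the hacker probability from 80% to 20%
    print("Hacker control worth up to:", control_benefit(JMZ_EXPOSURES[1], new_probability_pct=20))
```

Running it reproduces the memo's order (reputation, hackers, sabotage at the top) and shows why a high-probability but low-impact item such as user errors lands last despite matching the top item's probability.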
Damage to the Company’s Reputation
The first of the three is damage to the company’s reputation and the loss of business opportunities resulting from that damage. It can be caused by several other threats, including virus attacks, data loss, and sabotage by employees. This is the greatest risk to the company because of the amount of business JMZ conducts through the Internet. JMZ’s web sites are the primary source of income; if customers don’t trust JMZ’s ability to protect their information or to protect them from harm, the company will lose its customer base and, ultimately, the company itself. The three highest threats are emphasized in both charts using the red arrows. The company should implement several policies to protect itself from employee wrongdoing. The company needs to implement a solid security plan and a disaster recovery plan that outlines what to do when the company is faced with corporate image damage. A business continuity plan that identifies the organization’s exposure to internal and external threats, and provides prevention and recovery if one of these threats is successfully launched against the company, is imperative. Acceptable usage policies for company resources such as email, the Internet and equipment should be put in place immediately. Monitoring tools, security logs and auditing should become standard practice at JMZ to reduce the risk. JMZ should implement a social media policy to protect the company image from damage on sites such as Facebook, MySpace or any other social networking site.
Threats from Hackers
The second greatest threat to JMZ is the threat from hackers. JMZ has recently added links to partnering Web sites for many of the locations in Costa Rica. The company needs to change its technology defenses to protect itself against hackers. JMZ needs to review the web sites for any scripts running and keep them up to date. The information technology team should invest in Secure Sockets Layer (SSL), the standard security technology for establishing encrypted links between the web servers and the customers’ browsers. It will protect JMZ against spoofing, session hijacking, identity theft and eavesdropping. The web designers need to take precautions and beef up security on the web servers. Furthermore, they can also check the permissions of uploaded files, remove unnecessary files, keep libraries and scripts up to date, and protect the source code from theft. Be sure to implement a good password policy that will help reduce the number of passwords being cracked. Hackers also like to take advantage of bugs and loopholes, so be sure to keep all software updated, including the operating system.
Sabotage by Employees
The third greatest threat to the company is sabotage by employees. Because the employees, including the IT staff, have access to critical data and company information, JMZ runs the risk of this data being compromised by the staff or by a rogue employee. These saboteurs could literally clean JMZ out. The company must take certain precautions against this type of threat. The statistics on computer system break-ins by disgruntled employees are quite high; law enforcement officials estimate this number to be as high as sixty percent. JMZ can reduce this threat by having a reliable backup plan in place. The company should also consider putting a disaster recovery plan and a business continuity plan into place as soon as possible. The company should also invest in software and hardware monitoring tools to protect against saboteurs.
Force Majeure or Acts of God
JMZ can never eliminate this threat. However, the company can reduce the impact that this threat is likely to cause. The company can reduce downtime, lost revenue and the loss of employees to the disaster by having a disaster recovery plan and a business continuity plan. As mentioned before, the company should have a data backup plan that keeps data backed up in two separate locations, in case the disaster affects the area where the headquarters is located. The company may consider investing in failover systems to protect against power outages, surges and brownouts. The servers should have redundancy built into them to protect against hard drive failures. Depending on the budget, JMZ may also consider a hot site or warm site to keep the business running in the case of a fire.
Embezzlement
JMZ can control and minimize the amount of theft and embezzlement. The company could lose tens of thousands of dollars to employees stealing funds. Embezzlers could take advantage of any weak spot in our system, and the result could be the closure of our business. We need to be diligent and establish internal controls to guard against theft. There need to be clear guidelines for our employees that no one person will have control of any one accounting process. Any employee handling transactions should be told that more than one person will handle each transaction, so that no single employee is responsible for all aspects of a transaction. JMZ may want to consider enhancing our pre-employment screening by checking candidates’ references and criminal history before hiring them. We may also consider doing a credit check as well. Each year billions of dollars are lost to worker theft, fraud and embezzlement. Our internal processes should be changed so that backups are done daily, but not by the same person. Furthermore, we should keep unused checks locked up and verify that all check numbers are accounted for. A process should be established and followed by all employees writing checks. Finally, we may consider having an independent accountant who is not part of JMZ Adventure Ecotours audit our company’s monthly balance sheets.
Virus Attacks
Virus attacks could bring the business to a complete stop. The company can lose thousands of dollars for each day the system is down due to a virus outbreak. Data could be lost, and the company could face downtime or loss of business because its web sites are down due to a virus attack. JMZ can reduce the risk of a virus attack by having up-to-date anti-virus software. The software should check periodically for new virus definitions and keep itself updated against the latest malware. The company should also consider anti-virus software for e-mail. This is a great countermeasure against viruses: the software prevents viruses from ever getting onto a server by scanning the e-mail before it reaches the server. JMZ should establish a security policy for all users to comply with, including a provision against downloading software from the Internet and a requirement to scan all files before they are put onto any host, to help avoid virus attacks.
Data Loss
Data loss could have a big impact on JMZ. The data stored on JMZ systems must be protected against theft, loss and unauthorized access. The best way for JMZ to protect the company from data loss is to back up the data properly, as outlined in the disaster recovery plan. The company should also limit the permissions of every employee so that employees cannot delete data outside of their own work environment. Having a good password policy will also help ensure that only those authorized to view the data are able to view it. User identities and data access rights can be managed using Active Directory. JMZ should also devise a data classification plan that identifies which data is sensitive and which is not. Customer data such as credit card information, addresses and phone numbers is considered sensitive. Sensitive data should be encrypted to protect it against theft, or against a hacker who may have stolen the data in an attempt to reuse it or sell it to a third party. JMZ may also consider implementing a software solution such as RSA’s Data Loss Prevention. This solution automates the process of locating sensitive data and applying the appropriate protections to that data. This automation provides greater efficiency and frees up personnel resources. It also provides a greater level of protection for sensitive data.
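The classification step the memo describes, locating sensitive customer data and applying a protection to it, is what a data loss prevention scanner automates. The script below is an added illustration of that step, written for this page; it is not RSA’s product, not JMZ code, and the booking records it scans are constructed samples. It finds card-number-like digit runs, uses the Luhn check digit to discard confirmation numbers that merely look like card numbers, flags phone numbers, classifies each record as sensitive or not, and masks validated card numbers down to their last four digits.

```python
"""Locate and mask sensitive customer data the way a DLP scanner does.

Added illustration of the data-classification step; constructed sample records,
not JMZ data and not RSA's product.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simple North-American-style phone pattern, enough for the sample data.
PHONE = re.compile(r"(?<!\d)\d{3}-\d{3}-\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators a customer may have typed between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, normalised to bare digits."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Mask every validated card number, keeping only the last four digits."""
    def mask(m):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()        # not a card number: leave the text alone
    return CARD_CANDIDATE.sub(mask, text)


def classify(record: dict) -> str:
    """'sensitive' if any field holds a card or phone number, else 'not sensitive'."""
    for value in record.values():
        text = str(value)
        if find_card_numbers(text) or PHONE.search(text):
            return "sensitive"
    return "not sensitive"


def scan_records(records) -> dict:
    """Map each record id to its classification."""
    return {r["id"]: classify(r) for r in records}


# Constructed sample booking notes (not real customer data).
SAMPLE_RECORDS = [
    {"id": 1, "note": "Booking for zipline tour, paid with card 4111 1111 1111 1111"},
    {"id": 2, "note": "Confirmation number 1234567890123456 for rafting trip"},
    {"id": 3, "note": "Call customer at 555-867-5309 about pickup time"},
    {"id": 4, "note": "Two adults, one child, vegetarian meals"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record["id"], classify(record), "|", redact(record["note"]))
```

Record 2 is the instructive case: a 16-digit confirmation number passes the length test but fails the Luhn check, so it is neither flagged nor masked, which is the kind of false positive a classification plan has to avoid if employees are to trust the tool.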
Improper Use by Employees
Improper use by employees can cause data loss, damage to the company’s reputation, downtime and a loss of production time. As mentioned before, JMZ should put an Acceptable Usage Policy in place to protect the company from improper use. The company should also consider a training program that helps employees understand how their actions affect the company and the consequences of misuse. Having monitoring software in place, and educating employees about the software and its capabilities, may also help deter inappropriate use of company resources.
User Errors
User errors can cause minor problems, and they can cause major ones. User errors require a great deal of technical assistance that costs JMZ a considerable amount of money. Once again, employees need training to help them understand how their negligence or unintentional errors can cause major problems. People are the first line of defense against errors, and helping them understand how to avoid common mistakes will reduce user errors. Employees should be trained to contact support staff when they see a problem. Employees should also give the system they are working on their full attention, because in many cases the problem is caused by the user being distracted. The company may consider using screen tips that help the user understand what is wrong; this will help the user fix the problem and prevent it in the future. JMZ can implement ghosting technology that will reset the system in the event of a user error that renders the machine useless. The company may also consider using thin clients that are diskless and have no USB ports and no CD/DVD bay. This will help reduce the number of user errors.
Final Recommendations
The goal of this memo was to identify emerging threats to JMZ’s web sites, network and systems and to analyze their financial impact on the company. These recommendations affect the overall information security management program, which is inadequate and needs to change in response to newer intrusions, vulnerabilities and threats. The company cannot afford to wait until one of these threats occurs; it needs to be proactive and plan ahead. JMZ must adopt a plan and take appropriate preparedness measures to mitigate these threats and risks. Furthermore, JMZ must set up procedures to continually review the implementation of the adopted measures and introduce further security measures to keep reducing the likelihood of a threat occurring. JMZ needs to improve the overall security of the company. I have included a list of items that senior management may want to look at first to have the greatest impact on the nine threats listed above. I also recommend that we follow up this memo with a meeting to discuss the decisions made by the senior management team.
1. Business Continuity Plan
2. Disaster Recovery Plan
3. Information Security policy
4. Risk Management Plan
5. Employee Training Program
6. Full Disk Encryption
7. Data Encryption
8. Backup and Recovery Program
9. Resource Usage Policy

