INTRODUCTION
Now, more than ever, IT security is a critical element
in the system and business life cycles. Recent advances in information
technology and the proliferation of computing systems and networks
worldwide have raised the level of concern about security. However, before
costly security bets are placed, your company needs to be clear about the
level of risk it wants to accept. Security must be incorporated
and addressed from the initial planning and design phases. With this in
mind, the objective of this paper is to provide a solid security plan for
your company.
For example, XYZ Company has its headquarters in Kansas
City, and three other remote sites in New Orleans, Denver, and San
Francisco. All mainframe and open systems computer equipment is in Kansas
City. The Mainframe contains all business related financial and Payroll
systems. The open systems maintain all data warehouse information. There
are two local area networks. The primary network contains 3 Novell
servers. One server contains the domain and GroupWise suites. The second
server contains a file server with databases for office entry information.
The third server is a fax and print server that is used to send and
receive orders from customers. This LAN also contains 30
workstations. The second LAN contains two Oracle database servers, one
print server and 20 workstations that use Microsoft Windows. All files are
backed up nightly to the mainframe.
The wide area network (WAN) attaches to three remote
servers by way of frame relay. In addition, each site contains a Cisco
router, with a PIX firewall. Remote access to each Cisco router is
available with dial VPNs. Each site also has a remote printer, fax, and
file server.
It has been three years since an audit has been done.
The organization is looking for a robust security plan, a training plan,
and procedures to get the organization secured. They would also like to
add a web server and outside Internet access.
First, we will cover the business aspects that are important for
implementing the security plan, such as the mission, org. charts, divisional
accountability, and the guidelines for the security policy. Second, we
will discuss training and procedures policies. Third, we will address
contingency plans, backups, security operation, physical security, and
audits. Fourth, we will cover risk assessment, cost-benefit
considerations, and management control. Finally, we will collect the
conclusions and recommendations about XYZ Company's security plan.
Once completed, the security plan will contain technical information about
the system, its security requirements, and the controls implemented to
provide protection against its risks and vulnerabilities. In order to have
some basic foundation to start our analysis we make the following
assumptions:
Assumptions
- XYZ Company is mainly focused on Midwest markets.
- Their product range is well positioned in a stable market.
- It has a traditional functional structure.
- One group has the overall corporate responsibility for the security plan.
- The company has a reciprocal agreement with another company in St.
Louis MO as a HOT site.
- The company has another office building in KC.
IT Assumptions
- No security policy exists
- No IPX for Novell to mainframe connection
- No dial-up modem. The company is expected to have a VPN in place
- All LANs are located in one site (one building)
- Firewall on VPN
- 3745 Communications network between Novell and LAN
- One LAN Administrator, and One Security Administrator in KC location.
- One security tech in each remote site
- Each workstation has an updated anti-virus application installed on it.
- All workstations are in a Windows environment with an Exchange e-mail server
- Files are backed up to mainframe and to tape drive
- Oracle is backed up to a tape and stored at a different location
- All Cisco routers are backed up.
Other considerations:
- KC Systems:
  - Mainframe - Contains all business related financial and payroll
    systems.
  - Primary LAN (1) with three Novell servers and 30 workstations
    - Novell (1) - Domain and GroupWise suites.
    - Novell (2) - File server with databases for office entry
      information.
    - Novell (3) - Fax & Print server used to send & receive
      orders from customers.
  - LAN (2) with two Oracle Database servers, one print server and 20
    Windows workstations.
- New Orleans, Denver & San Francisco systems (on each site):
  - Cisco routers with PIX firewall.
  - VPN access to each Cisco router.
  - Remote printers, faxes and file server.
Two types of contingency plans are suggested:
- A plan for KC.
- A plan for each of the remote locations.
METHODOLOGY
Since the development of this topic in academic texts
is behind the current situation, we concentrated the research on material
that was mainly published on the World Wide Web (Security Associations)
and in technical magazines. A PowerPoint presentation was developed and
presented to the class on March 7, 2001. This presentation is attached as
a supplement to this paper, which contains pieces of information from
different articles and sources that are indicated in the reference
section.
XYZ Company
IT SECURITY PLAN
Security concerns are motivated by an increasing use of
information technology (IT) products and systems throughout XYZ Company.
Now, employees, suppliers, and even customers have access to a growing
number of network and telecommunications elements with different
capabilities and limitations. XYZ Company should make important decisions
about which systems provide an appropriate degree of protection
considering risk-cost analysis. For instance, the unique beverage
formulas used in production are fundamental to surviving in the marketplace,
and therefore should be protected at "any" cost.
The purposes of the MID-system security plan are:
- Provide an overview of the security requirements of the system and
describe the controls in place or planned for meeting those
requirements
- Delineate responsibilities and expected behavior of all individuals
who access the system.
XYZ Company's strategic vision is based on the following
mission statement.
ORGANIZATION MISSION
To be the preeminent beverage company in the Midwest,
distinguishing ourselves by providing the best quality products to our
customers, in order to generate superior returns for our investors and
excellent career opportunities for our co-workers, and to achieve
reasonable profits for our company while being fair to all.
This mission statement was developed as part of the
strategic planning process. Ensuring consistency and congruence between
the company's ongoing mission, and its annual goals and strategies, the
company developed a mission statement for the computer security division
(Management Information Systems).
MISSION FOR THE COMPUTER SECURITY DIVISION GROUP
To be a professionally managed division that enhances
the company's mission by managing computer threats and technological risks
to an acceptable cost-benefit level.
STRUCTURE- Organization Chart
Management in XYZ Company has to come to realize that
organizations must be dynamic in nature; that is, capable of
rapid restructuring according to changing environmental conditions.
However, XYZ Company believes its traditional approach is still able to
face challenges in this mature industry. It has a traditional functional
structure. In a functional structure, the company groups employees
according to major categories of work activity. This kind of organization
works pretty well since XYZ Company has a well-developed range of products
in a stable market. Figure 1 illustrates the functional structure groups
(see reference). The Management Information System Group (led by the
MIS Director) is part of the controller group, and has overall corporate
responsibilities through the whole organization. See figures 2 and 3 (see
references).
ACCOUNTABILITY
The Computer Security group has accountability over:
- Raising awareness of information technological risks,
vulnerabilities and protection requirements, particularly for new and
emerging technologies
- Advising other business units (e.g. production) of
information technological vulnerabilities and devising techniques for the
cost-effective security of the company's systems.
- Developing standards, metrics, tests and validation
programs through the organization's systems.
- Providing a computer security awareness, training, and
education policy, making computer system users aware of their security
responsibilities and teaching them correct practices, to ensure proper
accountability.
- Complying with minimum-security government requirements
and those established by Federal systems (e.g. U.S. Army)
- Developing guidance to increase security in
information technological planning, implementation, management and
operation.
In addition, the MIS group has the duty to keep and
update the following documentation.
- Authorize processing documents and statements
- Backup procedures
- Risk assessment
- User Manuals
- User rules of behavior
- Disaster recovery and Contingency plans
- Emergency procedures
- Standard operating procedures
- Testing procedures and results
- General support system security plan
- Vendors-supplied documentation
TRAINING
As security awareness becomes a way of life within an
organization, people at all levels and roles in XYZ Company should have
access to easily understood guidance. The MIS should promote, among
everyone from users to system administrators and program managers, a basic
understanding of the security principles governing the system they are
using, maintaining, or designing and developing. It should provide a plan
for mandatory periodic training in computer security awareness and accepted
computer security practices for all employees at least once a year. In
addition, it should coordinate the distribution and publication of posters,
manuals, booklets, and trinkets through the organization. For employees or
contractors who are involved with the management, use, or operation of
computer systems, it should have an educational program in place. These
employees should therefore be versed in acceptable rules of behavior before
being allowed access to the systems. The training should be provided by
vendors, or coordinated with certification institutions for the different
systems (Windows NT, Novell, Oracle, etc.).
PHYSICAL AND ENVIRONMENTAL SECURITY
The purpose of this policy is to delineate physical and environmental
security requirements to be implemented to protect the facilities housing
information assets, the information assets themselves, and the facilities
used to support the operation of automated information systems.
All information assets, computers, peripherals, terminals, controllers,
other related equipment, and sensitive information (whether in electronic
or non-electronic form) must have appropriate physical access controls in
place to protect them from unauthorized physical access and to safeguard
against reasonable environmental hazards.
Security responsibilities are divided between several management
groups. The following lists the responsibilities of each management
group.
MIS Director responsibilities are
- To ensure that subordinate personnel adhere to physical and
environmental security requirements, government regulations and
Mid-continent Beverage regulations and that they report significant
violations affecting sensitive information to Security Department;
- To develop physical and environmental security procedures for the
protection of computing components under their control;
- To continually assess the level of physical and environmental
protection afforded information assets under their control;
- To investigate violations of Mid-continent Beverage Protection of
Proprietary Information Policies and Standards affecting non-sensitive
information.
Security Department’s responsibilities are
- To develop and maintain Mid-continent Beverage Information Physical
and Environmental Security Policy and Standards;
- To provide assistance to facility owners and managers in the
development of physical and environmental security procedures;
- To coordinate with the Mid-continent Beverage Physical Security
Manager on policies related to physical access controls;
- To perform random audits to ensure that physical security controls
are being implemented and configured properly and, thus, to minimize
risks to sensitive information;
- To provide information to external user organizations and
contractors on corporate physical security expectations for systems
connected to Mid-continent Beverage systems or for information assets
used to process Mid-continent Beverage data, but which are not under
the direct operational control of Mid-continent Beverage.
Facility Owners’ responsibilities are
- To ensure that subordinate personnel adhere to Mid-continent Beverage
Information Physical and Environmental Security Policy and Standards;
report significant Policy and Standards violations to Security
Department;
- To develop physical and environmental security procedures for the
protection of computing facilities under their control;
- To continually assess the level of physical and environmental
protection afforded information assets under their control;
- To coordinate with the facility’s physical security manager on issues
related to physical access controls, and with the facility
manager on issues related to environmental controls.
Facility Manager’s responsibilities are
- To provide and maintain physical access controls and environmental
protection controls;
- To provide and maintain environmental protection controls in
coordination with the facility owner.
Mid-continent Beverage Physical Security Manager’s responsibility is
to address, in coordination with Security Department, those issues
relating to physical access controls, policies, and standards.
CONTINGENCY PLAN
Contingency Plan - KC
- Business Critical
The business-critical function for XYZ Company is to supply our customers
with a great beverage product and to ship it on time and according to the
customer’s order. We should be able to receive orders from our customers
24/7, 365 days a year. We cannot tolerate customers complaining that they
are unable to submit orders, or complaints regarding shipment delays.
Supporting resources of Critical Functions
- Processing Capability of Customers’ orders - The following
systems are critical to supporting this function:
- Primary LAN (1).
- Novell (3) - Fax & Print server used to send & receive
orders from customers.
- Mainframe - Contains all business related financial and payroll
systems.
- Novell (2) - File server with Databases for office entry
information.
- 5 Workstations connected to Primary LAN (1).
- Alternate fax line for customers to send orders.
- Human Resources - The following personnel are needed to
support the critical system in case of contingency:
- A Contingency Plan manager - Will coordinate and implement this plan
when a contingency is declared.
- A team of five data entry clerks - 3 clerks are enough to handle
customers’ orders and key them into the system. The other 2 on the
team are for backup.
- A LAN administrator - To handle any network issues.
- A System operator - To handle system issues including restore from
Backups.
- Telecommunication technician - Will handle the alternate fax line
and fax machines on the network.
- An application programmer - To handle issues regarding the customer
orders application. This programmer must be up to date with the current
version of the software.
- A human resource (HR) representative - There might be work related
issues that the employees will raise due to the fact that they are working
in "irregular" terms. In addition, it can be very beneficial
to have someone bring coffee, cookies and the like to ease the pressure
that may be put on the employees.
- Automated Applications and Data - The following software
versions must be available during the contingency. All versions must
be the current Production Version.
- Data Entry software.
- Data Entry Database.
- Network software.
- Operating System.
- Fax & Printer software.
- Physical Infrastructure – The alternative site at St Louis,
MO should include:
- Office space to accommodate at least 10 employees with minimal
required working environment such as: Desks, Chairs, File cabinets and
Workstation terminals.
- Utilities such as: Electricity, Air conditioning, Heat, Water, and
Bathrooms.
- Mainframe machine.
- Novell server.
- 5 Workstations connected to a LAN.
- A fax machine for the alternate fax line.
- In addition to the alternate Fax line, other communication means
such as alternate phone lines or cell phones should be available. Each
group in section 2.2 should be given a means to call the outside
world.
NOTE: Currently the number of communication means that are
needed based on section 2.2 is 7 (seven).
- Documentation and Papers - The following documents should be
available at the alternate site in St Louis, MO:
- LAN software manual for troubleshooting.
- Operating System manual(s).
- C++ Programming manual for supporting the DataEntry application.
- User manual for the DataEntry software for the data entry clerks
to use.
- Blank customer order forms.
- Official Business/Office memo pads.
VERY IMPORTANT - A copy of the most updated Contingency
Plan must be kept at the St Louis, MO alternate site.
- Implementation
- Backups – All critical systems and critical data must be
backed up to tapes. The following data should be backed up:
- (a) Financial business related data on the Mainframe.
- (b) DataEntry Database on Novell server (2).
- (c) DataEntry software.
- (d) LAN software version.
- (e) Operating System version.
- (f) Fax & Printer software.
All backup tapes should be kept in a fireproof safe at the other
office location in KC. The backup tapes should be taken to this location
the morning after the backup by 10:00 AM of that morning.
The method for backing up (a) and (b) should be a daily incremental
backup and a monthly full backup. There should be 32 backup tapes:
31 tapes marked from "1" to "31" and a tape
marked as "Monthly".
- The daily backups should be done every day at 6:00 PM using the tape
marked with the current date. This is to ensure that the backup is
part of a daily routine activity.
- The monthly backup should be done on the last business day of every
month using the tape marked as "Monthly".
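The tape rotation described above, worked through in code. This is an added example, not part of the original plan; the function names are hypothetical. It assumes that each daily incremental holds only the changes since the previous backup and that public holidays are ignored when finding the last business day.

```python
import calendar
from datetime import date, timedelta


def last_business_day(year, month):
    """Last Monday-Friday of the month (assumption: holidays are ignored)."""
    day = date(year, month, calendar.monthrange(year, month)[1])
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day -= timedelta(days=1)
    return day


def tapes_for(day):
    """Tape labels to load for the 6:00 PM run on the given date."""
    labels = [str(day.day)]  # daily incremental goes on the tape marked with the date
    if day == last_business_day(day.year, day.month):
        labels.append("Monthly")  # monthly full on the last business day
    return labels


def last_full_on_or_before(day):
    """Date of the most recent monthly full backup taken on or before `day`."""
    full = last_business_day(day.year, day.month)
    if full > day:  # this month's full has not run yet, so fall back one month
        previous = day.replace(day=1) - timedelta(days=1)
        full = last_business_day(previous.year, previous.month)
    return full


def restore_chain(last_backup_day):
    """Tapes needed, in restore order, to rebuild data as of `last_backup_day`."""
    day = last_full_on_or_before(last_backup_day) + timedelta(days=1)
    chain = ["Monthly"]
    while day <= last_backup_day:
        chain.append(str(day.day))
        day += timedelta(days=1)
    return chain


def reused_labels(chain):
    """Daily labels that occur twice in one chain: the later run overwrote
    an incremental that the restore still needs."""
    seen, reused = set(), []
    for label in chain[1:]:
        if label in seen and label not in reused:
            reused.append(label)
        seen.add(label)
    return reused


if __name__ == "__main__":
    print(tapes_for(date(2001, 3, 30)))
    print(restore_chain(date(2001, 3, 7)))
    print(reused_labels(restore_chain(date(2021, 3, 30))))
```

Under these assumptions a restore as of 7 March 2001 needs the Monthly tape plus daily tapes 1 to 7, that is, every daily tape since the last full backup. In a month such as March 2021, where more than 31 days separate two full backups, tapes 27 and 28 are reused before the next full backup runs.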
- Contingency Team Roster – Updated 1-March-2001

| Position | Name | Tel – Work | Tel – Home | Home Address |
|---|---|---|---|---|
| Contingency Plan Manager | | | | |
| LAN Administrator | | | | |
| System Operator | | | | |
| Telecommunication Technician | | | | |
| Application Programmer | | | | |
| Data Entry Clerk 1 | | | | |
| Data Entry Clerk 2 | | | | |
| Data Entry Clerk 3 | | | | |
| Data Entry Clerk 4 | | | | |
| Data Entry Clerk 5 | | | | |
| HR Representative | | | | |
| St Louis, MO Alternate Site | | | | |

Steps in case of a contingency – NOT a plan member
- Contact the plan manager on the roster list and inform him or her
about the disaster.
- If the manager cannot be reached, call anyone on the roster list and
inform them about the disaster.
- DO NOT STOP until you have contacted someone from the list.
- If you have not succeeded, notify your manager immediately.
Steps in case of a contingency – A plan member
- Contact the plan manager on the roster list and inform him or her
about the disaster.
- If the manager cannot be reached, call anyone on the roster list and
inform them about the disaster.
- Each member, when called, must call the person listed next on the
list. If that person cannot be reached, call the next person, etc.
- The current gathering location is _______________
- The team should meet at the meeting place unless instructed
otherwise by the plan manager.
- The plan manager should contact the St Louis, MO site to inform them
to start preparations for the team’s arrival.
- The System operator should bring the recent Backup tapes from the
last 5 days PLUS the "Monthly Backup" tape.
- At the gathering location, the plan manager should perform a head
count to make sure that everyone is present.
- At the plan manager’s decision, the team will start the route to
the St Louis, MO alternate site.
Training
Each employee of the KC location must be familiar with section 3.3
of this plan (Steps in case of a contingency – NOT a plan member).
Each member on the Contingency Team:
- Must review the contingency plan at least once every three months.
This is very important since the plan may have changed.
- Must be familiar and up to date with the operation and
documentation of his or her tasks needed during a contingency.
- Must participate in a Contingency Plan drill (as specified by the
Plan manager) at least once every six months.
- When a new member joins the team, the Contingency plan manager
must personally review this plan with the new member.
- Testing – It is the responsibility of the Plan manager to make
sure that the contingency plan is applicable and up to date using the
following methods:
- Review – Every three months the plan has to be reviewed by
the plan manager to verify that:
  - The team members are still working with the company.
  - The personal details on the roster list are up to date.
  - Each team member can still fulfill the requirements on the roster.
    An emphasis should be put on the System operator to check if he or
    she is familiar with restoring from Backup tapes.
  - Each team member has complied with section 3.3 (Training).
  - Contact the alternate site in St Louis, MO to check for any known
    concerns that may prevent this site from being operational during a
    contingency.
- Analysis – Every six months the plan must be analyzed by the
Security Administrator and the CFO to ensure accuracy and compatibility of
the plan.
- Simulation Drills – The drills must be performed based on
the following:
  - Every three months the plan manager should contact the team members
    and make sure that they are all aware of section 3.4 of this plan
    (Steps in case of a contingency – A plan member).
  - Every three months the current system operator on the roster should
    perform a restore from backup.
  - Every six months the plan manager should visit the St Louis, MO
    alternate site and make sure that section 2.4 (Physical
    Infrastructure) is compliant.
Contingency Plan – Remote Sites
- Business Critical
The business-critical function for XYZ Company is to supply our customers
with a great beverage product and to ship it on time and according to the
customer’s order. We should be able to receive orders from our customers
24/7, 365 days a year. We cannot tolerate customers complaining that they
are unable to submit orders, or complaints regarding shipment delays.
- Supporting resources of Critical Functions
There are NO critical systems in the remote locations.
- Implementation
- Contingency Plan Managers – By Remote Sites – Updated 1-March-2001

| Position | Name | Tel – Work | Tel – Home | Home Address |
|---|---|---|---|---|
| Contingency Plan Manager – San Francisco | | | | |
| Contingency Plan Manager – Denver | | | | |
| Contingency Plan Manager – New Orleans | | | | |

Steps in case of a contingency – NOT a plan manager
- Contact the plan manager on the list and inform him or her about the
disaster.
- If the manager cannot be reached, notify your manager immediately.
Steps in case of a contingency – A plan manager
- Contact the plan manager closest to you geographically and inform him
or her about your contingency:
  - Denver – Contact New Orleans.
  - San Francisco – Contact Denver.
  - New Orleans – Contact Denver.
- If the closest plan manager cannot be contacted, contact the other plan
manager and inform him or her about your contingency.
- When a plan manager is notified by another site of a contingency, the
called site should phase down to minimum activity to allow enough
resources for the other site in contingency.
- Then, the plan manager of the called site will designate 5 users with
their VPN accounts to the calling site (with the contingency).
- The calling site will be in touch with the 5 designated users to
perform their tasks.
SECURITY AUDIT
The security audit is needed in order to check Mid-Continent’s
system security. An audit helps in identifying security problems and
vulnerabilities.
We recommend two basic methods:
- A one-time audit event to evaluate your security which we have
basically performed once we were hired.
- An ongoing audit activity to check your system, its users and your
environment. This is applicable to all sites.
Each site should keep a logbook with the checks that have been
performed and the date. For the system audits that use automatic
logging, such logbook is not needed.
- Physical security audit
- Once a day check that the Mainframe computer room is always closed
and only authorized personnel can enter the room.
- Every morning make sure that the security guard at the building gate
has arrived.
- The security guard should make sure that at the end of the day the
computer rooms are locked including all windows. Therefore, we suggest
that at least once every 3 months, just before the guard makes his or
her round, you leave the door and/or window open. Make sure that the
guards DO perform their duty and that they close the door and/or
window.
- Test your security alarm systems as suggested by the manufacturer.
Environmental security audit
Check and maintain your environmental systems at each computer room
according to the manufacturers’ recommendation. This includes:
- Air Conditioning.
- Heating system.
- UPS.
- Fire sprinklers.
- Humidifiers.
System Audits
The following audits should include ALL systems that have ANY user
account.
- Accounts without passwords – such accounts should not be valid
and should be traced to the individual they belong to.
- Accounts with easily guessed passwords – We suggest that every
password should include:
- At least 8 characters.
- At least two digits.
- Have the users change their passwords at least every 3 months.
- Dormant Accounts – Make sure that ALL employees that have left
the company no longer have an account in any system. If such
accounts exist, delete them immediately.
- Suspicious user activity – Check the system login logs for any
unusual activity.
For example:
- The data entry clerks’ regular hours are 8-4 local time. If you
see a login at midnight, contact the clerk for his or her needs from
the system at that time.
- Make sure that employees that are on vacation have no login logged
during that time. If a login entry is logged, try to contact that
employee immediately to verify this login.
- Monitoring Backups
- Make sure that the daily backups are performed on schedule.
- Once a week check that the backup tapes are stored in the fireproof
safe at the other location in KC.
- In coordination with the Contingency plan manager, make sure that
the system operator is familiar with the restore function of the
backup tapes.
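The account and login checks listed under System Audits, sketched as a script. This is an added example, not part of the original plan; the account records, log format, user names and function names are all constructed for illustration, and "3 months" is taken as 90 days.

```python
from collections import namedtuple
from datetime import date, datetime, time, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)           # assumption: "3 months" taken as 90 days
WORK_START, WORK_END = time(8, 0), time(16, 0)  # data entry clerks work 8-4 local time

Account = namedtuple("Account", "user has_password password_changed")


def password_meets_policy(candidate):
    """Rule applied when a password is set: at least 8 characters, 2 digits."""
    return len(candidate) >= 8 and sum(ch.isdigit() for ch in candidate) >= 2


def audit_accounts(accounts, current_employees, today):
    """Return (user, finding) pairs for dormant, passwordless and stale accounts."""
    findings = []
    for account in accounts:
        if account.user not in current_employees:
            findings.append((account.user, "dormant account: owner has left"))
        elif not account.has_password:
            findings.append((account.user, "account without password"))
        elif today - account.password_changed > MAX_PASSWORD_AGE:
            findings.append((account.user, "password not changed in 3 months"))
    return findings


def parse_login(line):
    """Parse 'YYYY-MM-DD HH:MM user LOGIN'; return None for anything else."""
    fields = line.split()
    if len(fields) != 4 or fields[3] != "LOGIN":
        return None
    try:
        when = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M")
    except ValueError:
        return None
    return fields[2], when


def audit_logins(lines, clerks, vacations):
    """Flag clerk logins outside 8-4 and any login during a recorded vacation."""
    findings = []
    for line in lines:
        parsed = parse_login(line)
        if parsed is None:
            continue
        user, when = parsed
        if any(start <= when.date() <= end for start, end in vacations.get(user, [])):
            findings.append((user, when, "login while on vacation"))
        if user in clerks and not WORK_START <= when.time() <= WORK_END:
            findings.append((user, when, "login outside regular hours"))
    return findings


# Constructed sample data (not taken from a real system).
ACCOUNTS = [
    Account("clerk1", True, date(2001, 2, 1)),
    Account("clerk2", False, date(2001, 1, 15)),
    Account("oper1", True, date(2000, 10, 1)),
    Account("exclerk", True, date(2001, 1, 1)),
]
CURRENT_EMPLOYEES = {"clerk1", "clerk2", "oper1"}
CLERKS = {"clerk1", "clerk2"}
VACATIONS = {"clerk2": [(date(2001, 3, 5), date(2001, 3, 9))]}
LOGIN_LOG = [
    "2001-03-05 08:12 clerk1 LOGIN",
    "2001-03-06 00:03 clerk1 LOGIN",
    "2001-03-06 09:30 clerk2 LOGIN",
    "2001-03-06 16:05 clerk1 LOGOUT",
    "2001-03-06 23:10 oper1 LOGIN",
    "corrupted line",
]

if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, CURRENT_EMPLOYEES, date(2001, 3, 7)):
        print(finding)
    for finding in audit_logins(LOGIN_LOG, CLERKS, VACATIONS):
        print(finding)
```

Each finding is a lead for the follow-up the plan describes (contact the clerk, verify the login with the employee, delete the dormant account), not proof of misuse.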
Employee Awareness Audit
Once a week, take a few minutes with a different employee to go over
the security measures in your site. Make sure that the employee is
familiar with the password safety measures and other security related
issues.
Perform some tricky tests such as:
- Call one of your employees and ask him or her to give you their
password over the phone. If that employee does give it over the
phone, that’s trouble.
- Send an anonymous email to an employee asking for his or her user
information.
- Make a weekly round at lunchtime and at the end of the day to see
that all users have either logged out or have their screen saver up.
RISK ASSESSMENT/COST BENEFIT
Risk is the likelihood or probability that a loss of information
resources or breach of security will occur. Risk assessment is the process
for identifying and ranking risks to information assets that includes:
asset; threat analysis; vulnerability assessment; and safeguard selection
and cost/benefit analysis.
Risk assessment and disaster planning are vital
security activities and they should be included in every good security plan.
When you are considering building, buying or even using a security
product, you will have to balance the cost of the product against the risk
of doing without it. Risk analysis is a procedure used to estimate
potential losses that may result from system vulnerabilities and to
quantify the damage that may result if certain threats occur. The main goal
of risk analysis is to help select cost-effective safeguards that will
reduce risks to an acceptable level.
Standard risk analysis involves looking at your
tangible assets – such as the building, computers (including hardware
and software), all communication media and all other equipment – and
figuring out how to protect them.
Responsibilities
Information asset owners will assess risks to information assets to
determine needs for protecting their confidentiality, integrity, and
availability. Security Department will develop and communicate procedures
to be used in the assessment of risks to information assets. This process
will be completed as part of new system development as well as for
operational information assets under the following conditions:
- when there is a major change to the information asset or its
environment;
- when threats or vulnerabilities increase significantly;
- when a major security violation has occurred.
Whenever possible, the assessment of risks to information assets will
be automated to facilitate standardization of risk identification and
tracking of risk mitigation.
Risk Mitigation
Information asset owners will take action to mitigate or reduce to an
acceptable level risks to information assets under their control. Security
Department will establish a process for mitigating risks to information
assets that include identification of roles, responsibilities, and
procedures for developing implementation plans. Processes will also be
established for prioritizing corrective action, identifying funding
requirements, and integrating across platform solutions, waivers, and
exceptions, and for tracking implementation status.
Requirement of Risk Analysis during Project Planning Stage
A formal risk analysis will be performed for each system (i.e.,
determining the sensitivity of its confidentiality, integrity, and
availability components) as part of the project planning phase. This
analysis will help identify the protection requirements for the system and
help determine the feasibility of the project.
Security Requirement Definition
Identification of security requirements will be included as part of
application planning and analysis. Security requirements are easier and
much less costly to implement if they are included in the initial design
of an application rather than retrofitted into an existing application.
Security requirements will be defined based on:
-- who will use the system;
-- what data must be secured;
-- what parts of the system execute outside of the network;
-- what information is required for user authentication and auditing.
A security requirement statement will be part of the required documents
for use of sensitive information systems software. This statement will be
based on a preliminary risk assessment and must describe security software
requirements needed to adequately protect the system and the information
it processes.
CHANGE MANAGEMENT/CHANGE CONTROL
All computer and data communications systems used for
production processing at XYZ Company must employ a formal change control
procedure, which is used to ensure that only authorized changes are made
and moved into production.
All program modifications will be reviewed, tested and
approved by the Information Asset Owner prior to moving them into the
production environment. Controls will include not only procedural
requirements, such as a process flow for change implementation, but also
file system security to restrict the ability to modify programs (both
source code and executables) to authorized personnel. In addition,
commercial program change control software will be considered to assist
with the security and control of program changes.
Software Change
Except in extreme emergencies, changes to system
software will not be made without the approval of the System Owner. System
Owners will develop procedures to ensure that changes to the system are
reviewed, tested, documented, and approved prior to their implementation.
Administrators should maintain a baseline of important
system software. Baseline information should include creation dates,
modification dates, file size and/or other characteristics. Important
system software includes relatively static files used for operating system
functions or utility-type programs and configuration files. Identification
of unauthorized changes to system software facilitates the identification
of Trojan horse attacks and the investigation of security incidents.
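One way to keep and check such a baseline, as an added example that is not part of the original plan. It records size, modification time and a SHA-256 digest for each file (the digest is this example's choice for the "other characteristics"); the file names and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root to (size, mtime in ns, SHA-256 of contents)."""
    baseline = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            info = os.stat(path)
            with open(path, "rb") as handle:
                digest = hashlib.sha256(handle.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = (info.st_size, info.st_mtime_ns, digest)
    return baseline


def compare(baseline, current):
    """Sort every path that differs between two snapshots into a category."""
    report = {"added": [], "removed": [], "content_changed": [], "metadata_changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path][2] != current[path][2]:
            report["content_changed"].append(path)
        elif baseline[path][:2] != current[path][:2]:
            report["metadata_changed"].append(path)
    return report


def write(root, name, data):
    """Create or overwrite a file in the sample directory."""
    with open(os.path.join(root, name), "wb") as handle:
        handle.write(data)


def demo():
    """Build a constructed directory, change it, and return both snapshots
    together with the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "login.cfg", b"timeout=30\n")
        write(root, "print.exe", b"original-binary")
        write(root, "old.dat", b"x")
        before = snapshot(root)

        # A program replaced by same-length content, with its old timestamps
        # put back: size and modification date alone show no difference.
        target = os.path.join(root, "print.exe")
        info = os.stat(target)
        write(root, "print.exe", b"modified-binary")
        os.utime(target, ns=(info.st_atime_ns, info.st_mtime_ns))

        # A configuration file whose date moved but whose content did not.
        config = os.path.join(root, "login.cfg")
        info = os.stat(config)
        os.utime(config, ns=(info.st_atime_ns, info.st_mtime_ns + 10 * 10**9))

        os.remove(os.path.join(root, "old.dat"))
        write(root, "helper.bat", b"echo hi\n")
        after = snapshot(root)
    return before, after, compare(before, after)


if __name__ == "__main__":
    for category, paths in demo()[2].items():
        print(category, paths)
```

The baseline itself has to be stored where the people who can change the system software cannot also rewrite it, otherwise the comparison proves nothing.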
System testing should be a joint effort of users and
information processing organizations and should include both the manual
and automated phases of the system. Test functions will be kept either
physically or logically separate from production functions.
Documentation of all changes
All changes to operating system modules, tables,
libraries, application software, etc., will be documented and will become
a permanent part of the system or application documentation. All change
record documentation will reflect the date of change, the reason for
change, the name of the person making the change, and the person who
authorized the change.
CONCLUSIONS-RECOMMENDATIONS
The security plan needs to be adjusted to the strategy
plan and today's fast changing environment. In this environment,
information technology security acquires extraordinary importance.
Employees, consumers, and suppliers are only a click away from the company's
backbones, systems and data. Without proper attention to security, one of
an organization's most valuable assets, its information, is subject to
loss. With careful planning from the earliest stages, as we did in this
study, security becomes an enabler, and supports the organization in
achieving its mission.
Finally, XYZ Company needs to remember that
"Technology time" accelerates the pace of change, making
yesterday’s strategic masterstroke today’s bumbling miscalculation. In
other words, XYZ Company should audit its systems continuously, and be
prepared to adapt quickly, or fall way behind competitors.
Figure 1: ORGANIZATIONAL CHART
Figure 2: CONTROLLER’S ORGANIZATIONAL CHART
Figure 3: MIS ORGANIZATIONAL CHART
Figure 4: NETWORK CHART
REFERENCES
- An Introduction to Computer Security: The NIST Handbook. National
Institute of Standards and Technology. U.S. Department of Commerce.
- Russell, Deborah and G.T. Gangemi Sr. Computer Security Basics. O'Reilly
Associates, 1991.
- ITL Bulletin. National Institute of Standards and Technology. Several
monthly editions 2000 and 2001.
- Hamm, Steve and Stepanek, Marcia. From Reengineering to E-engineering.
Business Week e-biz, March 22, 1999.
- IBM, Electronic Commerce. The International Engineering Consortium. Web
Proforum Tutorials.
- Swanson, Marianne. Guide for Developing Security Plans for Information
Technology Systems. December 1998.
- Green, Heather. Throw Out Your Old Business Model. Business Week e-biz,
March 22, 1999.
- Engineering Principles for IT security-Draft (A baseline for achieving
security). National Institute of Standards and Technology. May 05, 2001.
- Stepanek, Marcia. You’ll wanna hold their Hands. Business Week e-biz,
March 22, 1999.
- Yang, Catherine. No Web Site is an island. Business Week e-biz, March 22,
1999.
- Gross, Neil. Building Global Communities. Business Week e-biz, March 22,
1999.