Enterprise Security Plan: Acme Consulting
With the company’s continued growth, there is a need to identify the organization’s risks, vulnerabilities, and threats to its enterprise. To maintain a competitive advantage, it is essential for the organization to model and build a secure environment in which business processes and procedures can operate efficiently. Furthermore, it is imperative to maintain security at all levels to ensure that essential data is not compromised. This security plan covers some of the many vulnerabilities, including physical, system, and data security, that we have found to be an issue within the current infrastructure. Mitigation strategies for these vulnerabilities were created in order to provide Acme Consulting with a comprehensive security plan.
Risk Management and Control Strategy
The first issue discovered concerns user awareness. Training doctrine is not updated to reflect the current infrastructure. Logs of who was trained, what training was given, and when the training was completed are lacking or missing. We have witnessed users opening unknown emails, visiting potentially dangerous websites, downloading attachments, and using personal thumb drives on company hardware.
The second issue is the weak access controls that we discovered, both physical and logical. Network and server rooms are easily accessible and have no access rosters or individual identity requirements. Old and unused user roles are still active, and many roles have overlapping responsibilities. Finally, anyone who has logon credentials can access any part of the file storage partitions.
The third discovered issue concerns the network’s poorly written applications. The in-house software solution does not verify data entry or block scripts from being entered into the data entry form fields.
The final issue that we are addressing concerns the unpatched software that we discovered. The server/workstation OSs and hardware IOSs have not had all of the up-to-date security patches installed. Also, a piece of legacy software is currently installed but no longer needed for day-to-day operations.
Mitigation is the management method that attempts to lessen, through planning and preparation, the loss triggered by the exploitation of vulnerabilities. This method consists of incident response, disaster recovery, and business continuity.
Identifying organizational risks is only the first part of implementing a proper risk mitigation plan; once a risk is identified, a mitigation plan must be prepared and supported by the organization. Risks can be transferred, avoided, or mitigated to address and lessen their impact and the probability of their occurring.
Vulnerabilities and Threats
A vulnerability is any flaw that makes it infeasible to prevent an attacker from escalating privileges, regulating internal operations, compromising data, or assuming trust that was not explicitly granted. A wide range of things can be classified as vulnerabilities, from buffer overflows to character flaws that allow social engineering. This makes sense, as vulnerabilities have been around since the beginning of time and have existed in every device or idea that was created to restrict or moderate access (What is a vulnerability, 2017).
Threats are anything that can cause harm to computing systems. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks, and more. These attacks may result in system breaches, stolen data, modified data, and loss of the public’s/customers’ trust.
The team looked at all the possible logical vulnerabilities that the business could face. The logical vulnerabilities are issues the business could face with software or logistical elements of the network. These range from back door access to software to protocol errors. It is important for the business to know any logical vulnerabilities that it could face, so that it can be proactive when faced with these situations. The team has also mapped out the probability and outlined the impact of the logical vulnerabilities. This will give the business an idea of how serious the issues are if they were to occur. Image 1.1 shows the discovered logical vulnerabilities and the threats that these vulnerabilities create.
The team also looked at all the possible physical vulnerabilities that the business could face. The physical vulnerabilities are issues the business could face with the physical elements of the business. These range from hardware failure to contingency plans. It is important for the business to know any physical vulnerabilities that it could face, so that it can be proactive when faced with these situations. The team has also mapped out the probability and outlined the impact of the physical vulnerabilities. This will give the business an idea of how serious the issues are if they were to occur. Image 1.2 shows the discovered physical vulnerabilities and the threats that these vulnerabilities create.
Top 20 Vulnerabilities
The team took a systematic approach to identify over 20 risks that impacted our potential organization. The result of our approach yielded the findings indicated above. The team ranked the pairs by applying risk management principles as well as taking a common-sense approach based on personal and professional experiences when dealing with vulnerabilities that introduce risks within the operating environment. The following is a list of the top 20 vulnerabilities:
Group Policies and Permissions
Unsecure Wireless Networks
Missed Security Patches
Destruction of Assets
Denial of Service (DoS)
Modification of Data
Controlling Risk Over Time
Our team will determine risks and security threats to Acme Consulting, including which strategy to use and a description of the risks that may arise from the discovered vulnerabilities. We will also implement security controls that eliminate or decrease uncontrollable risks.
The responsibility of Acme’s IT department will be to ensure all system changes to the security system are added to the security manual, train all Acme Consulting employees on security processes and procedures at least annually, and perform security standards review and analysis on an annual basis.
As a team, we all listed what we thought were the most important vulnerabilities that could hurt your organization the most. Then we matched up the ones that we all agreed upon were legitimate potential vulnerabilities and then discussed which ones we did not agree upon. After the vulnerability list was finalized, we talked about what steps we could take in order to mitigate each vulnerability. There wasn’t really too much to disagree upon regarding the mitigation of vulnerabilities, because there is only so much you can do to protect each vulnerability. The other vulnerabilities that did not make the top 20 were omitted because as a team, we did not think that they were that high of a Probability or Impact. Not to say we would not have to address them later down the road, but for now, they can be taken care of later.
MITRE. (2016). Risk Mitigation Planning, Implementation, and Progress Monitoring. Retrieved from https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-mitigation-planning-implementation-and-progress-monitoring
NIST Pub. 800-30. (2002). Risk Management Guide for IT Systems. Retrieved from http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/nist800-30.pdf
What is a vulnerability? (2017). Retrieved from https://www.snort.org/faq/what-is-a-vulnerability