Hypothetical Organization and Security Requirements, Essay Example

Despite the increase in network and data center security with the most up-to-date and technologically advanced security modules, there is still the potential for a security breach posing a threat to the network.  Criminals and other people with malicious cyber intent are currently exploring and creating new ways to bypassing or superseding security software in order to gain access to classified material such as banking information, personal data, competitor’s intellectual property or other information that may provide a potential advantage or gain to the criminal.  This information is gained by taking advantages of potential weaknesses in the security systems by physical or opportunistic methods.  These loses could result in the loss of business critical information or loss of a competitive advantage, both of which could negatively impact the company as a whole. Accordingly, information or data is vital for organizations. They need to protect their data from competitors, hackers, cyber criminals and many more. (Calder, 2008) This paper will highlight implementation of the proposal for an ISO 27001 compliant information security management system (ISMS) for a chain of EM’s bakeries, in order to implement a standard to ensure confidentiality, availability, and integrity of data.

The scope for ISMS defined in ISO 27001 as “An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks (Calder 2008). An ISMS is part of a larger management system and can be implemented on one or more than one department. There are identified issues, related to mismanagement of network, data, assets, and database security. The data is synchronized on a daily basis from each outlet of Em’s bakery to the file server. The Sales server is the most crucial as far as both clients and organization is concerned, as it contains all the financial data related to daily sales, products sold etc. The outlets are connected to the head office via virtual private network. Coordination of each employee, whether the internal staff or the sales outlet staff, is conducted by emails relayed from the email server located at the head office. (Calder, 2009)The ISMS is applicable in the head office servers for ensuring data security. The reason for implementing ISMS on the servers is that both the organization and clients are accessing information from these servers. If any threat or security breach is triggered on these servers, both clients and the customers will suffer. The current scope does not protect the overall network. Moreover, the servers are vulnerable due to no protection between the workstations and the wireless connectivity. In order to protect these servers from threats and vulnerabilities, deployment of firewall is required.

Business Requirements

• If the sales server stops responding or suffers from a hardware or software failure, the sales outlets of Em’s bakery will not be able to send sales data to the servers. The sales process will be halted, as the system will not process any data from these outlets. On the other hand, the customer connected to Wi-Fi will not be able to access services related to Em’s bakery sales. As there is no backup available for the sales server, it is very critical.
• It is possible for any employee to gain access of the sales server, for amending sales figures related to any particular sales outlets. This is possible because no firewall rules are defined and no access mechanisms are set for each employee. Furthermore, a hacker may intrude in the sales server and extract all the sales figures of Em’s bakery. The hacker can then sell this information to the competitors, as they will be delighted to know which product is on the top list. This is the most critical issue as data leakage is not acceptable at any level.
• An employee can amend sales figures before sending them to the sales server, resulting in a revenue loss for the bakery. A hacker may also disrupt the transmission of data, from the sales outlets to the ‘sales server’ located at the head office. This issue is under control, as the transmission between the sales outlets and the head office are encrypted due to VPN deployment.

The security policy would enable the Em’s Bakeries Ltd. to follow certain set of control policy, which will give a type of broad idea of how the organization should function on daily basis. Also after implementing of the rules, they need to be checked at a periodical basis in order to keep up with the latest threats and vulnerabilities. The following are the guidelines to control the security policy of the organization (Commerce, 2007):

1) All data must be identified as confidential and should be managed by using access rights.

2) Any unauthorized software found on the system would be deleted with due effect.

3) Internet access should only be granted, to selected authorized personnel only.

4) Access of certain ports and proxy must be granted to certain authorized people only, which would help in identifying the individual if any damage or illegal activity is monitored.

5) Passwords of profile of each employee must contain at least 8 to 15 characters with minimum of one capital character, one special character and one number.

6) Passwords will expire within duration of 3 months without repeating the previous password credentials.

7) Mandatory that all workstations have an anti-virus and firewall system installed and operational.

8) The workstation will have write protection enabled and would not allow any executable programs to run except for the required software.

9) There must be a black list created for any IP addresses from external source to be logged and blocked if found trying to scan, penetrate or exploit the network.

10) All the installation and maintenance of the workstation must be performed by system administrator only.

11) If any problem is faced in the network or workstation or servers, a note must be taken and the risk treatment plan appropriate for that problem must be started.

12) All kinds of removable media must be disabled to increase the security and to prevent any unwanted software (viruses, spyware) to be installed on the local system jeopardizing the entire network’s security.

13) The open wireless bridge must be closely monitored in order to stop any malicious activity and prevent any risk to the organization’s network security.

14) Each and every staff needs to be acquainted with the Security Policy and should keep in mind if any inappropriate activity is triggered, would lead to severe penalties.

Security Business Requirements

The basic requirements for the business’s security have been outlined in the previous section.  In order to achieve these objectives it must first be fully understood where the company’s current security levels are in regard to maturity level.  The Capability Maturity Model Integration or CMMI utilizes a process improvement method to iteratively increase the maturity of specific functions or systems within an organization.  The CMMI follows a stair step approach with five individual and distinct levels of maturity as they progress (CMUSEI 2011).  The levels are initial, managed, defined, quantitatively managed and optimized.  Each level has distinct goals and objectives to meet prior to reaching the next level ultimately pushing the system into the optimized position for future process improvement.  Each organization could be appraised to receive a level of CMMI and from that appraisal a maturity rating of 1-5 is awarded.  The lowest possible level is the initial phase.  In this phase the processes are unpredictable and each section has little if any control on the process.  Another key aspect of the initial phase lies in the fact that all of the precautions and solutions generated by the company are reactive and become “fire drills” to quickly mitigate the issue at hand.  While the CMMI appraisal does not guarantee solutions to the issues it does provide a framework for solutions to be created.  There are specific process areas that are associated with the type of CMMI that is being performed (Zimmie 2004).  The process areas are the areas that are covered within the organizations processes.

For Em’s Bakery to achieve the next level of CMMI it must possess a specific level of maturity in multiple process areas.  Within those specific process areas, the process most important to the security requirements falls within the purview of project monitoring and control (PMC).  Under the project monitoring and controlling process area, the business can establish the framework for project management methodology to implement the multiple projects that it will need to complete the outlined business requirements.  The project management methodology will help ensure the successful implementation of the security requirements while also pushing the business into a more rigorous and structured business model (PMI 2008).  The PMC area will ensure progress is monitored and schedules are adhered to throughout the project lifecycle.  Transforming a company from a CMMI level 1 to level 2 requires the structure and standard operating procedures of a best-practices framework (Chrissis, Konrad, and Shrum 2011).  There are specific and generic goals associated with PMC.  The generic goals include building the organization framework and business processes to promote and accept the process changes while also building an institutionalized vision of what the corporation will look like and behave after the implementation.  These actions include defining certain processes, identifying the stakeholders, assigning accountable and responsible parties and implementing evaluation techniques for the process.

The specific goals include monitoring the achieve actions versus the plan.  This boils down to project management including project risks, schedule, performance, stakeholder analysis, performance reviews and project status.  The specific goals for implementation include building the ability to take corrective action as well as manage the action to fruition.  In regard to the security requirements implementation, the PMC’s generic and specific goals allow for the project management controls to evaluate the projects process as well as take the necessary actions to correct the course and successfully implement the project.

References

Carnegie Mellon University Software Engineering Institute. 2011. CMMI for development, version 1.3. Retrieved from http://www.sei.cmu.edu/library/abstracts/reports/10tr033.cfm

Calder, A., 2009. Implementing information security based on ISO 27001/ISO 27002 (best practice) Van Haren Publishing.

Calder, A., 2008. ISO27001/ISO27002: A pocket guide IT Governance Publishing.

Chrissis, M, Konrad, M., and Shrum, S., 2011. CMMI: guidelines for process integration and product improvement. Addison-Wesley Professional.

Commerce, O. G. C. O. G. (2007). Service design Stationery Office. Start with security policies, n.d.  Retrieved 8/25/2012, 2012, from http://www.altiusit.com/files/blog/StartWithSecurityPolicies.htm

Project Management Institute, P. M. 2008. A guide to the project management body of knowledge. (4th ed.). Newtown Square: Project Management Inst.

Zimmie, K., 2004. Secure and mature: combining CMMI SCAMPI with an ISO/IEC 21827(SSE-CMM) appraisal. Retrieved from http://www.sei.cmu.edu/library/assets/zimmie-secure.pdf