Unit Outline: Information Security Risk Assessment - PowerPoint PPT Presentation

Provided by: Alb55
Learn more at: https://www.albany.edu

Transcript and Presenter's Notes

Unit Outline: Information Security Risk Assessment
  • Module 1: Introduction to Risk
  • Module 2: Definitions and Nomenclature
  • Module 3: Security Risk Assessment
  • Modules 4-5: Methodology and Objectives
  • Module 6: Case Study (current module)
  • Module 7: Summary

Module 6: Case Study

Case Study: Introduction
  • The Arlington Community Schools of Hawk County
    (ACSHC) is planning to conduct a risk assessment.
    For this case study, put yourself in the position
    of the team leader responsible for the risk
    assessment of the Student Management System (SMS)
    for this school corporation.
  • This school corporation includes an elementary
    school, a middle school, and a high school. There
    are 1028 students, 61 teachers, 9 administrators,
    2 full-time technology staff, and IT consultants,
    all of whom have regular access to the ACSHC
    information system, including SMS. In addition,
    the software developers for SMS Software have
    remote access to this system to perform software
    updates. All users can remotely access their home
    directory from any Internet connection. Access to
    the information system varies depending upon a
    person's role at ACSHC.

Case Study: List of Users/Admins with SMS Information, Part I
  • IT Support Staff: These users include two full-time
    employees and two outside technology contractors.
    It is this group's role to maintain all
    workstations and servers and to provide support
    and training to the end users. They are
    responsible for all areas of the information
    system, such as backups, updates, repair, and
    replacement.
  • Corporation and School Administrators: These users
    are the leaders of ACSHC and the respective
    schools. They have access to student and teacher
    folders as well as their own on the network. In
    the SMS system they have access to discipline,
    contact information, schedules, attendance
    records, demographic information, grades, and
    academic history.
  • Bookstore Secretaries: These two users run their
    schools' bookstores and are also responsible for
    their respective schools' accounts. In the SMS
    system they have administrative access.
  • Support Staff: These users include the main school
    secretaries. They have access to their own
    directories on the information system. In the SMS
    system they have access to almost all
    administrative aspects and components.

Case Study: List of Users/Admins with SMS Information, Part II
  • Guidance Staff: These users make up the
    corporation's guidance department. They have
    access to their own directories on the information
    system. In the SMS system they have access to
    discipline, contact information, schedules,
    attendance, demographics, grades, and academic
    history.
  • Teachers: These users make up the second largest
    group of users. They have access to their own
    directories and those of their students. They have
    individual login names for network connectivity.
    In the SMS system they have access to attendance,
    grades, schedules, and contact information.
  • Instructional Assistants: These users provide
    educational support for teachers and students.
    Like teachers, they have individual login names
    for network connectivity, but they do not have
    access to the SMS system.
  • Students: These users make up the largest group of
    users. They have access to their individual user
    directory. In the SMS system they have access to
    their own schedules. Unlike teachers, all students
    log on to the workstations using one shared login
    name, student.

Case Study: Management Controls
  • The ACSHC facility has two distinct buildings on
    one campus. One building houses an elementary, a
    middle school, and a high school; the other
    building houses the ACSHC corporation office. The
    ACSHC information system's main distribution frame
    (MDF) is connected to five intermediate
    distribution frames (IDFs) via fiber optic cable.
    There are also multiple wireless access points
    that are secured via 128-bit encryption.
  • The current controls for the ACSHC SMS information
    system are categorized into the following three
    groups: management controls, operational controls,
    and technical controls.
  • Management Controls
  • Management controls of an IT system are concerned
    with identifying the personnel and human factors
    involved in managing an information system. This
    includes items such as separation of duties,
    security and technical training, and assignment of
    responsibilities.

Case Study: Operational Controls
  • Operational controls of an IT system are concerned
    with the physical controls in place to protect the
    system. This includes items such as the main
    server room door, backup systems, temperature
    control systems, dust control systems, quality of
    electrical power, and physical security such as
    locked doors and access control.
  • The main server room is located directly behind
    the Director of Technology's office, so gaining
    access to the room requires passing in front of
    the Director's door. The lock on the server room
    door requires an ACSHC master key, and the door is
    kept locked except when the room is in use. The
    server room contains the router to the Internet,
    the main switch, and five servers. The SMS server
    sits on the floor with the email server sitting on
    top of it. Each server has its own uninterruptible
    power supply (UPS), which sits on the floor next to
    the servers. There are also two cabinets that
    contain the other three servers, two UPSes, patch
    panels, switches, fiber connectors, and the router
    to the Internet, powered by two circuits. This
    room houses two other cabinets that contain the
    intercom system and surveillance equipment. High
    temperatures have been avoided in this room by
    installing its own air conditioning unit.
  • There is an internal backup drive in the SMS
    server that is used to perform a full server
    backup of the SMS system every Wednesday night.
    The backup tapes are changed by the Director of
    Technology and stored in the school vault or in
    the Director of Technology's purse. Other backups
    are performed on the system before updates are
    installed.

Case Study: Technical Controls
  • Technical controls of an IT system are concerned
    with digital security that protects an information
    system or provides the ability to trace an
    intrusion.
  • Examples of technical controls include:
    • Communication
    • Firewall
    • Intrusion Detection System
    • Encryption
    • System Audits
    • Object reuse
  • Examples of technical controls in the ACSHC
    system include:
    • Vexira anti-virus software
    • Deep Freeze and Fool Proof workstation security
      software
    • Filters to prevent students from downloading
      files from the Internet

Case Study: Questions
  1. According to the material of Module 4 of Course 1,
     or the standard NIST SP 800-30, identify the main
     work plan steps of the risk assessment in this
     case.
  2. If you conduct the threat assessment (one part of
     the risk assessment of the SMS information system
     for ACSHC), into how many sub-categories would you
     divide your investigation? Briefly explain how
     each plays a role in this specific case.

Case Study: Question 1, Reference Solution A
  • According to the course material, the main work
    plan steps are:
  • Planning: This includes determining the risk
    assessment scope and the security baseline, in
    which we identify the current system
    characteristics.
  • Preparation: This is mainly to identify the assets
    related to the SMS information system at ACSHC.
    It can be further broken down into asset
    identification, asset classification, and asset
    prioritization based on their weighted importance
    to confidentiality, integrity, and availability.
  • Threat assessment: This is the study covering
    threats, threat sources, and threat impacts.
  • Risk assessment: This includes evaluation of
    current risk controls, vulnerability
    identification, and likelihood determination; all
    the information generated so far then leads to the
    complete risk determination for the SMS
    information system at ACSHC.
  • Finally, we can obtain the complete control
    recommendations.

Case Study: Question 1, Reference Solution B
  • If we follow NIST SP 800-30, the main risk
    assessment work plan steps are:
  • Step 1: System Characterization
  • Step 2: Threat Identification
  • Step 3: Vulnerability Identification
  • Step 4: Control Analysis
  • Step 5: Likelihood Determination
  • Step 6: Impact Analysis
  • Step 7: Risk Determination
  • Step 8: Control Recommendations
  • Step 9: Results Documentation

Case Study: Question 2, Reference Solution
  • Mainly, the threats to the SMS information system
    of ACSHC can be categorized, based on their threat
    sources, into three areas: human threats
    (internal/external), natural/physical threats, and
    technical threats.
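The following Python script is an added worked example, not part of the original slides or the course material. It carries the NIST SP 800-30 steps from Reference Solution B through likelihood determination, impact analysis and risk determination (Steps 5-7) for a small threat register, and groups that register by the three threat-source categories from the Question 2 reference solution. The threat/vulnerability pairs are drawn from the case study description; the Low/Medium/High ratings attached to them are assumptions made for illustration, not findings, and a real assessment would derive them from control analysis and interviews. The numeric scale (likelihood 1.0/0.5/0.1, impact 100/50/10, risk High above 50, Medium above 10, otherwise Low) is the example scale given in SP 800-30 (2002).

```python
"""Risk determination for the ACSHC SMS case study.

Added example: NIST SP 800-30 (2002) steps 5-7 applied to a threat
register built from the case study slides. The likelihood and impact
ratings below are ASSUMED for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


# SP 800-30 example scales for likelihood and impact magnitude.
LIKELIHOOD_VALUE = {Level.HIGH: 1.0, Level.MEDIUM: 0.5, Level.LOW: 0.1}
IMPACT_VALUE = {Level.HIGH: 100, Level.MEDIUM: 50, Level.LOW: 10}

# Threat-source categories from the Question 2 reference solution.
HUMAN_INTERNAL = "human (internal)"
HUMAN_EXTERNAL = "human (external)"
NATURAL_PHYSICAL = "natural/physical"
TECHNICAL = "technical"


@dataclass(frozen=True)
class ThreatEntry:
    source: str          # threat-source category (Question 2 breakdown)
    threat: str          # what the threat source could do (step 2)
    vulnerability: str   # condition in the case study that enables it (step 3)
    likelihood: Level    # step 5 rating (assumed in this example)
    impact: Level        # step 6 rating (assumed in this example)


def risk_score(likelihood: Level, impact: Level) -> float:
    """Step 7: risk = likelihood value x impact value.

    Rounded because 0.1 * 100 is 10.000000000000002 in binary floating
    point, which would silently push a boundary case from Low to Medium.
    """
    return round(LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact], 2)


def risk_level(score: float) -> Level:
    """Bin a score into the SP 800-30 risk scale: High >50, Medium >10, else Low."""
    if score > 50:
        return Level.HIGH
    if score > 10:
        return Level.MEDIUM
    return Level.LOW


def determine_risk(entries):
    """Return (entry, score, level) tuples, highest risk first."""
    scored = []
    for entry in entries:
        score = risk_score(entry.likelihood, entry.impact)
        scored.append((entry, score, risk_level(score)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


def by_source(entries):
    """Group the register by threat-source category."""
    groups = {}
    for entry in entries:
        groups.setdefault(entry.source, []).append(entry)
    return groups


# Constructed register: the facts come from the case study slides, the
# likelihood/impact ratings are assumptions chosen to exercise the scale.
ACSHC_THREATS = [
    ThreatEntry(HUMAN_INTERNAL,
                "a student views or changes another student's SMS data",
                "all students log on with the shared 'student' account, so "
                "workstation activity cannot be attributed to an individual",
                Level.HIGH, Level.HIGH),
    ThreatEntry(HUMAN_INTERNAL,
                "loss or theft of the weekly full SMS backup tape",
                "tapes are kept in the school vault or in the Director of "
                "Technology's purse",
                Level.LOW, Level.HIGH),
    ThreatEntry(HUMAN_EXTERNAL,
                "the SMS vendor's remote access is misused or compromised",
                "SMS software developers have remote access to the server",
                Level.MEDIUM, Level.HIGH),
    ThreatEntry(NATURAL_PHYSICAL,
                "SMS server damaged by a toppled stack, water or dust",
                "the SMS server sits on the floor with the email server on top",
                Level.LOW, Level.MEDIUM),
    ThreatEntry(TECHNICAL,
                "malware spreads from a workstation to the SMS server",
                "listed technical controls are anti-virus, Deep Freeze/Fool "
                "Proof and download filters; no firewall or IDS is listed",
                Level.MEDIUM, Level.MEDIUM),
]


def report(entries=ACSHC_THREATS):
    """Render the ranked register as text lines (step 9, results documentation)."""
    return [f"{level.value:6} {score:5.1f}  [{entry.source}] {entry.threat}"
            for entry, score, level in determine_risk(entries)]


if __name__ == "__main__":
    print("\n".join(report()))
    for source, group in by_source(ACSHC_THREATS).items():
        print(f"{source}: {len(group)} threat(s)")
```

Run it directly to print the ranked register. The tape item is the deliberate boundary case: Low likelihood against High impact scores exactly 10 and therefore lands in Low, which is why the product is rounded before binning and why the SP 800-30 scale is best treated as a ranking aid to be sanity-checked by the assessor rather than as a measurement.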