ACME Inc. Security Assessment

ACME Inc. is a mid-size, privately held biotechnology firm that performs research and development for medical and pharmaceutical companies. The firm routinely shares information and data with its customers and partners, much of which contains trade secrets, HIPAA-protected patient information, and other privacy data. ACME Inc. has noted the recent trend of intrusions and compromises at other companies and, in response, hired additional information security personnel to assess the company's security posture and implement corrective measures as needed.

The following analysis is the result of an evaluation of the company's controls in four areas: management, operational, technical, and logical controls.

Management Controls

The assessment first addressed the management controls for ACME Inc. The analysis found that risk assessments were not performed at regular intervals, but only when news of a large security breach at another company or government entity prompted one. The reviews that were performed were limited in scope and did not evaluate the company as a whole; personnel and physical issues were left out. The current information system documentation is out of date and incomplete.

For example, the Microsoft domain controller, the Exchange mail server, and the web servers are listed, but each system's hostname, IP address, and operating system are not recorded. The risk assessment identifies natural threats such as tornadoes, earthquakes, and fires, along with some man-made threats such as administrator and user error, but it does not mention malicious intent or sabotage. Senior management has been briefed on natural, insider, and outsider threats and understands the risks posed by each.

The assessment does not address the cost associated with each threat source or the impact of each threat; as a result, specific controls to mitigate each scenario have not been identified. The review of the company's security controls found both positives and negatives.

The security controls address the local systems but do not cover the systems interconnected with customers and partners. Management has recently taken steps to correct security control deficiencies, including hiring experienced information security personnel. A System Security Plan (SSP) "provides an overview of the security requirements of the system and describes the controls in place or planned, responsibilities, and expected behavior of all individuals who access the system." The ACME Inc. SSP does not meet this definition because it omits the interconnected systems.

Operational Controls

The analysis of the personnel security controls found that information security staff, information technology staff, and general users are assigned only the permissions needed to perform their duties. ACME Inc. runs background checks on personnel in positions with access to privacy and HIPAA data; however, the checks are limited to National Agency Checks (NAC), which focus on criminal and law enforcement records. Periodic re-review of these background checks is often overlooked, and some personnel have not been re-checked since the company's inception.

Procedures exist to hold employees accountable for illegal actions and for violations of the company's core values and acceptable computer use policies. The analysis of physical security measures revealed both positive and negative practices. The company uses badges and biometric fingerprint scanners to control access to secure areas that hold trade secrets and confidential information, and other areas use badge readers combined with a user PIN. Security guards monitor these systems and perform random checks on employees entering and leaving the building.

Technical Controls

The identification and authentication controls used by ACME Inc. are typical of a biotechnology company. All users authenticate with a smart card and a PIN linked to their Active Directory account. Although smart cards are in use, users are still required to change their passwords every 60 days and to meet complexity requirements.

The logical access control evaluation found that, while users' access to systems and information is limited to their job requirements and responsibilities, no controls are in place to track that access or enforce the limits. Security staff and certain systems administrators are the only employees who can manage the security software. Other logical access control measures include encryption for the web servers, which use Secure Sockets Layer (SSL) with a certificate issued by VeriSign.

Recommendations

Based on the evaluation of ACME Inc., the recommendations for management controls include performing scheduled risk assessments on a quarterly basis to improve the understanding and mitigation of risk. Periodic reviews should cover all aspects of security, including physical and personnel security. Documentation must include detailed drawings of the overall logical system design, with each server shown with its IP address, hostname, and operating system.

For operational controls, the recommendations are to schedule a review of background checks, to work with human resources to ensure accounts are deleted upon an employee's departure, and to conduct disaster recovery exercises regularly. Establishing regular Security Education, Training, and Awareness (SETA) classes, including an annual information security refresher for all users, is essential.
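The two recommendations above (a server inventory with hostname, IP address and operating system, and confirmation that departed employees' accounts are actually removed) can both be checked against Active Directory, which the assessment identifies as the company's directory. The following PowerShell script is an added example written for this page, not part of the ACME assessment or of any tool it references. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed and read access to the directory; the 90-day inactivity threshold and the output folder are assumptions chosen for illustration.

```powershell
# Added example (not from the ACME assessment): produce the server inventory the
# documentation recommendation asks for, and flag enabled user accounts that have
# not logged on recently, as a check on the HR account-removal process.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access to AD.
#Requires -Modules ActiveDirectory
param(
    [int]$InactiveDays = 90,                              # assumption: 90 days counts as stale
    [string]$OutDir = "$env:USERPROFILE\acme-assessment"  # placeholder output location
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Server inventory: every enabled computer object running a server OS,
#    with the three fields the assessment found missing from the documentation.
$servers = @(Get-ADComputer -Filter "Enabled -eq 'True' -and OperatingSystem -like '*Server*'" `
        -Properties DNSHostName, IPv4Address, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Select-Object Name, DNSHostName, IPv4Address, OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Sort-Object Name)
$servers | Export-Csv -Path (Join-Path $OutDir 'server-inventory.csv') -NoTypeInformation

# Computer objects with no IPv4Address normally have no DNS record; these are
# exactly the hosts an out-of-date diagram tends to hide, so list them separately.
$noAddress = @($servers | Where-Object { -not $_.IPv4Address })

# 2. Leaver check: enabled user accounts with no logon inside the window.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates with a
#    delay of up to about 14 days, so treat it as a screening value, not an audit log.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale = @(Get-ADUser -Filter "Enabled -eq 'True'" -Properties LastLogonDate, whenCreated, Manager |
    Where-Object {
        # Only accounts older than the window count; a never-used account created
        # last week is an onboarding case, not a missed departure.
        ($_.whenCreated -lt $cutoff) -and
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
    } |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Manager)
$stale | Export-Csv -Path (Join-Path $OutDir 'stale-enabled-users.csv') -NoTypeInformation

"{0} servers inventoried ({1} without an IPv4 address)" -f $servers.Count, $noAddress.Count
"{0} enabled user accounts inactive for more than {1} days" -f $stale.Count, $InactiveDays
```

The two CSV files give the assessor a dated snapshot to attach to the SSP and to hand to HR; re-running the script quarterly alongside the recommended risk assessment shows whether the inventory and the leaver process are actually being maintained.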

References

  • NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems.
  • SANS.org (1 April 2003). System Security Plan.
  • Whitman, M. E., & Mattord, H. J. (2010). Management of Information Security (3rd ed.). Boston, MA: Cengage Learning.
  • ISO/IEC 27001:2013, Information Security Management Systems.
  • National Cyber Security Centre (NCSC). Cyber Assessment Framework.
  • Internal Revenue Service (IRS). Publication 4557: Safeguarding Taxpayer Data.
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
  • Center for Internet Security (CIS). CIS Controls.
  • Federal Information Security Modernization Act (FISMA).
  • Cybersecurity & Infrastructure Security Agency (CISA). Publications.