Saturday, February 23, 2019
Information Systems Security Essay
In today's IT world every organization has a responsibility to protect the data and sensitive information it holds. Protecting information is not the sole responsibility of security and IT staff; every individual is involved in defending the information. The risks to information security are not only digital: they involve the technology, people and processes that an organization has. These threats may present problems that are associated with confusing and expensive solutions, but doing nothing about these risks is not the solution.

The case we have been assigned today deals with physical and logical vulnerabilities and with protection against the risks and threats by applying the best controls to mitigate, avoid or transfer the risks. As the Information Security officer at a newly opened location in a busy mall, I have been asked to identify physical and logical risks to the pharmacy's operations and also to suggest remedies to avoid any huge loss to the business. The pharmacy's operations involve unique transactions that involve critical patient data, valuable medication and access to cash.

The regulations set by the government obligate a pharmacy to meet certain standards to secure logical and physical access to information systems. The pharmacy comprises 4 workstations; there is a drug storage area and an office on the premises which has a file server, a domain controller and a firewall. Three of the four workstations are placed at the counter to record and retrieve information about customer orders. The store entrance is from the mall, and the drug storage area is a securely locked location behind the front counters.
The store has a back door entry which is used by the employees and for delivery of new drugs. As an IT officer I have to protect all aspects of security, including the physical security of IT systems.

Physical security is an inherent part of information technology security. Physical security encompasses not only the area containing system hardware, but also the locations of wiring used to connect the systems, supporting services, backup provisions and any other part of the systems. Laptops and other types of mobile computing devices must also be protected from theft. The data on mobile devices is sometimes worth more than the device itself. Such devices can also be an entry point onto the network.

First, look at the physically vulnerable areas of the IT systems within the pharmacy. After identifying the company's IT assets we can surely identify the physical risks:

* Server room
* File server
* Domain controller
* Front counter workstations
* Switches/hubs

The back door, as shown in the floor plan, is used by the employees of the pharmacy and is often used for delivery of drugs. Access through this door is a physical vulnerability. Only authorized personnel should be allowed to use this door. Any unidentified entry or activity should be monitored carefully. Such an allowance can result in loss of physical devices. The server room is a highly secured area to which only IT people should be allowed; other personnel should be granted entry by seeking special approval. The door should be locked all the time to protect IT assets. The workstations at the front counters should also be locked and placed securely to avoid any theft. The caged area cannot be locked all the time; it would result in low productivity as the staff move between the store, office and front counters.
Securing the server room by locking it is the first step; surveillance makes it more effective if someone breaks into the server room. In case of an incident, one can easily bring up the video and check it for a particular time or for a particular event. A logical breach affects the network, data and software without physically affecting the hardware. One of the problems with any logical breach of security is that the damage is invisible and its extent is unknown (Georgia Institute of Technology). As described in the book, vulnerabilities are found in all seven domains of the network:

* User Domain
  * Lack of awareness of security policy
  * Accidental acceptable use policy violation
  * Intentional malicious activity
  * Social engineering
* Workstation Domain
  * Unauthorized user access
  * Malicious software introduced
  * Weaknesses in installed software
* LAN Domain
  * Unauthorized network access
  * Transmitting private data unencrypted
  * Spreading malicious software
* LAN-to-WAN Domain
  * Exposure and unauthorized access of internal resources to the public
  * Introduction of malicious software
  * Loss of productivity due to Internet access
* WAN Domain
  * Transmitting private data unencrypted
  * Malicious attacks from anonymous sources
  * Denial of service attacks
  * Weaknesses in software
* Remote Access Domain
  * Brute-force attacks on access and private data
  * Unauthorized remote access to resources
  * Data leakage from remote access or lost storage devices
* System/Application Domain
  * Unauthorized physical or logical access to resources
  * Weaknesses in server operating system or application software
  * Data loss from errors, failures, or disasters

(Kim, 2012)

Systems and data could be vulnerable due to a physical breach, where an intruder affects any system or node by uploading some invisible malicious code onto one of the computers. Usually a logical breach results from unauthorized access to the system/network.
The users at the front desk should be given access to the information they need to perform their job on a need-to-know basis. Every workstation is capable of reaching sensitive information. Access to any machine could lead to a confidential information breach. All users are required to use their authentication credentials to access information on the network. A strong password is required by the policy outlined by the IT department. Logical vulnerability deals with anything to do with computer software or the network other than the physical network. People are the weakest link in the whole chain. They are the biggest threat to the IT network: any user could compromise the system without even knowing the result of his/her actions. Users using personal devices on the enterprise network is the biggest threat of all. Use of personal media should be strictly prohibited because it could bring in malicious code which gives hackers access to break into the network and steal confidential information. A weak password also helps intruders disguise themselves as the legitimate user and access the information to compromise the network. Software and antivirus updates are also important; if they are not done on time, it can lead to a breach. Physical threats and vulnerabilities can result in a huge loss in revenue and confidential information leakage.

As mentioned above, any physical vulnerability can result in loss, such as theft of equipment or a device plugged in to attack remotely or record data. We often overlook printers in network security; most printers nowadays store information in built-in memory before printing. If somebody walks out with the printer, the information in the printer's memory can be accessed easily.

Figure 1: Key Logger

As shown in the picture, there is a small device which is a key logger.
If any personnel (internal or external) have access to the assets of the company, they can install such a device, which will not be found without careful examination. Such devices can log the keystrokes, which will open a door for attackers to get access to information at all times.

Figure 2: Threats & Potential Impact

The picture above is self-explanatory: if the network is physically or logically vulnerable, any attacker can break in, which can lead to the impact mentioned above. In the case of a pharmacy, where it is required by law to take extra care of customers' confidential information, no risks can be taken. If the network is compromised due to a physical or logical vulnerability, the attacker can disrupt the whole business. A disgruntled employee can cause a DoS which will bring down the network, resulting in delayed orders and low productivity. Vulnerabilities can also cause loss of information, loss of customer privacy, and legal liability due to leakage of confidential information, which is governed by HIPAA. Above all there is reputation among customers: it is very difficult to regain customers' confidence once it is lost because of an event. To identify and deal with risks, we are going to take the same approach as defined in the book. After carefully examining the risks, we are going to analyze the impact, and based on the impact we will adopt a strategy either to mitigate, transfer, avoid or accept the risks.

Figure 3: Risk Management Process

To deal with the physical risks identified above, the best strategy would be to mitigate them, or to transfer them in case of any event. A number of steps are suggested to mitigate the risk due to physical vulnerability. The back door is used by employees only. The server room is always locked, and without prior permission no one other than IT personnel can enter it. All IT assets have been locked securely to avoid any theft. Surveillance is also part of our strategy to mitigate any risks.
The risk transfer strategy comes into play if anything happens to IT assets. Based on the value of the assets, most of them are covered under insurance. But data is such a valuable asset of the company that no insurance can cover the loss from data theft. After evaluating the logical vulnerabilities, I am going to suggest a risk mitigation and risk acceptance strategy. Increasingly complex variations of malicious attacks are continuously being introduced and can sometimes spread widely before protection software companies deliver the latest detection strings and solutions (Standard for Technology in Automotive Retail, 2012). The first step would be to mitigate the risks at any cost, but since people are the weakest link in the whole IT security scenario, they tend to do things unintentionally which compromise security. Based on these facts I have also suggested the risk acceptance strategy. This fact is known by most businesses, but they still accept it because they cannot perform any operations without manpower. The staff working at the front desks or any employee at the pharmacy could use personal media which could lead to an attack. A weak password can also help attackers use a logic bomb technique to guess the password. Strong administrative control is required to avoid such incidents.

Some of the suggestions to mitigate the logical vulnerabilities:

Security Awareness: as mentioned above, people are the weakest link in IT security. User awareness of virus control is the most effective instrument to control it. In the awareness programs they should be reminded that data should be received from trusted sources. If they receive files from an untrusted source, the files should not be opened. Media should be approved by the IT department before use.

Patch Management: the latest patch protects the system against the latest viruses. It is a process that updates the vulnerable areas at the application level.
Hackers usually use the flaws and weak points in the system and exploit them to get onto the network. The software OEM issues a new update to fix the issue; Windows and antivirus automatic updates are common examples of such patch management. Most organizations do not allow automatic updates due to interference with current operations. They usually test the patch in a test environment before replicating it to production nodes.

Anti-virus scanners: these products scan files, e-mail and instant messaging programs for signature patterns that match known malicious software. Since new viruses are continually emerging, these products can only be effective if they are regularly updated with the latest virus signatures. See your product manual for instructions on how to activate this. Anti-virus scanners can be positioned on gateways to the network and/or on network hosts. Anti-virus scanners need to be updated frequently to be effective. Therefore, the regularity and method of update are criteria that need to be considered when selecting anti-virus products.

The first line of defense against any physical and logical threats is administrative controls. These are the policies prepared and approved by management for staff to comply with. In the pharmacy's case, strict policies are suggested to meet regulatory compliance (HIPAA). First of all, physical access to the premises, especially from the back door, needs to be secured. A policy of entering the building using a swipe card or smart token is mandatory, which is a control to prohibit any unauthorized access. The IT room is also protected by a digital lock which can only be opened by entering the correct password combination. IT devices cannot be moved out without prior approval from management on a prescribed form. Another preventive control is to disable all removable media on the systems at the front desk. The USB/serial ports are disabled, and use can only be granted on special approval.
To control logical vulnerabilities I have suggested a mix of administrative, detective, preventive and corrective controls. All users are required by policy to use strong passwords: the password must contain one capital letter and one symbol/numeric value. The total length should be between 8 and 20 characters. Users are required to change the password every 30 days, and they cannot reuse any of their 10 previously used passwords. Users are also cautioned not to write passwords down. Most of the employees have role-based access to IT systems. All front desk employees go straight to the application required to book patient orders. They cannot open or use personal email on the systems. Access to the internet is controlled by the web application filter, which only allows users to visit pre-approved sites required to manage operations. All systems have the latest updated antivirus software, which does not allow any infected file to execute. The best strategy to deal with it is preventive. Similarly, to prevent any intruder in the network, an IDS is deployed to monitor any unusual activity. Backing up data at regular intervals makes it possible to continue the business in case of any breakdown due to malicious activity. The data is backed up with only the last changed items every 4 hours. As mentioned earlier, patient data is highly confidential; any loophole can result in legal liabilities.
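The password rules stated above (one capital letter, one symbol or digit, 8 to 20 characters, rotation every 30 days, no reuse of the last 10 passwords) are concrete enough to enforce in code. The following is an added example written for this page, not the pharmacy's own software or any particular directory product; the class and function names are assumptions, and the password history is kept as salted PBKDF2 hashes so that reuse can be checked without ever storing old passwords in clear.

```python
"""Enforce the essay's password policy: complexity, 30-day age, no reuse of last 10.

Added example; names (PasswordHistory, validate_new_password, ...) are assumptions.
"""
import hashlib
import os
import re
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 8, 20      # total length between 8 and 20 characters
MAX_AGE_DAYS = 30             # users must change the password every 30 days
HISTORY_SIZE = 10             # the last 10 passwords may not be reused
PBKDF2_ROUNDS = 50_000        # kept modest for the example; raise for production use


def _hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the history never holds a reusable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_violations(password):
    """Return a list of policy violations for the candidate password (empty if compliant)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least one capital letter")
    if not re.search(r"[^A-Za-z]", password):          # any symbol or digit counts
        problems.append("needs at least one symbol or digit")
    return problems


class PasswordHistory:
    """Per-user record: salted hashes of the last HISTORY_SIZE passwords and the last change date."""

    def __init__(self):
        self.entries = []          # list of (salt, hash), oldest first
        self.last_changed = None   # datetime of the most recent change

    def is_reused(self, password):
        """True if the candidate matches any of the retained previous passwords."""
        return any(_hash(password, salt) == digest for salt, digest in self.entries)

    def record(self, password, when):
        """Store the new password's hash and trim the history to HISTORY_SIZE entries."""
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-HISTORY_SIZE:]
        self.last_changed = when

    def is_expired(self, now):
        """True when the password is older than MAX_AGE_DAYS (or was never set)."""
        if self.last_changed is None:
            return True
        return now - self.last_changed > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(history, password):
    """Combine complexity and reuse checks; an empty list means the change is allowed."""
    problems = complexity_violations(password)
    if history.is_reused(password):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    # Constructed walk-through for one front-desk account.
    history = PasswordHistory()
    history.record("Counter#01", datetime(2019, 2, 23))
    for candidate in ["Counter#01", "counter02", "Counter#02"]:
        print(candidate, "->", validate_new_password(history, candidate) or "OK")
    print("rotation due on 2019-03-26:", history.is_expired(datetime(2019, 3, 26)))
```

The expiry check is deliberately separate from the complexity check: the first runs at logon (to force a change after 30 days), the second only when a new password is being set. Storing only salted hashes in the history is what makes the "no reuse of the last 10" rule safe to implement; a history of plaintext passwords would itself be a confidential-data leak.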
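The backup scheme described above (only the items changed since the last run, every 4 hours) is an incremental backup. The script below is an added example for this page, not the pharmacy's backup tooling: it records the time of the last run in a small state file (the file name and the function names are assumptions), copies only files modified since that time into a timestamped folder, and preserves modification times so the next run compares against the same clock. Scheduling it every 4 hours is left to the operating system's scheduler.

```python
"""Incremental backup: copy only files changed since the last run (added example).

The state file name, directory layout and function names are assumptions made for
this illustration and are not taken from the page.
"""
import json
import shutil
import time
from pathlib import Path

STATE_FILE = "last_backup.json"   # assumed: lives in the backup root, holds the last run time


def read_last_run(backup_root):
    """Return the epoch time of the last completed run, or 0.0 if no backup exists yet."""
    state = Path(backup_root) / STATE_FILE
    if state.exists():
        return float(json.loads(state.read_text())["last_run"])
    return 0.0


def changed_since(source, since):
    """Yield files under source whose modification time is at or after `since`.

    `>=` rather than `>` prefers copying a file twice over missing one that was
    written in the same second the previous run started.
    """
    for path in Path(source).rglob("*"):
        if path.is_file() and path.stat().st_mtime >= since:
            yield path


def incremental_backup(source, backup_root, now=None):
    """Copy changed files into backup_root/<timestamp>/ and advance the state file.

    Returns the sorted list of relative paths that were copied.
    """
    source, backup_root = Path(source), Path(backup_root)
    if backup_root.resolve().is_relative_to(source.resolve()):
        raise ValueError("backup root must not be inside the source tree")
    # Capture the run time before scanning: anything modified during the scan has an
    # mtime >= now and will be picked up by the next run instead of being lost.
    now = time.time() if now is None else now
    since = read_last_run(backup_root)
    dest = backup_root / time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    copied = []
    for path in changed_since(source, since):
        rel = path.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)    # copy2 keeps the original mtime on the copy
        copied.append(rel.as_posix())
    backup_root.mkdir(parents=True, exist_ok=True)
    (backup_root / STATE_FILE).write_text(json.dumps({"last_run": now}))
    return sorted(copied)


if __name__ == "__main__":
    # Constructed demo on a temporary tree; real use would point at the file server share.
    import os
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    share, backups = tmp / "share", tmp / "backups"
    (share / "orders").mkdir(parents=True)
    (share / "orders" / "20190223.txt").write_text("order data")
    (share / "inventory.csv").write_text("sku,qty")
    print("first run :", incremental_backup(share, backups))
    time.sleep(1.1)
    (share / "inventory.csv").write_text("sku,qty\n123,4")
    print("second run:", incremental_backup(share, backups))
```

A full backup (the first run, when no state file exists) plus a chain of these incremental folders is what restoration replays after an incident; the 4-hour interval bounds how much order data can be lost to a malicious deletion or a failed disk. `Path.is_relative_to` requires Python 3.9 or later.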