
Cobit Security Checklist


Author: anton, 18 November 2010

Security Checklist for the XYZ Company

1. PO1.3 Assessment of Current Capability and Performance

2. PO2.3 Data Classification Scheme

3. AI6.1 Change Standards and Procedures

4. DS4.1 IT Continuity Framework

5. DS5.2 IT Security Plan

6. DS5.3 Identity Management

7. DS5.5 Security Testing, Surveillance and Monitoring

8. DS5.9 Malicious Software Prevention, Detection, and Correction

9. DS5.10 Network Security

10. ME1.3 Monitoring Method

Supporting Explanation for Check-list Item Number 1

The first step in a security checklist for XYZ Company is COBIT PO1.3, an assessment of the current capability and performance of solution and service delivery. The assessment should measure IT’s contribution to business objectives, functionality, stability, complexity, costs, strengths, and weaknesses. While this assessment will be useful for security purposes, all areas of IT can use it because security capabilities are a subset of overall IT capabilities. It will provide a baseline against which to compare future changes. Since XYZ is not a new company, it must have existing infrastructure and services in place. Having a baseline is therefore advantageous because it will allow IT to show tangible improvements to executives, which will help procure financing for future IT endeavors.

Assessing current capabilities will also prevent them from building solutions from scratch when a similar one already exists. By reducing re-work, XYZ can use their funds to the utmost effect. Another side effect of the assessment will be groundwork for the identification of the company’s information assets, which will be important in future steps such as data classification. According to COBIT, the assessment should also measure IT's strengths and weaknesses. Some of the weaknesses will undoubtedly be security related and give XYZ Company areas on which to focus improvements.

To accomplish the assessment, IT will have to interview people across the enterprise. In XYZ Company’s case, this will include manufacturing facilities, suppliers, and its university research centers. Additionally, IT will perform customer surveys for its website and other sales channels. External auditing of the findings is not necessary because there is little motivation for employees to overstate capabilities. If they do, their resulting targets will be unreachable and they will underperform later. If they understate their capabilities, they will be chided for current inefficiencies. Thus, the overall assessment should be accurate. The most cost-effective way to aggregate the data will be through a database, on which analysts can perform queries later. IT personnel will also have to travel to the locations to assess the security capabilities, as getting accurate security assessments from non-security personnel will be difficult. This will probably be the most expensive facet of the assessment.

This assessment is recommended for XYZ Company because they have a complex value chain as well as multiple sites. Their sales through multiple channels have created the opportunity for fragmented information systems across sites. Additionally, the universities where they conduct offsite research will undoubtedly have their own security procedures. This creates the opportunity for nonconforming security practices, including ones of which IT may not even be aware. Documenting all these procedures is important in developing a comprehensive enterprise-wide security plan, as fixing unknown weaknesses is virtually impossible. Creating the security plan is covered in a later checklist item.

Supporting Explanation for Check-list Item Number 2

After completing the assessment of current capabilities, the next step is to establish an enterprise-wide classification scheme, as outlined in COBIT PO2.3. Classifications should represent the criticality and sensitivity of the information. The assessment of capabilities should provide a good starting point, as the company has already identified all information-based processes. Classifying the information assets is important because all companies have limited resources. If XYZ Company tried to apply the same security procedures across all its information assets, the costs would be exorbitant. Past press releases, for instance, do not warrant the same protection as the herbal formulas, so spending the same money to secure them is not prudent. The classification scheme will allow XYZ to spend only what is necessary to secure its information assets. Another important aspect of the classification scheme is identifying the information assets’ owners. IT will then have a contact who will prove valuable should anything befall the asset.

To accomplish this classification, the recommended tool is an information asset table. This way, there is a single place where all the assets are recorded. A simple database would provide the most efficient way of determining which assets have characteristics in common. Items such as herbal supplement formulas, customer credit cards, and products under development would have the highest value, both in terms of direct loss and of total loss, which includes the potential loss from a tarnished corporate image. Three groups for asset value are common: high, medium, and low. While more groups may add granularity, they will also create additional employee confusion as to which category the information belongs in. The Compliance and Risk department should be ultimately responsible for collecting the data; however, the CEO, CIO, and other executives should be consulted and accountable for its contents.

To make the task of cataloging all the assets manageable, one way is to approach it as two separate logical pieces. The first is enterprise applications, an example of which would be the inventory management application at XYZ’s factories. The inventory management application is important because it allows the factory to operate more efficiently. Another example is the instructions for the machines that package the supplements. The instructions to operate the machines are more valuable because without them, XYZ cannot produce any products, which is its only source of revenue. The best way to obtain information on enterprise applications is to interview the application administrators, since they are the most intimately involved with them. The second logical section of information assets is the individual files on employees’ computers. This type will be most prevalent in areas where group work is common, such as research at the universities or sales teams. The best way to obtain this information would be through a survey of all knowledge workers in the organization. Anyone who works with knowledge such as sales, research, or management should be surveyed regarding their information assets.

Throughout the process of classifying the assets, one question that might arise is what granularity should be cataloged in the table. The easiest way to determine how specific the table should be is to ask whether the entire item should be available to anyone who can access it. For instance, should everyone who is able to view customer information be able to see customer credit cards? Since the answer is no, it follows that a customer record is recorded separately from credit card information on the asset table, because the two will have separate classifications and thus separate security requirements.

Once this information has been collected, the next step is to determine any discrepancies between who can access the assets and who should be able to access them. IT must look at this information from both the benign employee and malicious hacker perspectives. This will provide places to focus later security efforts. By plotting the value of the asset against the ease of damaging the asset, the organization can determine which have the highest priority.
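The following is an added example, not part of the essay, of the asset table and the discrepancy check described above: each asset carries an owner, a High/Medium/Low classification, the roles that should have access, and the roles that currently can. The value-times-ease-of-damage score orders the gaps. Every asset name, role and access list is constructed for illustration.

```python
"""Added example (not from the essay): a minimal information asset register
with a High/Medium/Low classification, asset owners, and a check that
compares who *can* access each asset against who *should*.  All asset
names, roles and access lists below are constructed for illustration.
"""
from dataclasses import dataclass

# Numeric weight for each classification tier; used for prioritisation.
CLASS_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    name: str
    owner: str                 # accountable contact for the asset
    classification: str        # "high", "medium" or "low"
    should_access: set         # roles whose job requires access
    can_access: set            # roles that currently have access
    ease_of_damage: int        # 1 (hard) .. 3 (easy) to damage or leak


def access_discrepancies(asset):
    """Return (excess, missing): roles with access they should not have,
    and roles that need access but lack it."""
    excess = asset.can_access - asset.should_access
    missing = asset.should_access - asset.can_access
    return excess, missing


def priority_score(asset):
    """Value of the asset times how easily it can be damaged; higher first."""
    return CLASS_WEIGHT[asset.classification] * asset.ease_of_damage


def prioritised_gaps(assets):
    """List assets that grant excess access, most urgent first."""
    rows = []
    for a in assets:
        excess, _ = access_discrepancies(a)
        if excess:
            rows.append((priority_score(a), a.name, sorted(excess)))
    return sorted(rows, reverse=True)


# Constructed sample register.  Customer records and customer card data are
# separate rows because they carry different classifications.
REGISTER = [
    Asset("supplement formulas", "Head of R&D", "high",
          {"research", "executive"}, {"research", "executive", "accounting"}, 2),
    Asset("customer card data", "Finance Director", "high",
          {"payments"}, {"payments", "sales", "support"}, 3),
    Asset("customer records", "Sales Director", "medium",
          {"sales", "support", "payments"}, {"sales", "support", "payments"}, 2),
    Asset("past press releases", "Marketing", "low",
          {"marketing", "sales", "everyone"}, {"marketing", "sales", "everyone"}, 1),
]

if __name__ == "__main__":
    for score, name, roles in prioritised_gaps(REGISTER):
        print(f"[{score}] {name}: remove access for {roles}")
```

The register deliberately records the roles that should have access next to the roles that do, so the least-privilege gap falls out of a set difference rather than a manual review.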

Completing the assessment of the capabilities is important for XYZ Company for several reasons. First, as a retailer, their corporate image is crucial to their marketability. If they do not secure customer data customer confidence will wane, which will significantly affect future profitability. Second, because they develop new supplements, their research is business critical. Since they are spread across multiple locations, a central repository for the information assets is the best solution for XYZ to prevent confusion and loss of information. This way, all assets can be secured appropriately.

Supporting Explanation for Check-list Item Number 3

Another important item for XYZ’s security checklist is COBIT AI6.1, which specifies formal change management procedures that allow XYZ to handle change requests in a standardized manner. Formal procedures would create oversight during the change process, which would prevent a single person from being the only one with system knowledge. It would also provide oversight when granting access to secured resources, minimizing errors and improper access levels. Standardizing changes is also important in ensuring an audit trail, which can be used if there is a system failure or a security breach. This way, systems can be restored to the working specifications quickly and easily. Since XYZ is a web retailer with customer information potentially exposed over the Internet, it is important for any changes to firewall or server configurations to be reviewed by several qualified people. A change process would ensure this oversight occurs.

The CareGroup case is an excellent example of a healthcare organization that did not have formal change procedures and ended up with an out-of-spec network. When an overload occurred, it collapsed. Then, because they did not know what changes had been performed, they had to rebuild a large portion of their core network. It took them a long time to understand the root cause of the collapse. In order to prevent a similar situation from happening to XYZ Company, formal change procedures should be enacted.

The first step is to organize a task force to design the procedures. The task force should include at least the CIO, IT personnel, and system owners. Their goal should be to decide what and how changes should be tracked. Functionally, the system should include a centralized repository to store all the change information. The repository will prevent changes from being overlooked and eliminate excuses regarding lost paperwork. Since configuration changes will be made by security personnel, a fancy graphical front-end for the repository is not immediately necessary. However, a GUI that automatically forces approvals and rules based on the action would make the repository much more effective.

A multi-tiered change process is recommended, requiring different approvals depending on the change’s severity. This would allow the lowest-risk changes to still be tracked, but not encumber employees with an overcomplicated review process. The most critical changes, such as those to enterprise-wide security devices, will require a more involved approval process. This will prevent catastrophic configuration errors. One required procedure for an enterprise-level change process is testing. Creating a test environment, and enforcing its use through the system, would provide XYZ with a powerful tool to ensure the change has its intended effect. The system will also enforce proper documentation and post-audits for critical changes.
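As an added example (not the essay’s own material), the tiered approval rules above expressed as a small policy check: each tier states how many independent approvals a change needs and whether a recorded test-environment run is required, and changes that touch enterprise security devices are raised to the critical tier whatever tier the requester claimed. The tier names, device names, roles and sample requests are all constructed.

```python
"""Added example (not the essay's own code): a policy-as-code check for a
multi-tiered change process.  Tier names, the list of critical targets and
the sample change requests are constructed for illustration.
"""
from dataclasses import dataclass, field

# Per-tier rules: distinct approvals required, whether a test run must be
# recorded first, and whether a post-implementation audit is mandatory.
TIER_RULES = {
    "low":      {"approvals": 1, "test_required": False, "post_audit": False},
    "standard": {"approvals": 2, "test_required": True,  "post_audit": False},
    "critical": {"approvals": 3, "test_required": True,  "post_audit": True},
}

# Enterprise-wide security devices are always treated as critical.
CRITICAL_TARGETS = {"perimeter-firewall", "vpn-gateway", "domain-controller"}


@dataclass
class ChangeRequest:
    change_id: str
    target: str
    requested_tier: str
    requester: str
    approvers: set = field(default_factory=set)
    tested_in: str = ""      # name of the test environment used, "" if none


def effective_tier(req):
    """Raise the tier for changes touching enterprise security devices."""
    if req.target in CRITICAL_TARGETS:
        return "critical"
    return req.requested_tier


def evaluate(req):
    """Return (approved, reasons).  Every failed rule is listed so the
    central repository records why a change was held back."""
    tier = effective_tier(req)
    rules = TIER_RULES[tier]
    reasons = []
    # A requester may not count as one of their own approvers.
    independent = req.approvers - {req.requester}
    if len(independent) < rules["approvals"]:
        reasons.append(f"{tier} tier needs {rules['approvals']} independent "
                       f"approvals, has {len(independent)}")
    if rules["test_required"] and not req.tested_in:
        reasons.append(f"{tier} tier requires a recorded test-environment run")
    return (not reasons), reasons


def audit_record(req):
    """The entry that would be written to the change repository."""
    ok, reasons = evaluate(req)
    tier = effective_tier(req)
    return {"change": req.change_id, "tier": tier, "approved": ok,
            "post_audit_required": TIER_RULES[tier]["post_audit"],
            "reasons": reasons}


# Constructed sample requests.
SAMPLE = [
    ChangeRequest("CHG-001", "intranet-wiki", "low", "alice", {"bob"}),
    ChangeRequest("CHG-002", "perimeter-firewall", "low", "alice",
                  {"alice", "bob"}),
    ChangeRequest("CHG-003", "perimeter-firewall", "critical", "alice",
                  {"bob", "carol", "dave"}, "staging"),
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(audit_record(req))
```

Note that CHG-002 is held even though its requester labelled it "low": the target decides the tier, and the requester’s own approval is not counted.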

Another area covered by change procedures is patch management. Since XYZ has multiple facilities and allows employees to access the Internet, it is imperative that operating systems and software be kept up to date to prevent hackers from exploiting known vulnerabilities. Keeping the software up to date will make it difficult for “script kiddies” to penetrate the systems, drastically narrowing the field of would-be hackers. The multitude of patches and disparate locations make a change management system necessary to manage systems’ patch states efficiently. Tracking patches without a change management system would be extremely labor intensive and would slow down compliance.

The change standards and procedures are important for XYZ Company because they have many configurable network and security devices. Without procedures for changes to these devices, they may run an insecure, unstable configuration due to the mistake of one operator. The standards mitigate this risk by requiring multiple approvals. Since they have a VPN for executives and researchers, web servers for their online retail site, and wireless access points, they have many different devices that will require patches, updates, and configuration changes. The change procedures and centralized repository will make all these changes manageable.

Supporting Explanation for Check-list Item Number 4

COBIT DS4.1 specifies an IT continuity framework to support enterprise-wide business continuity management; this is also important for XYZ Company. A continuity framework has several facets. First, it assists in determining the required resilience of IT infrastructure and drives the development of disaster recovery and contingency plans. Second, it contains the roles and responsibilities of service providers and management with regard to documenting, testing, and executing the contingency and recovery plans. Last, it should identify critical resources and their dependencies.

Continuity is very important for any retailer, especially one that operates over the Internet. Since XYZ also sells through conventional channels, it has slightly more flexibility in IT continuity than a web-only retailer, but the website’s contribution to total revenues is unknown. Regardless, losing one of its sales channels would damage the company’s profitability, so continuity planning is necessary. Since IT is involved in the communication between manufacturing facilities and headquarters, contingencies for this link are important in case it ever goes down. In addition, customer data must be protected. Since herbal supplements are usually a recurring purchase for customers, reminding and marketing to existing customers is a key source of revenue, and so this data must be preserved. Last is research information; while the timeliness of restoring it is not as critical, it must be preserved so that the company’s R&D investments are not wasted.

The first step in specifying a continuity framework is to consult the information asset table assembled during the earlier checklist items, which contains each asset’s value and classification. This will provide a basis for determining how much to spend on continuity. Some systems require an immediate return to operation, even though their source data may not be restored until later; other systems can afford a longer downtime, as long as information is not lost. For example, XYZ’s quarterly financial information is needed to close the books at year-end, but it is not immediately required following an outage. Research formulas fall into the same category. For this information, it is recommended that the company send backups offsite to a safekeeping facility. Since the backups will be leaving the site, they should be encrypted to protect the data. Although it will take longer to retrieve the data, the company is assured that it can be retrieved. The opposite example is the website. If it is not available, a portion of the company’s revenues will cease, endangering XYZ’s viability. Thus, it is imperative to get the system operational as soon as possible. For these systems, a parallel redundant system is recommended. One way to accomplish this would be to house web servers at multiple datacenters. This way, if there is an outage at one center, XYZ Company can seamlessly load balance operations over to the other data center. Since redundant systems are expensive to implement and maintain, limiting their use to the immediately needed systems is advisable.

Once a continuity plan has been created for all the systems and data, the next step is to run regularly scheduled tests to verify the efficacy of the plan. Creating mock outages will assist in the discovery of potential issues with the recovery plan. For instance, requiring an individual to perform two tasks simultaneously or performing restores with data not yet available from offsite storage are both issues that testing would uncover. Testing will also uncover problems arising from system changes during the intervening time between plan creation and testing. Since a business is a dynamic entity, these changes are inevitable and uncovering them is critical to the viability of the continuity plan. Another vital test to run is a restore test on the backup media. It is common for businesses to feel secure because they have backups, only to discover that the backups are corrupt when they are needed. To prevent XYZ from experiencing this, regular test restores of backups should be performed.

This solution is recommended for XYZ Company because they have many types of data and systems. They are large enough to conduct research and development with universities, so it can be inferred that they have significant regulatory financial reporting requirements. To ensure they meet these obligations, they will require offsite hardened storage facilities. In addition, they do not have the resources to have redundant systems everywhere, so determining the systems whose operation is most vital will allow business to continue after a catastrophe. Businesses that operate on the Internet, like XYZ, must remain available to customers to sell their products. Almost half of companies never recover from disasters, so an investment in a continuity framework will help when the inevitable disaster does occur.

Supporting Explanation for Check-list Item Number 5

Another checklist item for XYZ Company is COBIT DS5.2, which requires the formulation of an overall security plan that takes into account the infrastructure and security culture. It must encompass the business, risk, and compliance requirements. The plan must then be implemented and communicated to stakeholders and users.

The security plan is important because it is the supporting documentation for the security culture. The culture determines whether security is seen as overhead or as an integral part of the organization. If executives view security as overhead, it will be very difficult to get funding for ongoing security initiatives. Another risk is that when finances are tight, security measures may be among the first items cut from the budget, since they are viewed as a cost center. This short-term reasoning will lead to future problems. There is also a tendency for management to push to complete projects quickly, regardless of the security measures in place. An insecure new product may compromise all the other security investments throughout the organization.

Another risk derived from not having a corporate culture focused on security is the circumvention of change procedures. An earlier checklist item demonstrated the need for formal change procedures. However, without corporate culture backing up those procedures, employees may be allowed or even encouraged to fix a problem quickly without documenting their changes. This makes the change procedures useless, even harmful, because the organization believes they can utilize the benefits of the change repository when in fact the information contained within it is incomplete. Additionally, in the rush to fix a problem, an unapproved change might expose the entire network.

Developing a corporate culture where security is a central theme is not an easy task. The decision to do so must come from the top of the organization. However, before the culture can be disseminated, the company must develop a security plan. Getting executives involved in the security plan is crucial. While its responsibility lies with the compliance officer, the CIO, CFO, and business process owners must also be consulted. An effective plan must call for appropriate investments in personnel, software, and hardware. In terms of personnel, XYZ will have to hire a company to perform external vulnerability scans since they accept credit card payments via their website. This review is specified in the Payment Card Industry Data Security Standard. In addition, consultants may need to be hired for change reviews to network devices. The redundant systems specified in the backup procedures section will also have to be implemented. All of these items, and more importantly, the willingness to undertake their expense, must be in the security plan.

Once complete, the security plan must be communicated to the organization. This is another critical step, because an excellent security plan kept in executives’ drawers until a disaster occurs will not help the organization. The security plan must be communicated to employees, and parts of it even to customers. They must know that XYZ is serious about security. Suggestions for disseminating the plan include a yearly corporate security class that must be completed by all employees, as well as integrating it into new-hire training. A security policy on the website will communicate the company’s intentions to customers.

Creating a security plan is important for XYZ Company because their overall security is dependent on employees in all areas of the vertically integrated organization—from research and development to manufacturing to retail sales. Unless all of the employees at their various locations know the importance of security to the organization, no amount of technology will help their security. Their acceptance of credit cards also necessitates audits and other security requirements. The security plan can help them fulfill these obligations.

Supporting Explanation for Check-list Item Number 6

Checklist item six is COBIT DS5.3, which calls for identity management with a centralized repository. Organizations should ensure that all users and their activities on IT systems are uniquely identifiable. It also calls for users’ access rights to be approved and in line with business needs.

This item is important because it serves two functions. First, it prevents users from accessing resources without authorization. This includes internal users, such as an employee in accounting accessing drug formulas, something his or her job description clearly does not require. It also includes user authentication, which prevents external users, such as hackers, from accessing corporate resources. Since XYZ Company has a wireless network at one of its manufacturing facilities and at the corporate headquarters, identity management can be one line of defense against external wireless users accessing internal resources. This topic will be covered in greater depth in a later checklist item.

Second, identity management provides accountability by having a legally enforceable, non-repudiatable assurance that the user performing a given action is indeed the authenticated individual. Identity management can discourage some system misuse, since employees know there will be an audit trail and cannot repudiate their identity. The accountability can also be used for electronic document signing, thus eliminating paper storage hassles. For example, the required signatures can be obtained electronically for a firewall configuration change, saving the employee from having to physically locate all the necessary approvers, store the approval form, and produce it easily during an audit. This convenience will translate into increased worker productivity.

The most cost effective way to realize the benefits of identity management is first to consolidate all users into one repository, such as Microsoft’s Active Directory. Existing applications may need modification to pull authentication from this source. Using Active Directory with Kerberos makes it easy to authenticate users within the company by allowing devices that trust the server to trust other devices authenticated with the same Kerberos server.

Next, to increase the assurance that the person authenticating is the authorized person, XYZ should add multifactor authentication. Adding something you are, such as a biometric, to the existing password system, which uses something you know, will greatly increase security. Since malicious users can guess or brute-force passwords, adding the additional assurance of a fingerprint scan would make it much more difficult to gain entry. Fingerprint scanners are desirable because the company has many employee touch points; implementing iris scanning at every terminal would therefore not be practical. Fingerprint scanners have come down in price significantly in recent years, and many computer manufacturers are even including them on laptops. The swipe type of scanner is preferable because it reduces the likelihood that someone can use the residual fingerprint from a previously authorized user to gain access.

There are also alternatives to biometrics, such as a public key infrastructure (PKI). One notable implementation of this system is Johnson and Johnson. The initial investment in the keys may be cheaper than fingerprint scanners; however, the ongoing administration headaches, specifically the revocation or replacement of keys, would eventually outweigh the cost difference. Biometrics alleviate these concerns because fingerprints cannot be misplaced. Systems store the results of a one-way algorithm on the fingerprints rather than the actual fingerprint, mitigating privacy concerns. Additionally, removing a user’s prints from the single repository is much easier than collecting a key. Thus, multifactor authentication with biometrics is a viable alternative to PKI.

To enable user actions to be legally enforceable and non-repudiatable, XYZ should enable the IPsec Authentication Header (AH) for all networked devices. This will provide proof that transmissions are from the originating parties and have not been tampered with, thus enabling the aforementioned electronic signatures. IPsec AH prevents the checksum in the packet header from being spoofed.
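To make the integrity mechanism concrete, here is an added example (not from the essay) of a simplified model of the AH integrity check value: the sender computes a keyed hash over the packet with the mutable hop-limit field zeroed, and the receiver recomputes it to detect altered payloads, forged source addresses or replayed packets. Real AH covers the full IP and AH headers, zeroes every mutable field and, with HMAC-SHA-256, truncates the ICV to 128 bits; this model keeps only a handful of header fields. The shared key, addresses and payloads are constructed.

```python
"""Added example (not from the essay): a simplified model of the IPsec AH
integrity check value (ICV).  Only a few header fields are modelled; the
key, SPI, addresses and payloads are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress

ICV_LEN = 16  # AH with HMAC-SHA-256 carries a 128-bit truncated ICV


def _authenticated_bytes(packet):
    """Serialise the fields the ICV covers.  The hop limit (TTL) changes at
    every router, so AH treats it as zero when computing or checking the ICV."""
    return b"".join([
        ipaddress.ip_address(packet["src"]).packed,
        ipaddress.ip_address(packet["dst"]).packed,
        b"\x00",                               # TTL zeroed: mutable field
        packet["spi"].to_bytes(4, "big"),       # security association id
        packet["seq"].to_bytes(4, "big"),       # anti-replay sequence number
        packet["payload"],
    ])


def compute_icv(key, packet):
    digest = hmac.new(key, _authenticated_bytes(packet), hashlib.sha256).digest()
    return digest[:ICV_LEN]


def send(key, spi, seq, src, dst, payload, ttl=64):
    """Build an outbound packet with its AH integrity check value attached."""
    packet = {"src": src, "dst": dst, "ttl": ttl, "spi": spi,
              "seq": seq, "payload": payload}
    packet["icv"] = compute_icv(key, packet)
    return packet


def verify(key, packet):
    """Receiver-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(compute_icv(key, packet), packet["icv"])


class Receiver:
    """Accepts only packets with a valid ICV and a sequence number above the
    last one seen, so a captured packet cannot simply be replayed.  (Real AH
    uses a sliding window to tolerate reordering; this version is stricter.)"""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def accept(self, packet):
        if not verify(self.key, packet):
            return False
        if packet["seq"] <= self.last_seq:
            return False
        self.last_seq = packet["seq"]
        return True


if __name__ == "__main__":
    key = b"constructed-shared-key"
    pkt = send(key, 0x100, 1, "10.0.0.5", "10.0.0.9", b"approve change 42")
    in_transit = dict(pkt, ttl=60)            # routers decrement TTL: still valid
    tampered = dict(pkt, payload=b"approve change 43")
    print(verify(key, in_transit), verify(key, tampered))
```

One caveat a practitioner should keep in mind: the ICV is a keyed MAC, so either holder of the shared key could have produced it. The check proves integrity and origin to the peer on the same security association; third-party verifiable non-repudiation, as for a legally binding signature, needs an asymmetric digital signature layered on top.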

Multifactor authentication with fingerprint scanning is desirable for XYZ Company because their product’s value is derived from patented information. They must protect their corporate secrets to remain profitable. Fingerprint scanning is the most cost-effective biometric technology available as a second authentication factor. Using multifactor authentication, XYZ can ensure that only authorized users can access resources, and that the authenticated person is the authorized user. Additionally, since they are selling herbal supplements, which are a product that people ingest, they have high exposure to lawsuits. Providing signature tracking and accountability through the IPsec Authentication Header is therefore a good solution to create a legally enforceable electronic signature. This will provide some measure of legal protection by showing XYZ has performed its due diligence.

Supporting Explanation for Check-list Item Number 7

The seventh checklist item is COBIT DS5.5, which specifies proactive IT security testing. It also specifies logging and monitoring functions that will facilitate early warnings of abnormal activities. Proactive testing can help an organization find weaknesses in its security measures before hackers find them. Testing can also assure external investors of the company’s ability to protect its secrets. In an industry where patented formulas create profitability, this is especially important. While a corporation’s image may suffer from a security breach, not knowing of the breach can be even more detrimental. Unchecked, supplement formulas could be leaked to competitors indefinitely, seriously undermining XYZ Company’s profitability. More subtly, information could be manipulated, damaging supplement formulas or deleting customer orders. The resulting customer relations issues would also damage XYZ’s bottom line. Security intrusions can bring down a company, and thus cannot be taken lightly.

The suggested method for detecting an intrusion is an intrusion detection system, or IDS. A network IDS looks for known attack signatures or other network anomalies and alerts IT personnel. However, a single network IDS provides only one layer of detection, so additional protection is necessary. A second type of IDS is a host-based intrusion detection system, which should be installed on all corporate computers. This software looks for changes to key files, such as the Windows registry, user accounts, or security policies. By pursuing a defense-in-depth strategy, the likelihood that IT will detect successful attacks increases. Early detection will allow XYZ to respond quickly and minimize the damage.
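The host-based detection of "changes to key files" described above, as an added example that is not part of the essay: a baseline of SHA-256 digests is taken for every file under a watched directory, and a later snapshot is compared against it to report added, removed and modified files. The watched directory, its files and the simulated changes are constructed in a temporary folder so the example runs offline.

```python
"""Added example (not from the essay): the core of a host-based file
integrity check.  The watched tree and the simulated changes are constructed
inside a temporary directory for illustration.
"""
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline, current):
    """Report which files were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Build a constructed system tree, baseline it, simulate unauthorised
    changes, and return what the comparison detects."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        _write(os.path.join(etc, "passwd"), "root:x:0:0\n")
        _write(os.path.join(etc, "security.policy"), "require_mfa=true\n")
        _write(os.path.join(etc, "audit.rules"), "-w /etc/passwd -p wa\n")
        baseline = snapshot(root)

        # Simulated changes an operator did not approve: an extra account
        # line, a weakened policy, a dropped audit rule file, a new service.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("svc-extra:x:1001:1001\n")
        _write(os.path.join(etc, "security.policy"), "require_mfa=false\n")
        os.remove(os.path.join(etc, "audit.rules"))
        _write(os.path.join(etc, "new-service.conf"), "enabled=true\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off the monitored host (or signed), since an intruder with write access to the host could otherwise rewrite it alongside the files it protects.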

Another suggested monitoring method is the audit of security by an independent third party. Although the consultation might be costly, it is imperative to consult experts who do not have a stake in whether the security passes muster. Security auditors may also have specialized skills that IT might not possess. Obtaining security certifications is costly and the required skills change often, so maintaining an internal expert for every security measure can be expensive. For companies that are not of sufficient scale, maintaining their own experts will not be worth the expense. Transferring the cost to an external auditor therefore makes sense.

Since IT is accustomed to maintaining and implementing security equipment, such as an IDS or firewall, they may not have sufficient experience thinking like hackers. One technique to overcome this is to employ a white-hat, or ethical, hacker to socially engineer and penetrate the company. They have the most experience available at finding weaknesses in XYZ’s security. However, in addition to the cost there are other risks in this approach. Even after verifying proper references, it is difficult for the company to guarantee the hacker will not abuse his or her power. Thus, this option should be employed with care, usually after repeated breaches of the existing system. Since this is not the case for XYZ, it is best kept as a future option.

While XYZ has a couple of manufacturing facilities and research partnerships, they are probably not of the scale to keep all the necessary security experts on salary. Since penetration testing is an important facet of security readiness, hiring external experts is the best way to accomplish the testing. It is also always a good idea to have a non-stakeholder examine security to provide a fresh, honest perspective. In addition, implementing IDSs at multiple levels will provide excellent, redundant monitoring, quickly notifying IT of any penetrations.

Supporting Explanation for Check-list Item Number 8

Checklist item eight corresponds to COBIT DS5.9, which calls for preventative, detective, and corrective measures to protect systems from malware. Common types of malware are viruses, worms, spyware, and spam. Spam is a growing problem in an email-driven business environment. The constant deluge of spam floods the email server and also serves as a delivery mechanism for other types of malware. Preventing it from reaching employees can thus help prevent virus infection. Spyware is also dangerous; it can install a keylogger on the target device. The keylogger then captures every keystroke, including users’ passwords and other sensitive corporate information. Viruses can damage system files, resulting in many IT person-hours to fix the device. In addition, they can corrupt data, which IT may not be able to restore. Worms are perhaps the most dangerous of all. They operate like viruses, but do not rely on human intervention to spread. Thus, a worm can spread throughout a network extremely quickly. All of these forms of malware warrant the attention of IT, as their cost to organizations can be great. XYZ is not unique in this area. They provide employees with access to the Internet and external email, so they have the same risks as other organizations. How they mitigate the risks will be the key to IT’s success or failure.

The first step to protect a network from malware is to educate users. Users should be aware of the dangers of opening unsolicited email, as well as common schemes used to spread malware. Teaching safe-surfing habits will also reduce the likelihood employees will download dangerous software. It will also discourage subversion of the other preventative and corrective software. If employees understand the dangers posed by these threats, they will be less likely to disable the protection mechanisms. The easiest way to disseminate this knowledge is through training classes. Requiring employees to take a class every year will reinforce the messages. It should also be integrated into the new-hire training program. Classes are a cost-effective way of teaching many people homogeneous information.

In order to reinforce the user education, a comprehensive technology use policy is needed. It should discourage users from engaging in harmful Internet activities. It should also contain a provision disallowing the installation of unauthorized programs on company devices. Clearly defining and prohibiting unacceptable, high-risk computer use such as pirated software, pornographic and gambling websites, and peer-to-peer software will allow employees to know their boundaries, as well as specify harsh penalties for policy violations.

Policies alone are not enough. In order to prevent device infections effectively, a company must implement software solutions as well. Every device should have virus protection installed on it, and it should be enabled at all times. A real-time virus scanner is the last line of defense against infection. However, it is only effective after the virus has been identified elsewhere and a signature created. For this reason, it is imperative to ensure that new virus definitions are updated quickly throughout the organization. Choosing a specialized software package, such as Symantec’s corporate version of their antivirus software, is advisable. It allows the centralized configuration of virus definition updates. Additionally, mandatory weekly scans, another recommended action, can be centrally enforced as well.

Antivirus software will stop most viruses and worms; however, it is not very effective against spyware. To combat spyware, a second type of scanner is needed. Spyware scanners look at the registry and key system files to determine if they have been altered and have signatures associated with known spyware applications. Having them on all devices is recommended. There are many anti-spyware tools such as Ad-Aware, Spybot, and Windows Defender. Windows Defender has the advantage of being bundled with the latest release of Windows, Vista. Because it does not add additional expense, XYZ should select it. Real-time scanning is also available for spyware. Integrated solutions that add spyware scanning to the already memory-resident antivirus program are available; however, in order to promote the defense-in-depth strategy, using a separate program is a better solution.

Some secondary protection against spyware and worms will come from the personal firewalls installed on every device. This software will be covered in detail in the next checklist item. The firewall software will notify users when a program attempts to send unrecognized outbound communications. This way, users can acknowledge whether the communication was expected and authorized. With proper user training, this can be an effective notification method for determining that a computer has been compromised.

A spam blocker is also important to prevent the spread of malware as well as increase employee productivity by reducing the time wasted sorting through spam. Since spam changes constantly, and the sophistication of spammers is ever-increasing, software installed on the corporate mail servers is vital to stop the flood. Companies that create spam filter software have the advantage of seeing millions of these emails per day and can therefore develop the most effective heuristics to identify the messages. Therefore, XYZ should implement a well-known software package for spam blocking. Additionally, most email clients also provide spam blocking, which is another line of defense.

The SANS Institute’s top twenty critical vulnerabilities and other articles are also effective tools for system administrators to keep abreast of the latest Internet malware. SANS conducts seminars and has certifications for administrators to increase their awareness and skills. Having a prepared security force when infection occurs can be the difference between a nuisance and a catastrophic event.

Unlike the other checklist items, most of these actions are not tailored specifically to XYZ Company because the need for companies to protect themselves from these threats is universal. If employees have access to the internet, these threats are present. Since XYZ’s CEO is not willing to compromise on Internet access, mitigating the risk is the only option. Thankfully, because the threat is so ubiquitous, solutions are not very expensive. These solutions are good for XYZ because they are inexpensive, while providing many layers of defense against malware.

Supporting Explanation for Check-list Item Number 9

Checklist item nine is COBIT DS5.10, which specifies the use of security techniques and management procedures to authorize access and control information in and out of networks. The most common security device to accomplish this is a firewall. Firewalls are important because they act like a filter, screening the network traffic. They only allow authorized traffic to reach corporate devices. This way, the intranet is not exposed to the Internet, and corporate traffic can be kept secure. They are usually the first line of defense after the router, and therefore have an excellent chance of intercepting unauthorized traffic. In short, they allow organizations to experience the benefits of internal networking and the Internet simultaneously by controlling the flow of information.

There are two types of firewalls. Generally, the tradeoff is between speed and security. The fastest firewalls only inspect the packets in isolation. More advanced firewalls will inspect the entire packet and track whether the communication was authorized. These are called stateful packet inspection firewalls. The best network topology for XYZ Company, since they have an external website, is one with a demilitarized zone, or DMZ. The DMZ calls for a border router as the main connection to the internet. The router can perform the basic packet filtering. It is followed by a firewall, which will perform the packet inspection. This firewall will only allow incoming traffic that is on authorized ports, such as web port 80 and encrypted web port 443. Next, the external servers are connected inside the DMZ. They will have their own proxy firewalls that only allow authorized services. Next, another firewall between the DMZ and the corporate network serves as additional defense, preventing even the allowed web traffic from venturing onto the internal network. Last, each device on the internal network should have a host firewall as the last line of defense from network traffic. Multiple layers of defense will be the most effective at preventing network intrusions.

Configuring the appropriate ingress and egress filter rules will determine the effectiveness of firewalls. Inbound items to block include packets with non-routable IP addresses, blacklisted sites, unassigned addresses, and XYZ’s own IP address. In addition, packets with IP options, TCP flags that might be used to scan, most types of ICMP packets, packets with an illegal size, and ones destined for ports that run dangerous services should also be blocked. Outbound packets to gambling or pornographic sites should be filtered. Additionally, packets that do not have XYZ’s IP address should not be allowed out; this will prevent spoofing attacks from originating within the company. The recommended approach when writing both inbound and outbound access control lists is for the last rule to block all traffic not explicitly allowed. This will help prevent loopholes in the configuration. Last, the proxy firewalls on the servers in the DMZ should be configured to respond to external requests, but not be able to initiate new connections. This will prevent the device from “reporting home” should it ever be hijacked.
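As an added example (not from the essay), the following Python models these ingress and egress rules as a first-match access control list whose closing rule denies everything not explicitly allowed. The XYZ address block, the blocked-destination list, the "dangerous service" ports and the sample packets are constructed assumptions.

```python
"""First-match packet ACL modelling the inbound and outbound rules above.
Added example, not the essay's own material; addresses and packets are
constructed (XYZ is given the 203.0.113.0/24 documentation block)."""
import ipaddress
from dataclasses import dataclass

XYZ_NET = ipaddress.ip_network("203.0.113.0/24")        # constructed public block
BLOCKED_DESTS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed prohibited sites
# Non-routable and otherwise bogus source ranges that must never arrive from outside.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
DANGEROUS_PORTS = {23, 135, 139, 445}   # assumed: telnet and Windows file sharing
# TCP flag combinations typical of scans: null, Xmas, and SYN+FIN.
SCAN_FLAG_SETS = [frozenset(), frozenset({"FIN", "PSH", "URG"}), frozenset({"SYN", "FIN"})]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}
    size: int = 64                  # bytes


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


# (rule name, predicate, verdict): the first match wins, and the closing rule
# denies whatever was not explicitly permitted, as the text recommends.
INBOUND = [
    ("drop-bogon-source", lambda p: _in_any(p.src, BOGONS), "deny"),
    ("drop-spoofed-own-address", lambda p: _in_any(p.src, [XYZ_NET]), "deny"),
    ("drop-illegal-size", lambda p: not 20 <= p.size <= 1500, "deny"),
    ("drop-scan-flags", lambda p: p.proto == "tcp" and p.flags in SCAN_FLAG_SETS, "deny"),
    ("drop-icmp", lambda p: p.proto == "icmp", "deny"),   # model drops all ICMP for brevity
    ("drop-dangerous-service", lambda p: p.dport in DANGEROUS_PORTS, "deny"),
    ("allow-web", lambda p: p.proto == "tcp" and p.dport in (80, 443)
                            and _in_any(p.dst, [XYZ_NET]), "allow"),
    ("default-deny", lambda p: True, "deny"),
]
OUTBOUND = [
    ("drop-spoofed-source", lambda p: not _in_any(p.src, [XYZ_NET]), "deny"),
    ("drop-blocked-destination", lambda p: _in_any(p.dst, BLOCKED_DESTS), "deny"),
    ("allow-web-out", lambda p: p.proto == "tcp" and p.dport in (80, 443), "allow"),
    ("default-deny", lambda p: True, "deny"),
]


def evaluate(rules, packet):
    """Return (verdict, name of the first matching rule)."""
    for name, matches, verdict in rules:
        if matches(packet):
            return verdict, name
    raise AssertionError("rule set must end with a catch-all rule")


if __name__ == "__main__":
    for pkt in (Packet("192.168.1.5", "203.0.113.10", "tcp", 80, frozenset({"SYN"})),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 443, frozenset({"SYN"}))):
        print(pkt.src, "->", pkt.dst, evaluate(INBOUND, pkt))
```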

Since firewalls are so crucial to corporate security, additional measures to protect them are necessary. Preventing physical access to the firewall will secure it against tampering. Firewall logging should also be enabled, and the logs monitored and analyzed. Changes to the firewall configuration should be subject to the formal change management procedures specified earlier. It is also imperative that changes to the firewall configuration be tested. A testing environment is the easiest and most effective way to do this. Thus, before making changes in the live environment, IT can ensure the change does not have any unintended side effects. Network sniffers can be used to verify that only the intended packets make it through the firewall. If the firewall access control lists do not function as intended, the firewall will be ineffective.

Another facet of controlling access to XYZ’s company resources is securing the wireless access recently implemented at the corporate headquarters and one manufacturing plant. If configured properly, wireless can be a convenient, secure addition to the network infrastructure. To secure it, the wireless access points should be placed inside the DMZ. This way, they are subject to the same firewall rules as untrusted sources. In order to access the internal network, users will have to create a virtual private network, or VPN, connection. VPNs will be discussed in further detail below. Another security measure is not to broadcast the network SSID; this prevents hackers from recognizing that the network belongs to XYZ, making it a less enticing target. In addition, to prevent sending confidential information over wireless in clear text, encryption should always be enabled on all access points. Since there are inherent weaknesses in WEP encryption, using WPA2, which uses a strong encryption scheme like the Advanced Encryption Standard (AES), is advisable. Last, IT should also perform regular audits to ensure that no employees have installed rogue, or unauthorized, access points. With these security measures in place, XYZ can continue its rollout of wireless access to additional facilities, allowing them to experience its convenience as well, while being confident of their security.

The third method of securing access to and from XYZ Company is a VPN. Since XYZ allows research scientists and senior financial executives to work from remote locations, a VPN is critical to their secure access of the corporate intranet. The addition of wireless also requires a VPN to function securely. VPNs create secure tunnels through which traffic is encrypted using IPsec ESP or SSL. Thus, the remote devices can operate as if they are directly connected to the corporate network. Some configuration is necessary, however, to ensure that the VPN is secure. VPN split tunneling should be disabled. Split tunneling allows clients to segment their traffic and only route a portion of it over the VPN. This can create problems if the client machine is compromised. Because not all the traffic is subject to corporate firewalls, malware and hackers can use the machine as a gateway to route traffic onto the internal network, causing additional machines to be compromised. It is best to disable this feature, as it leads to reduced security.

These are the best solutions for XYZ Company because the CEO sees value in providing Internet, remote, and wireless access to employees. The benefits created by allowing the use of these technologies are significant enough to accept the security risks. The CEO’s understanding of the risks, and the associated expenses to mitigate the risks, make this solution and its costs viable. XYZ is not alone; other companies deal with these risks daily through their implementation of firewalls, wireless encryption, and VPNs. By implementing the aforementioned measures, XYZ can utilize these technologies without compromising its security.

Supporting Explanation for Check-list Item Number 10

The last checklist item is COBIT ME1.3, which calls for the deployment of a performance monitoring methodology that records targets, captures measurements, and provides a concise, balanced view of IT performance. This item is important because security is not an end in itself; it is a continuous journey. Organizations need to determine the effectiveness of their security measures and ensure that the security money is well spent. If one security initiative is ineffective, it will be difficult to convince management of the value of other initiatives. However, there is more at stake than security funding; security incidents can be very detrimental to overall company viability. Ensuring that every security dollar contributes to protecting the company is therefore vital.

Methodologies to assess organizational security performance include total quality management, Six Sigma, and balanced scorecard. Balanced scorecard, the focus for XYZ Company, evaluates security on four separate measures: financial, customer, internal processes, and learning and growth. It is a proven methodology, which has been around for fifteen years. Having multiple perspectives is valuable because it provides a complete picture of security. When choosing metrics for the dimensions, it is important to pick a variety of indicator types. The scorecard should contain both leading indicators, such as critical system availability, and lagging indicators, such as the percentage of successful data restorations. Both process drivers and outcomes should also be included in the metric mix. Some metrics should measure efficiency, or how optimal the controls and processes are, while others should measure effectiveness, or how well the company is achieving its targets. An efficiency metric example is the mean time to apply software patches, while a sample effectiveness metric would be critical system availability. All metrics should be compared to targets and benchmarks to assess performance over time. Additionally, looking at metric trend data can help identify weaknesses or lapses in security performance.

Metrics should have several key characteristics. First, they should be quantifiable, meaning they should have explicit items to measure. If the metrics are open-ended, it will be difficult to codify the organization’s performance. Second, they should be repeatable. This ensures that independent verification would result in the same outcome. If the process cannot be verified, the numbers are not meaningful because they are too easily manipulated. Third, they should be cost effective to collect. If a large portion of the security budget is spent assessing the security budget’s performance, dollars are being wasted that could be spent on improving security. Fourth, the metrics should be easy to understand. If executives cannot understand them, communicating security needs and obtaining funding will be difficult. Last, and probably most difficult, the metrics should be meaningful. Having all the other criteria is useless if the metrics do not accurately reflect the security state of the company.

Security performance is not the only concern, though. Organizations must also ensure that their security dollars are spent as effectively as possible. One metric to measure this is the return on security investment, or ROSI. ROSI is somewhat of a misnomer because security is not actually “returning” any money to the company; it is preventing additional expenditures. However, it does allow discounted expenditures and benefits to be measured over the expected life of the security investment. Thus, management can use the metric to compare several security initiatives.

Since the results of the balanced scorecard need to be communicated to personnel throughout the organization, a clear, concise communication tool is needed. The most popular one is a scorecard. A scorecard allows management to assess security performance at-a-glance. It is an invaluable tool because performance information is not actionable if the executives, managers, and personnel are not aware of it. The continuous improvement demanded by balanced scorecard is only possible through thorough understanding of one’s contribution to the metrics.

Actual metrics for XYZ’s balanced scorecard financial perspective would be return on security investment and remaining security budget. Customer metrics include customer satisfaction survey results and critical system availability. In the internal processes perspective, metrics include the percentage of successful data restorations, mean time to implement software patches, and average downtime from security incidents. Last, learning and growth includes metrics on the percentage of security employees with training and the total security training hours. These are only suggested metrics for the first iteration. Balanced scorecard calls for an iterative process that repeatedly evaluates and improves the metrics. The more representative the metrics are of the actual security processes, the better the processes can be managed.
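As an added example (not part of the essay), the following Python encodes the metrics listed above for the four perspectives and applies the earlier recommendations: each metric is compared to a target and its recent trend is examined for lapses. The targets, the quarterly sample values and the leading/lagging labels on metrics the text does not classify are constructed assumptions.

```python
"""Balanced-scorecard evaluation for the XYZ security metrics named above.
Added example, not the essay's own material; targets and quarterly values
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Metric:
    perspective: str        # financial, customer, internal, learning
    name: str
    kind: str               # "leading" or "lagging" indicator
    target: float
    higher_is_better: bool
    history: list           # oldest first, one value per quarter (constructed)

    def status(self):
        """'met' or 'missed' for the latest measurement against its target."""
        latest = self.history[-1]
        ok = latest >= self.target if self.higher_is_better else latest <= self.target
        return "met" if ok else "missed"

    def trend(self):
        """Direction of the last two measurements: improving, lapsing or flat."""
        if len(self.history) < 2:
            return "n/a"
        delta = self.history[-1] - self.history[-2]
        if delta == 0:
            return "flat"
        improving = delta > 0 if self.higher_is_better else delta < 0
        return "improving" if improving else "lapsing"


# Leading/lagging labels for availability and restorations follow the text;
# the remaining labels, all targets and all values are assumptions.
SCORECARD = [
    Metric("financial", "return on security investment (%)", "lagging", 15.0, True, [9.0, 12.0, 16.5]),
    Metric("financial", "remaining security budget (%)", "leading", 20.0, True, [55.0, 30.0, 18.0]),
    Metric("customer", "critical system availability (%)", "leading", 99.9, True, [99.95, 99.91, 99.80]),
    Metric("customer", "customer satisfaction survey (1-5)", "lagging", 4.0, True, [3.8, 4.1, 4.2]),
    Metric("internal", "successful data restorations (%)", "lagging", 98.0, True, [95.0, 97.0, 99.0]),
    Metric("internal", "mean time to apply patches (days)", "leading", 7.0, False, [12.0, 9.0, 6.0]),
    Metric("internal", "average downtime per incident (hours)", "lagging", 2.0, False, [3.5, 2.5, 2.5]),
    Metric("learning", "security employees trained (%)", "leading", 90.0, True, [60.0, 75.0, 85.0]),
    Metric("learning", "total security training hours", "leading", 40.0, True, [20.0, 35.0, 44.0]),
]


def summarize(metrics=SCORECARD):
    """Per-perspective (met, total) counts plus the metrics needing attention,
    i.e. those missing target or trending the wrong way."""
    summary = {}
    attention = []
    for m in metrics:
        met, total = summary.get(m.perspective, (0, 0))
        summary[m.perspective] = (met + (m.status() == "met"), total + 1)
        if m.status() == "missed" or m.trend() == "lapsing":
            attention.append(m.name)
    return summary, attention


if __name__ == "__main__":
    for perspective, (met, total) in summarize()[0].items():
        print(f"{perspective:10s} {met}/{total} metrics on target")
    print("needs attention:", summarize()[1])
```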

Balanced scorecard is the best solution for XYZ Company because it will allow them to focus their security efforts. It will allow security to be seen as a corporate enabler, rather than as a cost center. This will make it easier to obtain and maintain funding for security initiatives. Additionally, the methodology will allow XYZ to use their security funds in the most effective manner possible. The four varied perspectives will reinforce that security is a management rather than technical issue by demonstrating that security improvement can be realized through process management. Overall, balanced scorecard provides a comprehensive, proven method through which XYZ will view security as an ongoing process that requires continuous improvement.
