Question details

CMIT 425 7981 Advanced Information Systems Security Risk Assessment Paper
$ 35.00

 

GLOBAL FINANCE, INC. (GFI)

 

Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.

 

The diagram below displays the executive management team of GFI:

CEO

 

John Thompson

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Vice President

 

 

 

 

 

Executive

 

 

 

 

 

 

 

 

 

Assistant

 

 

 

 

Trey Elway

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Kim Johnson

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Executive

 

 

 

 

 

Executive

 

 

 

 

Assistant

 

 

 

 

 

Assistant

 

 

 

 

Julie Anderson

 

 

 

 

 

Michelle Wang

 

 

 

 

 

 

 

 

 

 

 

 

 

CCO

 

COO

 

CFO

Director of

 

Director of HR

 

 

 

 

Marketing

 

Andy Murphy

 

Mike Willy

 

Ron Johnson

 

 

 

Ted Young

 

 

 

 

John King

 

 

 

 

 

 

 

 

 

 

 

 

Figure 1 GFI Executive Organizational Chart

 

BACKGROUND AND YOUR ROLE

 

You are the Chief Security Officer, hired by COO Mike Willy, to protect the physical and operational security of GFI’s corporate information systems. Shortly after starting in your new position, you recognize numerous challenges that you will be facing in this pursuit.

 

Your primary challenge, as is usually the case, is less technical and more of a political nature. CEO John Thompson has been swept up in the “everything can be solved by outsourcing” movement. He believes that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department. In fact, the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and recently presented a proposal to his senior management team outlining his plan to greatly reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of Directors as soon as he has made a few more refinements in his presentation.

 

COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology services combined with a diminishing IT footprint gravely concerned Mike Willy, and he begged to at least bring in an Information Security expert with the experience necessary to evaluate the current security of GFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of GFI’s information systems were compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.

 

COO Willy has reasons for worrying. GFI has experienced several cyber-attacks from outsiders over the past a few years:

 

  • In 2013, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputation. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality.

 

  • In 2014, another security attack was carried out by a malicious virus that infected the entire

 

network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. COO Willy isn’t sure whether the virus entered GFI’s systems through a malicious email, from malware downloaded from the Internet, or via a user’s USB flash drive. Regardless of the source of the infection, the company lost $1,700,000 in revenue and intangible customer confidence.

 

  • In a separate incident in 2014, one of the financial consultants left his company laptop unprotected at the airport while travelling and it was stolen. It contained customer financial data and the hard drive was not encrypted. Financial reparations were paid to impacted customers.

 

  • In 2015, a laptop running network sniffer software was found plugged into a network jack under a desk in one of the unoccupied offices.

 

It is apparent from the number of successful cyber-attacks that GFI is an organization severely lacking in information security maturity. COO Willy has commissioned you to perform a quantitative and qualitative risk assessment of GFI’s infrastructure to determine where improvements could be made to reduce the risk of future attacks.

 

 

CORPORATE OFFICE NETWORK TOPOLOGY

 

The diagram on the following page displays GFI’s Corporate Office Topology.

 

The GFI network infrastructure consists of a corporate WAN spanning 10 remote facilities that are interconnected to the GFI headquarters’ central data processing environment. Data is transmitted from a remote site through a VPN gateway appliance that forms a VPN tunnel with the VPN gateway in headquarters. Through this VPN connection, remote office users access the internal Oracle database to update the customer data tables. Through your inspection of the VPN configuration you discover that the data transaction traversing the remote access connection to the corporate internal databases is not encrypted.

 

Users are authorized to work from home and both dial-up and VPN remote access are available. Dial-up is provided via Private Branch Exchange (PBX) and a Remote Access Server and VPN remote access is provided via the VPN gateway. Authentication is password-based via MS-CHAP V2. Users are also able to take advantage of GFI’s Bring Your Own Device (BYOD) policy and a Wireless antenna allows wireless networking within headquarters. WEP is used to provide wireless security to BYOD users.

 

The network perimeter between the Internet and GFI’s internal network infrastructure is separated by two Border (Core) Routers. These Border Routers then connect to two Distribution Routers and the VPN Gateway. The Distribution Routers connect to a RAS Server, a Wireless Router that provides a bridge between the Wireless Antenna and the internal network, and two Multi-layer switches. The Multilayer switches connect to six (6) Access Layer VLAN switches that segregate the Accounting, Loan Dept, Customer Services, Mgmt, Credit Dept, and Finance VLANs. The Multi-layer switches also connect to a third Multi-layer switch that provides a connection to GFI’s servers in the Trusted Computing Base subnet.

 

The trusted computing based (TCB) internal network is situated in a physically separated subnet. A bulk of the data processing for GFI is handled by an Oracle database on a high end super computer located in the TCB and the TCB also contains an intranet web server used by the internal support team, a Software Update Services (SUS) server used for patch management, an internal DNS server, an e-mail server, and other support personnel workstations. Although each corporate department is segregated physically on a different subnet, they share access to the corporate data in the TCB network.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

90

Wireless 90

Antenn9a0

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

NOTE: The symbol represents a multilayer switch

 

 

CONSIDERATIONS WHEN CONDUCTING THE RISK ASSESSMENT:

 

This Risk Assessment and your suggested security improvements are of critical importance. CEO Thompson is set on outsourcing GFI’s IT competency and you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and over to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator to provide security improvements in certain key areas without a significant increase to the IT budget. It is extremely important that you take into account the value of the assets being protected when selecting security controls to mitigate the risks (i.e. don’t spend $ 1000 to protect an asset worth $500). In addition to what you learned from COO Mike Willy about the previous exploits of GFI’s vulnerabilities and what you gathered when reviewing GFI’s network infrastructure, the COO has provided some additional information that he wants you to take into account:

 

  1. Ever since an article ran in Fortune about GFI, the network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. Suggestions on improvements to perimeter security and/or methods of identifying the source of intrusions should be presented in your risk assessment.

 

 

 

 

 

  1. The interrelationship between data and operations concerns COO Mike Willy. Increasingly, some of the ten (10) remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited. Suggestions on reducing network latency or increasing application response time and availability should be presented in your risk assessment.

 

 

  1. Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the COO is concerned with mobility security and would like you to research best practices for mobile computing. Security within the BYOD environment should be presented in your risk assessment.

 

 

  1. Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the COO is concerned over the security ramifications over the wireless network that is widely open to the company and nearby residents. Security within the wireless environment should be presented in your risk assessment.

 

 

  1. The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based e-commerce platform. However, the COO is particularly concerned over the cloud computing security in case the customer database is breached.

 

 

ASSIGNMENTS

 

  • From the devices and systems identified in the GFI Corporate Network Topology, conduct a thorough asset inventory, assign monetary values to each asset (quantitative), and assign a priority value for each asset (qualitative) that could be used to determine which assets are most critical for restoral in the event of a catastrophic event or attack.
  • Evaluate the perimeter security, make a list of access points internal and external (remote), identify vulnerabilities and make suggestions for improvements to perimeter and network security.

 

  • Evaluate the remote access infrastructure, identify vulnerabilities and suggest security improvements to mitigate risks to remote access.

 

  • Address the COO’s concern over the mobility security and design a secure mobile computing

 

(smart phones, tablets, laptops, etc.) in terms of authentication technologies and data protection.

 

  • Identify wireless vulnerabilities and recommend what safeguards, authentication technologies, and network security to protect data should be implemented.
  • Evaluate the authentication protocols and methodologies within the wired, wireless, mobility and remote access environments and suggest improvements to secure authentication for GFI.

 

  • Evaluate the web system protocols and vulnerabilities within the Intranet server and suggest secure protocol improvements to improve security for web authentication.
  • Design a cloud computing environment for the company with a secure means of data protection at rest, in motion and in process.
  • Assess all known vulnerabilities on each asset in this environment and impacts if compromised.

 

  • Using the asset inventory and the assigned values (monetary and priority) conduct a quantitative and qualitative risk assessment of the GFI network.

 

  • Recommend risk mitigation procedures commensurate with the asset values from your asset inventory. Feel free to redesign the corporate infrastructure and use any combination of technologies to harden the authentication processes and network security measures.
  • Provide an Executive Summary.

 

  • You are welcome to make assumptions for any unknown facts as long as you support your assumptions.

 

  • The Title Page, Table of Contents and References page(s) don’t count in your 15 page minimum!!!

 

 

 

Risk Assessment Paper Rubric

 

You are given a fictional scenario above describing security issues affecting organizational assets. You will identify the risks associated with the assets, and recommend mitigating procedures. You will prepare a quantitative / qualitative risk assessment to address risk factors on organizational assets. Your final paper will be 15–25 pages long in a Word document (double -spaced with 12 point font) with APA citations for the resources you used in your research and will be graded using the following rubric.

 

 

Criteria

Non-compliant

Minimal

Compliant

Advanced

 

 

 

 

 

Inventory assets

Did not inventory or

Inventoried assets but

Inventoried, prioritized

Inventoried, prioritized

and prioritize

prioritize assets in

did not prioritize them

assets, but did not address

assets and addressed

them in the

the order of mission

in the order of

mission objectives in

mission objectives in their

order of mission

criticality. (0)

mission criticality. (3)

their asset priority. (6)

asset priority. (10)

criticality.

 

 

 

 

 

 

 

 

 

Evaluate

Did not evaluate

Evaluated enterprise

Evaluated enterprise

Evaluated enterprise

enterprise

enterprise topology

topology but did not

topology, perimeter

topology, perimeter

topology and

and perimeter

include perimeter

protection measures, but

protection measures, and

perimeter

protection. (0)

protection measures.

did not address mission

addressed mission

protection.

 

(3)

objectives. (6)

objectives. . (10)

 

 

 

 

 

Evaluate remote

Did not evaluate

Evaluated remote

Evaluated remote access

Evaluated remote access

access to the

remote access

access protocols but

protocols, security

protocols, security

networks.

protocols and

did not address

safeguards to the

safeguards to the network,

 

safeguards to the

security safeguards to

network, but did not

and addressed mission

 

network. (0)

the network. (3)

address mission

objectives. (10)

 

 

 

objectives. (6)

 

 

 

 

 

 

Evaluate

Did not evaluate

Evaluated

Evaluated authentication

Evaluated authentication

authentication

authentication

authentication

protocols, methodologies

protocols, methodologies

protocols and

protocols and

protocols,

with supporting data and

with supporting data,

methodologies.

methodologies. (0)

methodologies but

description, but lacks

description; and addressed

 

 

with insufficient data

mission objectives. (6)

mission objectives. (10)

 

 

or inadequate

 

 

 

 

description. (3)

 

 

 

 

 

 

 

Assign asset

Did not assign asset

Assigned asset values

Assigned asset values to

Assigned asset values to

values to

values to

to organization assets

organization assets in a

organization assets in a

organization

organization assets

for quantitative /

complete inventory, but

complete inventory, and

assets for

for quantitative /

qualitative risk

did not address mission

addressed mission

quantitative /

qualitative risk

assessment but

objectives. (6)

objectives. (10)

qualitative risk

assessment. (0)

incomplete. (3)

 

 

assessment.

 

 

 

 

 

 

 

 

 

Assess

Did not assess

Assessed

Assessed vulnerabilities

Assessed vulnerabilities

vulnerabilities

vulnerabilities on

vulnerabilities on

on each asset and impacts

on each asset and impacts

on each asset

each asset and

each asset and

if compromised; of

if compromised; of

and impacts if

impacts if

impacts if

complete inventory but

complete inventory and

compromised.

compromised. (0)

compromised; but

did not address mission

addressed mission

 

 

incomplete. (3)

objectives. (6)

objectives. (10)

 

 

 

 

 

Evaluate web

Did not evaluate

Evaluated web

Evaluated web access

Evaluated web access

access protocols

web access

access protocols and

protocols and

protocols and

and

protocols and

vulnerabilities or

vulnerabilities and Cloud

vulnerabilities and Cloud

vulnerabilities

vulnerabilities and

Cloud Computing.

Computing but did not

Computing and

and Cloud

Cloud Computing

(3)

address mission

addressed mission

Computing

(0)

 

objectives. (6)

objectives. (10)

 

 

 

 

 

 

Criteria

Non-compliant

Minimal

Compliant

Advanced

 

 

 

 

 

Recommend risk

Did not

Recommended risk

Recommended risk

Recommended risk

mitigation

recommended risk

mitigation procedures

mitigation procedures

mitigation procedures

procedures

mitigation

commensurate with

commensurate with asset

commensurate with asset

commensurate

procedures

asset values, but

values of complete

values of complete

with asset values.

commensurate with

incomplete. (3)

inventory, but did not

inventory, and addressed

 

asset values. (0)

 

address mission

mission objectives. (10)

 

 

 

objectives. (6)

 

 

 

 

 

 

Formulate 15-25

Did not follow

Followed proper

Followed proper

Followed proper

pages of a

proper quantitative

quantitative or

quantitative or qualitative

quantitative or qualitative

quantitative or

or qualitative risk

qualitative risk

risk assessment format

risk assessment format and

qualitative risk

assessment format,

assessment format but

and conformed to APA

conformed to APA in a

assessment in

and failed to

did not conform to

but insufficient reference

sufficient reference list

APA format.

conform to APA

APA format. (3)

list and page count. (6)

and page count. (10)

 

format. (0)

 

 

 

 

 

 

 

 

Executive

Did not include an

Included an executive

Included an executive

Included an executive

summary of risk

executive summary.

summary but lacks

summary in details, but

summary in details, and

assessment.

(0)

details. (3)

did not address the

addressed mission

 

 

 

mission objectives. (6)

objectives. (10)

 

 

 

 

 

Available solutions
  • CMIT 425 7981 Advanced Information Systems Security Risk Assessment Paper
    $35.00

    GLOBAL FINANCE, INC. (GFI) Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers. The diagram below displays the executive management team of GFI: CEO John Thompson Vice President Executive Assistant Trey Elway Kim Johnson Executive Executive Assistant Assistant Julie Anderson Michelle Wang CCO COO CFO Director of Director of HR Marketing Andy Murphy Mike Willy Ron Johnson Ted Young John King Figure 1 GFI Executive Organizational Chart BACKGROUND AND YOUR RO

    Submitted on: 28 Apr, 2017 05:49:49 This tutorial has not been purchased yet .