Information Security for “Astra-World” Essay

Overview

As information is becoming one of the main assets of modern companies, the influence of information technologies on business processes is constantly increasing. Accordingly, the requirements for the level of security of the informational system are also increasing along with the safety of the data and its accessibility. In that regard, our company -“IS Consulting”, provides a full complex of services of information protection and a wide spectrum of solutions for the provision of the security of the information systems of any difficulty.

At the current time, when procedural, technical, and technological aspects of the exploitation of the systems of informational security of the company demand a high level of specialists’ preparation, it is economically effective for many companies to use the services of organizations which are system integrators. It is not necessarily an episodic or one-time consultation service, such as incidents’ investigations in the area of information security. In that regard, “IS Consulting”, having large personnel of highly qualified experts in the field of informational security along with all the necessary technical means and efficient procedures, provides a wide spectrum of consultation services in the field of information security.

The Organization’s Security Needs

“Astra-World” is a theme park located in Orlando, Florida, focusing on the space theme. The park has a staff of 150 employees, varying from service duties to managerial and administrative positions. The informational security of the park consists of a system of subscription, in which customers can be by a monthly and annual subscription to visit the park and which contains personal information of the subscribers. Additionally, the park has a network, which has a database of customers’ credit cards, which paid for the subscription.

The park also has a system of communications that connects the park’s offices, as well as the surveillance system which is located throughout the whole park. After the occurrence of a few incidents, such as attacks on the information system of the park, which caused the downfall of the database, attacks on the corporate website, and breaking and stealing the information regarding customers’ credit cards, the management of the park decided to implement a new system of information security.

This security issue has also brought a controversy through several customers filing complaints regarding their privacy, where several employees have used the surveillance system to record videos of the visitors and publish them on various websites on the internet. The company does not have a particular policy regarding the information security and assurance program. “Astra-World” requested “IS Consulting” to develop a formal information security system, which will deal with the aforementioned issues effectively. Accordingly, the needs of the organization could be summarized as follows:

• A protected system of authorization – as dishonest employees make up 13 percent of information protection problems(Peltier, 2002, p. 8), this issue is specifically important for theme park management.
• Protection from hackers –the term refers to those who “break into computers without authorization or exceed the level of authorization granted to them.” (Peltier, 2002, p. 9)
• Develop a security policy for the user of the informational system of the park – a protection policy is the “documentation of enterprisewide decisions on handling and protecting information.” (Peltier, 2002, p. 9)
• A system of encryption of important data in the information system.
• Trained personnel able to manage and update and upgrade the infrastructure of the security system as needed.

Information Security Roles and Titles

A general definition for information security management can be seen as a complex of measures directed toward the provision of the informational assets of the company. In that regard, the informational assets of “Astra-World” can be seen in any digital information stored or exchanged within the informational system of the company such as customers’ data, credit cards information, surveillance records, corporate portal data, financial information or any other documentation exchanged within the business processes of the company. Thus, the main point in information security management is its complex approach, where solving a separate issue, whether technical or organizational, will not solve the problem.

The complex approach implies three basic elements of security, i.e. access control, authentication, and accounting. (Dhillon, 2001) Additionally, as one of the objectives and accordingly necessary enforcement for the security system, is a security policy, focusing on confidentiality, integrity, and availability. The security policy, as defined earlier, should be focused on several issues, which is adapted to the need of “Astra-World”, should focus on the functional aspect of the system, the physical components of the system, the procedures to protect the system, and the organizational aspects of the system, i.e. managing the balance between the accessibility of the system through managerial and employees’ hierarchy, and the operational functionality. (Dhillon, 2001, p. 10)

The roles and the positions within the security system should be divided as follows:

• Chief Security Officer (CSO, or CISO) – in addition to reporting to the company’s top computing executives, the CSO directs the information security department to examine existing systems to discover information security faults and flaws in technology, software, and employees’ activities and processes. In general, according to the financial limitations of the company, the department of information security can be positioned within the IT department of the company. (Whitman & Mattord, 2005) Additionally, he develops the budget for the system, works on strategic plans, and drafts or approves policies.
• Information security consultant –mainly being an outside position, this function is administered by “IT Consulting”.
• Information Security Administrator – the functions of security administrators might be combined with that of the IT department administrators, in terms of the network administering responsibilities. Other administrator responsibilities might include reporting incidents to the Chief Security Officer, supervising technicians, monitoring the performance of the informational system of the company, and
• Information Security Technician – the main functions include technical configuration (e.g. firewalls, software, IDSs), troubleshooting problems, coordinating with systems and network administrators. (Whitman & Mattord, 2005, p. 479) By the company’s specifications, the functions can be seen in controlling and configuring access for different systems, such as the websites, internet access, administering control, etc.

Threat Analysis and Risk Assessment

Before implementing any solutions regarding the strategies of information security of the organization (in both long and short terms), a risk assessment should be conducted. As long as the company is holding the information that represents value to the company, its competitors, or random hackers, the company is taking a risk of losing such information. The function of any informational mechanism of security control should consist of limiting such risk factors with previously established levels. This factor should be true for protection policies, where policies are control mechanisms of existing risks that are designed and developed as a solution to both existing and potential risks. Thus, an all-around risk assessment would be among the first stages of the process of policies formation, where the assessment should identify the weak spots of the system and should define future goals and methods.

The risk assessment process will be conducted by both external agents, i.e. “IS Consulting”, and internal agents, in the case of the present company this job will be done with the cooperation of the existent IT department of the company.

The methodology of assessing risks and threats will be consisting of identifying four aspects which are: assets, threats, risk level, and selected possible control. (Peltier, 2005, p. 44) In that regard, the table of risk and threat assessments will be as follows:

Policies and Procedures

The final draft of the company’s policy and procedures will be revised in accordance with the senior management structure, wherein the present time an outline of the contents of the policy and the procedures could be summarized in the following next points.

• Strict access to the information of the company should be based on the direct functions of the users, with restrictions to their level of access. The implementation will require setting a hierarchical access control system, with documentation in which the logs of the accesses of the users will e stored and analyzed when necessary. The employees “are held accountable for all actions carried out under their user IDs”(Tipton & Krause, 2007, p. 466), taking full responsibility for securing their machines when away from their working place.
• The employee will have physical authentication cards, which will control the access to various facilities of the company. Different cards will correspond to different levels of access. When accessing a facility with a personal card, employees are held responsible for any physical or logical assets in the facility until they exit the facility.
• The internet activity of the employees is controlled within the working place, where each employee should have the possibility to use the internet through user IDs and passwords provided by the administrators. The employees are prohibited from individually downloading and installing any external software from the internet. Additionally, it is prohibited to exchange any electronic correspondence unrelated to the working environment.
• Any information created or used in the support of the company is corporate information owned by the company and considered one of its assets.

The outlined policy issues will be formalized in official documents after it will be revised and approved by the CEO of the company.

Contingency Plan

Contingency can be defined as a “coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information technology (IT) systems, operations, and data after a disruption. “(Tipton & Krause, 2007, p. 1603) The plan includes setting the preventive measures that should be implemented for the information not to be lost. In the case of the “Astra World,” the plan includes implementing common measures such as providing uninterruptible power systems (UPS), alternative generators and emergency master switches for the system.

Additionally, the system should have a backup data storage which should regularly store the data from the main system. The plan should also cover policies and regulations regarding all business units within the organization on how to react in the case of an emergency, including key people, standard procedures, and recovery timeline. (Tipton & Krause, 2007)

Security Education, Training, and Awareness Program (Seta)

A Security Education, Training and Awareness (SETA) program can be defined as “an educational program that is designed to reduce the number of security breaches that occur through a lack of employee security awareness.” (Hight, 2005) In that regard, SETA can be considered as preventive measures, which would involve the human resources to participate in the development of the information security program, rather than technology alone.

The pan of the company will be established to raise the general awareness of the employees to the security aspects of the company, as well as raising the general knowledge of IT basics. Accordingly, the program will consist of two-week seminars and training which will be conducted by “IS Consulting” on a three-day-a-week basis, for a total of six seminars. The participation of the employee should be obligatory, where each training session will be held in the main conference hall of the company, after work for 60 minutes. The outline of the seminars will be as follows:

• Day one – Assessment of the skills of the employees, as well as explaining their role in the area of information security.
• Day two – Individual workplace security management, including outlining such procedures as protection from malicious software and viruses, password change, password storage, and overview of potential risks.
• Day three – Access to facilities, a lecture on the basic issues to examine when entering the facility with a personal ID card or workplace, and the standard procedures when exiting.
• Day four – Review the policies on informational security.
• Day five-overview of the most common security errors that are made in the workplace, e.g. leaving the workplace unsecured.
• Day six – Summing up, an assessment test.

References

Dhillon, G. (2001). Information security management : global challenges in the new millennium. Hershey, PA: Idea Group Pub.

Hight, S. D. (2005). The importance of a security, education, training and awareness program.Info Security Writers.

Peltier, T. R. (2002). Information security policies, procedures, and standards : guidelines for effective information security management. Boca Raton: Auerbach Publications.

Peltier, T. R. (2005). Information security risk analysis (2nd ed.). Boca Raton: Auerbach Publications.

Tipton, H. F., & Krause, M. (2007). Information security management handbook (6th ed.). Boca Raton: Auerbach Publications.

Whitman, M. E., & Mattord, H. J. (2005). Principles of information security (2nd ed.). Boston, Mass.: Thomson Course Technology.