7623ICT | Information and Security | A Case Study of IT Security Plan

Scenario: Student Grading System Security

Remarkable University is implementing a new student grading system. The system needs to be developed and implemented to ensure that it is both fit for purpose and secure from identified threats.

The student grading system’s core components include:

  • a front-end web/application server which is used by students, academics and administrative staff
  • a database which holds students’ grades

The system will need to be built and managed to ensure that the servers are deployed securely and remain secured against common automated and simple manual attacks. Dedicated, targeted attacks are difficult to protect against; however, simple measures can be taken to protect against most automated attacks. Identified threats against the system include:

  • Grade hacking/modification, e.g. students who may wish to modify their own results or view or modify the results of others
  • Privacy concerns, e.g.:
    • internal users such as staff or students who may wish to view or modify results; and
    • external users who may wish to gain access to or modify results or other personal information
  • Malicious code such as worms
  • Automated scanning and exploit tools
  • Targeted exploit attempts
  • Phishing attempts

The grading system application needs to remain secured, use appropriate access controls, enforce least privilege, and ensure that information flowing to and from the system is protected. The application needs to be developed in a secure manner and be protected against common attacks, and the database needs to be protected against common automated attacks and use appropriate access controls.

All components of the systems, and in particular the application and database, need to have appropriate access controls in place to ensure that only authorized users can access and update the system, and that access is tied to the role of each user. All access to the system should be logged, regardless of whether the access is by a user or administrators, and regardless of which component of the system is being accessed.

Answer:

Introduction

Remarkable University is the organization for which this IT Security Plan is being developed. The university is implementing a student grading system whose core components are a front-end web/application server used by three types of user (students, academic staff and administrative staff) and a database in which the students' grades are stored. Several threats have been identified against the system, and if they materialise they pose a serious risk to the confidentiality, integrity and privacy of the data it holds.

The IT Security Plan is important because it specifies the mitigation and control strategies that shall be followed to deal with the security risks mapped to each asset of the system.

Scope

There are various assets that are associated with the student grading system being developed and implemented at the Remarkable University.

The assets involved with the system include:

  • Information stored and handled by the system: It includes the student grades, student details and academic profile (Huang, Zhang, Cheng & Shieh, 2017).
  • Hardware: The system will be accessed by the users on desktop and mobile devices. There are also servers involved in the system.
  • Software: The web application that has been developed along with the database deployed for information storage for the student grading system.
  • Networking Peripherals & Communication Architecture: There are networking equipment, protocols, and communication tools involved that need to be protected.

Organization Risk Profile

The university sits in the education domain rather than in a sector such as finance, but the risk profile for this system cannot be rated low: grade records are a direct target for the system's own users (students who want to change their own results) as well as for external attackers, and the risk register below rates most of the identified risks as Extreme. The profile includes the following risks and threats against the IT assets.

  • User authentication and access control issues: privacy concerns, unauthorised viewing or modification of grades
  • Server security risks: malware attacks
  • Software security risks: hacking and data integrity issues, malware attacks
  • Network perimeter security: automated scanning, phishing attempts, targeted exploit attempts
  • End-user PC security: malware attacks

Risk Assessment

IT Asset 1: Information stored and handled by the system

Information is the primary asset of the system and the one most directly exposed to the security risks and attacks described below.

User authentication and access control

This security area is exposed to a number of risks and vulnerabilities that have an adverse impact on the information stored in the student grading system.

Attackers may hijack accounts by defeating the authentication and access control measures that are applied, which exposes students' private and confidential information. Equally important for this system is the insider case from the scenario: an authenticated student who can supply another student's identifier to the application, and whose role is not checked against that identifier on the server side, can read or modify grades that are not their own.

Unauthorized access, data breaches and leakage of data sets follow directly from weak access control.
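The access-control failure described above is best seen in code. The following is an added example (not code from the case study or from Remarkable University) that models the scenario's three roles over an in-memory SQLite database with constructed sample users, courses and grades. It contrasts a vulnerable grade lookup, which trusts the client-supplied student id and builds SQL by string formatting, with a hardened read and write path in which the server-side identity and role of the actor decide what is visible, queries are parameterised, a course's grades can only be changed by the academic who teaches it, and every access (allowed or denied) is written to an audit trail as the scenario requires. The role names, the rule that administrative staff may read but not write grades, and the `AUDIT` list are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when the acting user's role does not permit the operation."""


# In-memory audit trail. The scenario requires every access to be logged;
# a real deployment writes these entries to an append-only log store.
AUDIT = []


def audit(actor, action, target, outcome):
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "action": action, "target": target, "outcome": outcome,
    }
    AUDIT.append(entry)
    return entry


def setup_db():
    """Constructed sample data (users, courses, grades); not from the case study."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id TEXT PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE courses(code TEXT PRIMARY KEY, lecturer TEXT NOT NULL);
        CREATE TABLE grades(student TEXT, course TEXT, grade INTEGER NOT NULL,
                            PRIMARY KEY (student, course));
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("s1001", "student"), ("s1002", "student"),
        ("dr_lee", "academic"), ("dr_kim", "academic"), ("reg01", "admin")])
    conn.executemany("INSERT INTO courses VALUES (?, ?)", [
        ("7623ICT", "dr_lee"), ("1001ICT", "dr_kim")])
    conn.executemany("INSERT INTO grades VALUES (?, ?, ?)", [
        ("s1001", "7623ICT", 72), ("s1002", "7623ICT", 58), ("s1001", "1001ICT", 65)])
    conn.commit()
    return conn


def get_grade_vulnerable(conn, student, course):
    """Anti-pattern: trusts whatever student id the client sends (so any student
    can read any other student's grade) and builds the SQL by string formatting
    (so the course parameter is injectable)."""
    sql = f"SELECT grade FROM grades WHERE student = '{student}' AND course = '{course}'"
    return [row[0] for row in conn.execute(sql)]


def role_of(conn, user):
    row = conn.execute("SELECT role FROM users WHERE id = ?", (user,)).fetchone()
    if row is None:
        raise AccessDenied(f"unknown user {user!r}")
    return row[0]


def teaches(conn, academic, course):
    return conn.execute("SELECT 1 FROM courses WHERE code = ? AND lecturer = ?",
                        (course, academic)).fetchone() is not None


def read_grade(conn, actor, student, course):
    """Hardened read: the server-side identity and role of the actor decide
    what is visible, and the query is parameterised."""
    role = role_of(conn, actor)
    allowed = (role == "student" and actor == student) \
        or (role == "academic" and teaches(conn, actor, course)) \
        or role == "admin"  # assumption: administrative staff may read any grade
    target = f"{student}/{course}"
    if not allowed:
        audit(actor, "grade:read", target, "denied")
        raise AccessDenied(f"{actor} may not read {target}")
    row = conn.execute("SELECT grade FROM grades WHERE student = ? AND course = ?",
                       (student, course)).fetchone()
    audit(actor, "grade:read", target, "ok")
    return None if row is None else row[0]


def write_grade(conn, actor, student, course, new_grade):
    """Least privilege: only the academic who teaches the course may change a
    grade, and every change is logged with its old and new value."""
    target = f"{student}/{course}"
    if role_of(conn, actor) != "academic" or not teaches(conn, actor, course):
        audit(actor, "grade:write", target, "denied")
        raise AccessDenied(f"{actor} may not modify {target}")
    if not 0 <= new_grade <= 100:
        raise ValueError("grade must be between 0 and 100")
    old = conn.execute("SELECT grade FROM grades WHERE student = ? AND course = ?",
                       (student, course)).fetchone()
    cur = conn.execute("UPDATE grades SET grade = ? WHERE student = ? AND course = ?",
                       (new_grade, student, course))
    conn.commit()
    audit(actor, "grade:write", target,
          f"ok {None if old is None else old[0]} -> {new_grade}")
    return cur.rowcount


def is_denied(fn, *args):
    """Helper for checks: True if the call is refused by access control."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    # Injection through the vulnerable helper returns every grade in the table.
    print(get_grade_vulnerable(db, "s1002", "' OR '1'='1"))
    print(read_grade(db, "s1001", "s1001", "7623ICT"))
    print(write_grade(db, "dr_lee", "s1002", "7623ICT", 61))
    print(AUDIT)
```

The point of the hardened path is that the authorisation decision never depends on data the client controls: the actor's role and teaching assignments come from the database, the student id in the request is only compared against that server-side identity, and the denied attempts are logged so that a student probing other students' records shows up in the audit trail.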

Server Security Risks

The data servers will be exposed to malware, and physical security attacks may also occur. The information stored on these servers is exposed as a result.

Software Security Risks

The web application will be exposed to malware, denial of service attacks, data breaches and data integrity issues (O'Donnell, 2008). The information sets are directly or indirectly affected as a result.

Network Perimeter Security

The network architecture and protocols will be exposed to network-based security threats and attacks. These may include phishing, man-in-the-middle attacks, denial of service and distributed denial of service attacks, malware, message alteration and media alteration attacks. Depending on the attack, the confidentiality, integrity or availability of the data and information sets is compromised.

End-user PC Security

The devices used to access the system may be exposed to attacks such as device loss and malware, which directly affect the information stored on them.

IT Asset 2: Hardware

Server Security Risks

The web servers and database servers used in the system will be kept in the server room. They are exposed to physical security attacks if attackers succeed in breaking through the physical security measures applied.

End-User PC Security

The PCs and mobile devices used to access the student grading system are also exposed to the risk of being stolen. The loss or theft of a device has severe consequences for the information on it and for the user.

IT Asset 3: Software

Software Security Risks

The software used in the system will be exposed to risks such as malware, account hijacking, targeted exploitation, data breaches and data integrity issues.

IT Asset 4: Networking Peripherals & Communication Architecture

Network Perimeter Security

The networking equipment, protocols and communication tools are the path through which all of the network-based threats listed for the information asset reach the system: phishing, man-in-the-middle attacks, denial of service and distributed denial of service attacks, malware, message alteration and media alteration attacks.

Risk Register

A risk register has been prepared for the risks identified above. Each risk is assigned a likelihood and a consequence rating; the level of risk is read from a likelihood/consequence matrix and the risks are then ranked by priority (1 = highest).

Threat/Vulnerability                                  | Likelihood     | Consequence  | Level of Risk | Risk Priority
------------------------------------------------------|----------------|--------------|---------------|--------------
Account hacking & targeted exploitation               | Possible       | Major        | Extreme (E)   | 8
Data breaches                                         | Likely         | Catastrophic | Extreme (E)   | 2
Data leakage                                          | Possible       | Catastrophic | Extreme (E)   | 6
Malware attacks                                       | Almost certain | Major        | Extreme (E)   | 1
Device loss                                           | Rare           | Catastrophic | High (H)      | 10
Denial of Service and Distributed Denial of Service   | Likely         | Catastrophic | Extreme (E)   | 3
Message and media alteration (data integrity attacks) | Possible       | Major        | Extreme (E)   | 7
Eavesdropping attacks                                 | Possible       | Catastrophic | Extreme (E)   | 4
Man-in-the-middle attacks                             | Possible       | Catastrophic | Extreme (E)   | 5
Physical security risks                               | Unlikely       | Catastrophic | Extreme (E)   | 9

Security Strategies and Actions

Security actions and strategies must be adopted so that the identified risks are prevented where possible and mitigated and controlled where they cannot be prevented. The strategy and actions for each risk are listed below.

  • Account hacking & targeted exploitation: Authentication shall be multi-factor, with a one-time password (and biometric or face recognition where the user's device supports it) required in addition to the account password. Access control shall be role-based so that students, academic staff and administrative staff each receive only the permissions their role needs (least privilege), and login attempts shall be rate-limited and logged so that password guessing is detected and stopped (Jung & Park, 2013).
  • Data breaches: The data held in the student grading system shall be encrypted at rest and in transit, and database access shall be restricted to the application's own service account with role-based access control applied on top, so that a compromised component cannot read the whole data set. All access shall be logged.
  • Data leakage: The same encryption and access controls apply. In addition, exports and bulk queries of grade data shall be restricted to administrative roles and logged, so that large-scale extraction by an internal user is both limited and detectable.
  • Malware attacks: Anti-malware tools with ransomware protection must be installed on the servers and on end-user devices, kept up to date, and configured for regular scheduled scanning of systems and networks.
  • Device loss: End-user devices shall be enrolled in device management that provides tracking, remote lock and remote wipe, with full-disk encryption enabled, so that a lost or stolen device can be located and does not expose any cached grade data.
  • Denial of Service and Distributed Denial of Service: Rate limiting at the web tier and an upstream DDoS mitigation service shall be used, and network monitoring shall alert on abnormal traffic volumes (Mahjabin, Xiao, Sun & Jiang, 2017).
  • Message and media alteration (data integrity attacks): Encryption alone does not prevent alteration of stored grades. Every grade change shall be recorded in the audit log with the acting user, the old and new value and the time; database integrity constraints and message authentication codes or digital signatures over grade records shall be used so that unauthorised changes are detected; data in transit shall be protected by TLS (Lin, Yu, Zhang, Yang & Ge, 2018).
  • Eavesdropping attacks: All traffic between clients, the web/application server and the database shall use TLS, so that captured traffic is unreadable. Firewalls, network-based intrusion detection and prevention systems, network scanners and network monitors shall be deployed to detect attackers who obtain a position on the network.
  • Man-in-the-middle attacks: TLS with strict certificate validation (and HSTS on the web front end) prevents an attacker who sits between client and server from reading or altering traffic; the same firewalls, intrusion detection and prevention systems and network monitors apply (Wang, 2018).
  • Physical security risks: Server rooms must be secured by a security guard at the entrance, with surveillance tools used to record all activity. Digital modes of authentication, such as biometric authentication and automated locks, shall be used to protect the systems and servers.
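The integrity strategy above says that encryption does not stop alteration and that grade records need a message authentication code. The following is an added example (not code from the case study) of one way to do that: each grade record in a change log carries an HMAC-SHA256 tag that also covers the previous record's tag, so that editing a grade, deleting a record or reordering records is detected on verification. The key, the sample records and the field names are constructed for the example; the key is assumed to be held only by the application/database tier and never by end users, and the MAC complements rather than replaces access control, since anyone holding the key can re-seal the chain.

```python
import hashlib
import hmac
import json

# Assumption: held only by the application/database tier. Constructed value;
# a deployment generates this randomly and stores it in a secrets manager.
KEY = b"replace-with-a-randomly-generated-32-byte-secret"

# Constructed sample grade records (not from the case study).
SAMPLE_RECORDS = [
    {"seq": 1, "student": "s1001", "course": "7623ICT", "grade": 72, "by": "dr_lee"},
    {"seq": 2, "student": "s1002", "course": "7623ICT", "grade": 58, "by": "dr_lee"},
    {"seq": 3, "student": "s1001", "course": "1001ICT", "grade": 65, "by": "dr_kim"},
]
GENESIS = "0" * 64  # "previous tag" of the first record


def canonical(record):
    """Deterministic serialisation: key order and whitespace must not affect the MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def mac(body, key):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def seal_chain(records, key):
    """Append a MAC to each record that also covers the previous record's MAC,
    so editing, deleting or reordering any entry breaks every later link."""
    sealed, prev = [], GENESIS
    for rec in records:
        body = dict(rec, prev=prev)
        body["mac"] = mac(body, key)  # MAC computed before the field is added
        sealed.append(body)
        prev = body["mac"]
    return sealed


def verify_chain(sealed, key):
    """Return the index of the first record that fails verification, or -1
    if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(sealed):
        if rec.get("prev") != prev:
            return i  # a record was removed, inserted or reordered before here
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(mac(body, key), rec.get("mac", "")):
            return i  # this record's content was altered
        prev = rec["mac"]
    return -1


if __name__ == "__main__":
    chain = seal_chain(SAMPLE_RECORDS, KEY)
    print("intact:", verify_chain(chain, KEY))
    chain[1]["grade"] = 99  # a tampered grade
    print("first bad record:", verify_chain(chain, KEY))
```

Verification is run as a scheduled job by the security analyst against the stored change log; a non-negative result identifies the first record from which the log can no longer be trusted and is itself a security event to be investigated.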

Residual Risks

Certain risks may occur in spite of the measures and controls adopted. One is malware, because attackers keep producing new malware code and techniques to attack end-user systems. A disaster recovery plan and data backups shall be kept in place so that the impact of such an event is reduced when it occurs.

Insider threats cannot be fully controlled either, because internal employees and staff members may knowingly or unknowingly pass information to unauthorized parties.

The risk of mobile device loss or theft also remains, since users may leave their devices somewhere or drop them; such occurrences cannot be prevented by the controls above.

Risk Name               | Likelihood Level | Impact Level | Risk Score (Likelihood × Impact)
------------------------|------------------|--------------|---------------------------------
Malware Attacks         | 2                | 4            | 8
Insider Threats         | 3                | 5            | 15
Device Loss or Stealing | 2                | 5            | 10

Resources

Hardware Resources

Biometric devices and sensors for the implementation of biometric recognition systems, surveillance tools, such as microphones and video cameras for enhanced physical security, and digital locks and vaults for keeping the devices safe and protected at all times.

Software Resources

Network-based security controls and tools, such as firewalls, network-based intrusion detection and prevention systems, network scanners and network monitors, shall be installed. Anti-malware tools with ransomware protection must be installed and integrated so that regular scanning of the entire system and network is carried out. Rate limiting at the web tier and a DDoS mitigation service shall be in place. A device management platform shall be used for the end-user devices, and a log collection and analysis tool shall be used to hold the audit logs required by the scenario.

Human Resources

  • Chief Information Security Officer (CISO): This resource will develop and implement the IT Security Plan and the associated set of policies (Wsj, 2018).
  • Security Auditor: Security audits and reviews will be carried out at regular intervals to find the gaps involved. Improvement measures will be taken on the basis of the audit results.
  • Security Analyst: This resource will analyse the network security logs and system logs to find deviations and suspicious activity, such as repeated failed logins against one account or from one address, and the automated scanning called out in the scenario.
  • Implementation Resource: This resource will implement and monitor the security strategies and actions.
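The analyst's log review can be partly automated. The following is an added example (not code from the case study) that parses web server access logs in the common combined format and flags three of the scenario's threats: password guessing against the login endpoint, automated scanning tools identified by their User-Agent, and path probing by a source that requests many different non-existent paths in a short time. The log lines are constructed for the example, the login endpoint is assumed to be `/login` and to return 401 on a failed login, and the thresholds and rule names are choices for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|zgrab", re.I)

# Constructed sample log (not real traffic): a login-guessing burst that ends in a
# success, normal student activity, a directory-probing scanner and an sqlmap probe.
SAMPLE_LOG = """
203.0.113.5 - - [12/Mar/2019:10:00:01 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:00:02 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:00:03 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:00:04 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:00:05 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:00:06 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2019:10:00:30 +1000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - s1001 [12/Mar/2019:10:01:10 +1000] "GET /grades/s1001 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2019:10:05:00 +1000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:02:00 +1000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:02:01 +1000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:02:02 +1000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:02:03 +1000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2019:10:02:04 +1000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2019:10:03:00 +1000] "GET /grades/s1001?id=1%27 HTTP/1.1" 200 0 "-" "sqlmap/1.3 (http://sqlmap.org)"
"""


def parse(text):
    """Parse combined-format lines into dicts; malformed lines are skipped, not trusted."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def _burst(times, threshold, window_s):
    """True if at least `threshold` timestamps fall inside some window of window_s seconds."""
    times = sorted(times)
    for i in range(len(times)):
        j = i
        while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
            j += 1
        if j - i + 1 >= threshold:
            return True
    return False


def analyse(text, threshold=5, window_s=60):
    """Return sorted (source ip, rule) findings for the three detection rules."""
    login_failures = defaultdict(list)   # ip -> timestamps of failed logins
    probes = defaultdict(dict)           # ip -> {404 path: first time seen}
    findings = set()
    for e in parse(text):
        if SCANNER_UA.search(e["ua"]):
            findings.add((e["ip"], "scanner_user_agent"))
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] in (401, 403):
            login_failures[e["ip"]].append(e["ts"])
        if e["status"] == 404:
            probes[e["ip"]].setdefault(e["path"], e["ts"])
    for ip, times in login_failures.items():
        if _burst(times, threshold, window_s):
            findings.add((ip, "login_bruteforce"))
    for ip, paths in probes.items():
        if _burst(list(paths.values()), threshold, window_s):
            findings.add((ip, "path_probing"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, rule in analyse(SAMPLE_LOG):
        print(f"{ip:<14} {rule}")
```

The single failed login from 198.51.100.7 is below the threshold and is not reported, which is the intended behaviour: the rules are tuned to the bursts that automated tools produce, and the thresholds are the knobs the analyst adjusts against the university's real traffic. A login burst that ends in a 302 success, as 203.0.113.5 shows, is the case that most deserves immediate follow-up.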

Maintenance & Training

End users shall be given training on the security practices they must adopt to prevent and control attacks, and on the common mistakes (such as responding to phishing messages) that allow attackers to carry out attacks. The security team must also be trained on the security strategies it is to adopt.

Maintenance will include installing updates and security patches at regular intervals, so that known security vulnerabilities are closed before they can be exploited. The security software, such as anti-malware tools, DDoS mitigation tools and network-based security controls, shall be updated as part of the maintenance activities (Bays, Oliveira, Barcellos, Gaspary & Mauro Madeira, 2015).

References

Bays, L., Oliveira, R., Barcellos, M., Gaspary, L., & Mauro Madeira, E. (2015). Virtual network security: threats, countermeasures, and challenges. Journal Of Internet Services And Applications, 6(1). doi: 10.1186/s13174-014-0015-z

Huang, H., Zhang, Z., Cheng, H., & Shieh, S. (2017). Web Application Security: Threats, Countermeasures, and Pitfalls. Computer, 50(6), 81-85. doi: 10.1109/mc.2017.183

Jung, K., & Park, S. (2013). Context-Aware Role Based Access Control Using User Relationship. International Journal Of Computer Theory And Engineering, 533-537. doi: 10.7763/ijcte.2013.v5.744

Lin, J., Yu, W., Zhang, N., Yang, X., & Ge, L. (2018). Data Integrity Attacks against Dynamic Route Guidance in Transportation-based Cyber-Physical Systems: Modeling, Analysis, and Defense. IEEE Transactions On Vehicular Technology, 1-1. doi: 10.1109/tvt.2018.2845744

Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal Of Distributed Sensor Networks, 13(12), 155014771774146. doi: 10.1177/1550147717741463

O'Donnell, A. (2008). When Malware Attacks (Anything but Windows). IEEE Security & Privacy Magazine, 6(3), 68-70. doi: 10.1109/msp.2008.78

Wang, Y. (2018). Analysis on the Causes of Network Language Violence and Its Countermeasures. Destech Transactions On Social Science, Education And Human Science, (adess). doi: 10.12783/dtssehs/adess2017/17825

Wsj. (2018). The Growing Role of the CIO. Retrieved from https://www.wsj.com/articles/the-growing-role-of-the-cio-1520992980
