As the world continues to evolve with technology and technological advances, certain problems arise that requires precise and involved management of these advances. The purpose of this essay is to examine the importance of information security systems and how they demonstrate their importance in the commercial world. To do this, this essay will be presented from the viewpoint of an Information Security Officer (ISO) who has been tasked to identify the inherent risks associated with a business operation and to establish physical and logical access control methods that will help minimize those risks. A scenario has been created to help explain this process where a pharmacy and its accompanying information systems scheme are presented to give an example of how this may be done.
In order to accomplish this task, this report will first identify the physical vulnerabilities that are given in the directed scenario before identifying the logical vulnerabilities and threats that require an ISO's consideration. Next, the potential impacts of all of these threats will be presented in order to formulate a solid solution to the problem. The logical threats and vulnerabilities will also be discussed in terms of their full impact on the situation. This report will then move into a mindset that attempts to thwart and lessen these threats as controls are introduced to help mitigate each risk presented.
This particular scenario revolves around a pharmacy store and their associated information and computing systems that are being utilized by the leadership at this store. As the ISO for this organization, it is my responsibility to ensure that these systems are safe, secure and, most importantly, fall within the larger strategic concept of the firm. The pharmacy itself contains several important details that will help shape and define the controls that will eventually be implemented.
The pharmacy is a standard square store with some unique features. The front entrance of the store, leading from a larger mall, is where most of the interaction with customers begins. There are three windows in this store that have personal computers to assist the customers and their purchases. The back room has a unused caged area, drug inventory and an office with the information systems components. In this architecture, these components consist of a firewall system, a server domain controller, a file server and another computer. The system runs on a TI line to communicate between machines and elsewhere. There is also a rear entrance to this shop that is used for employees only.
Ultimately, the ISO is responsible for ensuring that this system operates fluidly and efficiently. This requires having knowledge and understanding of the users of the system, the hardware, software, operating system and network administration. Only when all of these prerogatives are matched with an accompanying plan, will this pharmacy be safe to operate within. .
Potential Physical Vulnerabilities
The physical layout of the store provides the best information on how to identify physical threats to the pharmacy store. The most obvious of these factors can be understood by the location of the most important items of the system. In this particular instance, there are some glaring problems with the physical security of this pharmacy.
The main components of the network, the firewall, server and controllers are all located within an unsecured office location. Any individual wishing to invade the physical space of this system would be relieved to know that there is very limited physical security associated with the network itself. The back door's location also denotes this risk as well.
The physical constructs of this system is not taking into consideration one of the biggest threats to security, the employees themselves. Prince (2009) explained that "Employees with malicious intent have always been the biggest threat to an organization. " Hiring practices are never perfect and the human condition will always surprise, so it is important to defend against this threat even if it is not obvious.
Any employee to the pharmacy has direct access to all of the drug inventory, but more importantly the computer systems as well. . Theft of equipment or vital data can have a large and significant effect on any organization. Theft of important equipment within the firm, such as cables, routers or even computers can have a big affect. For example, if someone were to take a vital piece of equipment, it could cause the whole system within the organization to completely shut down, or could even open up holes for security breaches to occur. Employees are most familiar with their employer's computers and applications, including knowing what actions might cause the most damage, mischief, or sabotage. The downsizing of organizations in both the public and private sectors has created a group of individuals with organizational knowledge,
Potential Logical Vulnerabilities
Logical vulnerabilities are much more prevalent in this case than the physical weaknesses. Most of the important information and data is stored on these computer systems and the risks appear to be great. The information contained is both confidential and valuable, making the security of this information an incredibly important task.
The first item to tackle in this case is viruses. Vernon (2012) explained "In terms of sheer frequency, the top spot on the list of security threats must go to viruses. According to a DTI survey, 72% of all companies received infected e-mails or files last year and for larger companies this rose to 83%." Computer viruses come in many different forms, much like real viruses and further dissection of this threat is necessary in order to truly understand it. There are many threats that could cause a great amount of damage to an IT system; these threats include aspects such as: Worms, Malware, Viruses, Trojan Horse and many more.
Worms are malicious programs that make copies of themselves over and over, on the local drive, network, email, or Internet. A Trojan horse may actually appear to be a useful application, which is why so many unsuspecting people download them. A Trojan horse might be disguised as a program intended to rid a computer of viruses, yet actually be used to infect the system instead. Spyware is a program that secretly records our actions on a computer. They can be used for legitimate purposes, however the majority of spyware is malicious and dangerous. Its aim is to capture passwords, banking credentials and credit card details.
Potential Impact of Vulnerabilities and Threats
Once again, the internal threat is most significant when dealing with the potential impacts of the physical vulnerabilities of this system. The user is the most important aspect of this system because they will have the most exposure to the system Every day the employees who are responsible for handling customers requests and navigating the computer system put themselves front and center into the eye of this dangerous storm. Problems with the system must be kept at a minimum, otherwise as the ISO, the employees will be forever asking questions demonstrating the ineffectiveness of the plan.
The end-users will always be in close proximity to the hardware, and will consistently be using the software to help customers. Most of these people will not have much technological knowledge, outside of the training they would receive from me the ISO. People are more important than the technology and this must always be kept in mind as things may continue to evolve and change. People themselves will make or break this system, and the technology is useless until a proper purpose can be applied to it in order to make things work.
Potential Impact of Threats in The Network
What is exactly at risk for the pharmacy? The potential that the cumulative risks presents is very large and overwhelming. The entire organization is at risk once it places so much emphasis on the information systems it uses to command and control the organization. Recognizing these threats can be accomplished by applying some common sense and a vigilant attitude towards keeping things clean and safe.
As the ISO it is important to realize what exactly needs to be protected and why. In addition to understanding these priorities, education of others is also important as well to limit these type of threats. Backup systems and storage options are also at risk as well. It is very important to work closely with the leadership of the organization to determine what exactly is the most important information and determine the overall strategic outlay for the entire organization.
The National Institute of Standards and Technology presented the most comprehensive take on the threats posed to information systems. In their handbook on computer security it stated "computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks."
Some of the threats are more obvious than others. It is…