Compliance with the company's policies and procedures is vital to the organization, and those policies and procedures should be clearly communicated to the appropriate business teams.
Intruder: The suggested treatment for attacks by an external intruder such as a hacker is to ensure that all communication within the organization is encrypted, to deter unauthorized access to company data. Moreover, the organization should use antivirus software to protect company data from attacks such as Trojan horses, worms and viruses. Compliance with policies and procedures is vital to assuring organizational IT security.
Disgruntled Employee: The company needs to evaluate each member of personnel before they are allowed to handle sensitive information. A background check should be conducted on each employee; it could verify a potential employee's criminal and social background. Employees should be asked to sign a confidentiality agreement that states the penalties for breach of contract.
Developing a Risk Treatment Plan
To obtain the required return on investment (ROI), risks need to be managed effectively. The additional types of risk that the organization needs to address are as follows:
Network Security: The organization's network is vital for effective business communication. An unauthorized individual could intercept data transmitted through the computer network, so an appropriate security plan is needed to enhance network security. The following procedures should be followed to enhance network security:
Proper documentation of the design and implementation of the network.
Firewall configuration to deter unauthorized access to the network.
Installation of antivirus software on all systems and servers.
Prevention of unauthorized access to company data and the network.
Always update the virus signatures.
Encryption and secure connections.
Software security and security for the operating system.
Use of access control and authentication.
Use of an Intrusion Detection System (IDS).
Use of an Intrusion Prevention System (IPS).
Network routing control.
Network connection control.
Password management, such as regular change of passwords.
Use of authentication and automatic terminal identification.
Terminal logon procedure.
Physical Security: Physical security refers to the procedures for securing the company's physical assets, such as buildings, working areas, documents, systems and devices. All of these need to be secured properly, since damage to any of them could lead to damage to IT assets. The procedures that provide key security measures for company facilities are as follows:
Provision of 24-hour security with trained security guards.
Use of physical entry controls such as:
- Identification mechanisms such as swipe cards and identification cards.
- Access authorization.
- Access restrictions enforced on a daily basis.
- An entry and exit tracking system.
- Restricted access to the data centre and server rooms.
- Close 24-hour monitoring by closed-circuit television at critical locations such as the network room and data center.
- Restricted movement of media such as flash drives, compact disks etc.
Paper control through authorization and physical inspection at gate passes.
Use of a fire detection system and a fire suppression system.
Storing backup media that contain critical information at a remote offline location.
Based on the identification of risks to IT assets and the methods for treating them, the report discusses whether Hilcorp Energy Company actually has appropriate policies and procedures for the treatment of these risks.
Results of the Risk Analysis
Based on the risk assessment conducted on Hilcorp Energy Company, the report uses the following criteria to assess the organization's IT security.
User Authentication and Access Controls
User authentication is the process of verifying a user's identity before the user is allowed to gain access to a computer system. Analysis of the method that Hilcorp Energy Company employs shows that it uses password-based authentication: a user is asked to enter his or her password at login, each time access to the network is requested. While this process is effective within the organization to the extent that it only allows authorized users onto the computer network, password-based authentication on its own is not effective across the network. A sophisticated hacker could intercept the password remotely. There are situations where hackers use a Trojan horse or worm to infect the user's computer in order to steal the user's password. In addition, a password sent across the network could be eavesdropped on and used by the eavesdropper to impersonate the user. Moreover, password-based authentication is inconvenient because users are asked to enter their passwords each time they want access.
The company's access control policy is effective because it defines the operations or actions that a legitimate user may execute. The company uses an access control system to prevent users from performing activities that could lead to a breach of security. Under the company's policy and procedures, a reference monitor mediates every user's attempt to access the system: each time a legitimate user attempts to access a resource, the reference monitor consults the authorization database to determine whether the user is authorized to perform the requested operation.
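As an added illustration (not the report's own material), the following Python sketch shows the mediation step just described: a reference monitor that consults an authorization database on every request, denies anything not explicitly granted, and records each decision for audit. The subject names, file names and permission entries are constructed samples.

```python
"""Added example: a minimal reference monitor with an authorization database.
All subjects, objects and grants below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AuthorizationDB:
    # (subject, object) -> set of operations the subject may perform on it
    entries: dict = field(default_factory=dict)

    def grant(self, subject, obj, *operations):
        self.entries.setdefault((subject, obj), set()).update(operations)

    def allowed(self, subject, obj, operation):
        # Unknown (subject, object) pairs yield an empty set, i.e. deny
        return operation in self.entries.get((subject, obj), set())


@dataclass
class ReferenceMonitor:
    db: AuthorizationDB
    audit_log: list = field(default_factory=list)

    def check(self, subject, obj, operation):
        """Complete mediation: every request passes through here and is
        denied unless the authorization database explicitly permits it.
        Each decision is logged so denied attempts can be reviewed."""
        decision = "ALLOW" if self.db.allowed(subject, obj, operation) else "DENY"
        self.audit_log.append((subject, obj, operation, decision))
        return decision == "ALLOW"


def build_demo():
    # Constructed authorization entries for two hypothetical users
    db = AuthorizationDB()
    db.grant("alice", "drilling_report.xlsx", "read", "write")
    db.grant("bob", "drilling_report.xlsx", "read")
    return ReferenceMonitor(db)


def denied_attempts(monitor):
    # Audit view: every mediated request that the monitor refused
    return [entry for entry in monitor.audit_log if entry[3] == "DENY"]
```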
PC / Workstation Security
The workstation is an "electronic computing device, including laptop, tablet PC, desktop computer, PDA, or any other device that performs similar functions, as well as the electronic media stored in its immediate environment such as local hard drives, CDROMs, floppy drives, zip-drives that are directly connected to the device" (University of California, 2007, p. 1).
Security of the PC/workstation is very important for addressing the risks that might arise at the workstation. The risk assessment of Hilcorp Energy Company reveals that the company employs different procedures to enhance PC/workstation security. The company allows workers to use personal computers (PCs) because, at the site, workers move from one place to another. Typically, each worker's PC contains vital organizational information, and if such a PC gets into the hands of an unauthorized user, company information might be at risk. Thus, the company implements security measures to enhance PC/workstation security.
First, there are trained security guards at the company location to ensure that unauthorized persons are not admitted. In addition, the company uses 24-hour closed-circuit television to monitor activities at the location.
Moreover, the company implements physical inspection at the gate pass. Since users work on PCs, the company employs access control to govern the nature of work a user may perform on a PC.
The company also implements virus detection using virus detection software, and stores all backups offline at a remote location. As part of its security policy, the company prohibits the installation or download of personal software on company PCs.
The company also installs antivirus software on all company PCs. A user must be authenticated before being allowed into the system. The company also uses encryption to protect company data from unauthorized access. While the company employs all these security measures for its PCs/workstations, there are still some shortcomings in them.
While the company employs encryption to protect company data from unauthorized users, it does not implement "cryptography for PC/workstation security" (Harn, Lin, & Xu, 1994). Although encryption is very effective for securing a PC/workstation, it remains effective only if the private key used for decryption is not compromised. In the case of Hilcorp Energy, many people use the same private key for decryption, so that key could easily be compromised. Cryptographic methods could be employed to address the shortcoming identified in the encryption method (SecureRF, 2010).
Network Perimeter Security
The company uses a Wide Area Network (WAN) to connect headquarters with the other stations. Analysis of the network perimeter reveals that the company implements a firewall and an intrusion detection system (IDS) as its security procedures for the network. Typically, a firewall is effective because it blocks unauthorized traffic; it also enables fast packet inspection and can filter authorized traffic. The shortcoming of using a firewall as the only security procedure is that a firewall cannot detect high-level attacks. In addition, a firewall cannot block malicious traffic that passes through open ports or traffic that appears legitimate. Moreover, a firewall cannot block traffic that passes through an encrypted tunnel.
The company also uses the intrusion detection system (IDS) as another method to enhance network security. While an IDS is effective at detecting unauthorized access to the network, it cannot prevent that access.
Based on the shortcomings identified in the company's security devices, the report suggests effective security procedures…