This essay is written from the perspective of an Information Systems Officer (ISO) of a small pharmacy. The essay contains an IT security plan that is built upon the foundation present at the store. Security issues are discussed as preventative means are presented to make both the logical and physical security of this organization better.
IT Plan
As the world continues to evolve with technology and technological advances, certain problems arise that require precise and involved management of these advances. The purpose of this essay is to examine the importance of information security systems and how they demonstrate their importance in the commercial world. To do this, this essay will be presented from the viewpoint of an Information Security Officer (ISO) who has been tasked to identify the inherent risks associated with a business operation and to establish physical and logical access control methods that will help minimize those risks. A scenario has been created to help explain this process, in which a pharmacy and its accompanying information systems scheme are presented to give an example of how this may be done.
In order to accomplish this task, this report will first identify the physical vulnerabilities that are given in the directed scenario before identifying the logical vulnerabilities and threats that require an ISO's consideration. Next, the potential impacts of all of these threats will be presented in order to formulate a solid solution to the problem. The logical threats and vulnerabilities will also be discussed in terms of their full impact on the situation. This report will then move into a mindset that attempts to thwart and lessen these threats as controls are introduced to help mitigate each risk presented.
Background Scenario
This particular scenario revolves around a pharmacy store and its associated information and computing systems, which are being utilized by the leadership at this store. As the ISO for this organization, it is my responsibility to ensure that these systems are safe, secure and, most importantly, fall within the larger strategic concept of the firm. The pharmacy itself contains several important details that will help shape and define the controls that will eventually be implemented.
The pharmacy is a standard square store with some unique features. The front entrance of the store, leading from a larger mall, is where most of the interaction with customers begins. There are three windows in this store that have personal computers to assist the customers and their purchases. The back room has an unused caged area, drug inventory and an office with the information systems components. In this architecture, these components consist of a firewall system, a server domain controller, a file server and another computer. The system runs on a T1 line to communicate between machines and elsewhere. There is also a rear entrance to this shop that is used for employees only.
Ultimately, the ISO is responsible for ensuring that this system operates fluidly and efficiently. This requires having knowledge and understanding of the users of the system, the hardware, software, operating system and network administration. Only when all of these prerogatives are matched with an accompanying plan will this pharmacy be safe to operate within.
Potential Physical Vulnerabilities
The physical layout of the store provides the best information on how to identify physical threats to the pharmacy store. The most obvious of these factors can be understood by the location of the most important items of the system. In this particular instance, there are some glaring problems with the physical security of this pharmacy.
The main components of the network (the firewall, server and controllers) are all located within an unsecured office location. Any individual wishing to invade the physical space of this system would be relieved to know that there is very limited physical security associated with the network itself. The back door's location also points to this risk.
The physical constructs of this system are not taking into consideration one of the biggest threats to security, the employees themselves. Prince (2009) explained that "Employees with malicious intent have always been the biggest threat to an organization." Hiring practices are never perfect and the human condition will always surprise, so it is important to defend against this threat even if it is not obvious.
Any employee of the pharmacy has direct access to all of the drug inventory, but more importantly to the computer systems as well. Theft of equipment or vital data can have a large and significant effect on any organization. Theft of important equipment within the firm, such as cables, routers or even computers, can have a big effect. For example, if someone were to take a vital piece of equipment, it could cause the whole system within the organization to completely shut down, or could even open up holes for security breaches to occur. Employees are most familiar with their employer's computers and applications, including knowing what actions might cause the most damage, mischief, or sabotage. The downsizing of organizations in both the public and private sectors has created a group of individuals with organizational knowledge,
Potential Logical Vulnerabilities
Logical vulnerabilities are much more prevalent in this case than the physical weaknesses. Most of the important information and data is stored on these computer systems and the risks appear to be great. The information contained is both confidential and valuable, making the security of this information an incredibly important task.
The first item to tackle in this case is viruses. Vernon (2012) explained "In terms of sheer frequency, the top spot on the list of security threats must go to viruses. According to a DTI survey, 72% of all companies received infected e-mails or files last year and for larger companies this rose to 83%." Computer viruses come in many different forms, much like real viruses, and further dissection of this threat is necessary in order to truly understand it. There are many threats that could cause a great amount of damage to an IT system; these include worms, malware, viruses, Trojan horses and many more.
Worms are malicious programs that make copies of themselves over and over, on the local drive, network, email, or Internet. A Trojan horse may actually appear to be a useful application, which is why so many unsuspecting people download them. A Trojan horse might be disguised as a program intended to rid a computer of viruses, yet actually be used to infect the system instead. Spyware is a program that secretly records our actions on a computer. It can be used for legitimate purposes; however, the majority of spyware is malicious and dangerous. Its aim is to capture passwords, banking credentials and credit card details.
Potential Impact of Vulnerabilities and Threats
Once again, the internal threat is most significant when dealing with the potential impacts of the physical vulnerabilities of this system. The users are the most important aspect of this system because they will have the most exposure to it. Every day the employees who are responsible for handling customers' requests and navigating the computer system put themselves front and center into the eye of this dangerous storm. Problems with the system must be kept to a minimum; otherwise the employees will be forever asking the ISO questions, demonstrating the ineffectiveness of the plan.
The end-users will always be in close proximity to the hardware, and will consistently be using the software to help customers. Most of these people will not have much technological knowledge outside of the training they would receive from me, the ISO. People are more important than the technology, and this must always be kept in mind as things continue to evolve and change. People themselves will make or break this system, and the technology is useless until a proper purpose can be applied to it in order to make things work.
Potential Impact of Threats in The Network
What exactly is at risk for the pharmacy? The potential that the cumulative risks present is very large and overwhelming. The entire organization is at risk once it places so much emphasis on the information systems it uses to command and control the organization. Recognizing these threats can be accomplished by applying some common sense and a vigilant attitude towards keeping things clean and safe.
As the ISO it is important to realize what exactly needs to be protected and why. In addition to understanding these priorities, education of others is also important to limit these types of threats. Backup systems and storage options are also at risk. It is very important to work closely with the leadership of the organization to determine what exactly is the most important information and determine the overall strategic outlay for the entire organization.
The National Institute of Standards and Technology presented the most comprehensive take on the threats posed to information systems. Its handbook on computer security stated that "computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers. Losses can stem, for example, from the actions of supposedly trusted employees defrauding a system, from outside hackers, or from careless data entry clerks."
Some of the threats are more obvious than others. It is apparent that the customer account information is most important. If this data is hacked, valuable and sensitive information about medical histories and finances can be readily accessible, leaving the customer extremely exposed to wrongdoing. A security breach of this type may cause the company to go under, as trust is the most important thing to consider when dealing with such personal and valuable information.
Understanding the importance of the sensitive information contained within the system leads me to the next priority: ensuring that the employees are practicing safe and effective information security steps. The most rigid security system is no good if the users keep passwords on notes attached to their computers. Good computer discipline remains extremely important in avoiding threats and must be kept in mind all the time.
Control Measures for Physical Threats
Each control measure should be comprehensive in nature and should address more than one concern if possible. Control measures may come in many forms such as administrative, preventative, detective and corrective. Sometimes controls span over several of these qualities and usually present better options due to the flexibility and effectiveness of that control measure's ability to help fix problems.
Moving and securing all of the hardware components of this system is the best first step to take in this case. This action is both administrative and preventative in nature. The file server and the other components currently located in the office need to be moved to a caged area with strictly controlled access. Access to this area should be restricted to as few people as possible. Video cameras and log books need to be implemented to track access to these key components.
Another control that may help lessen the physical threats to the situation rests in a solid education plan. Creating a class that helps train employees on the software aspects of the system will be helpful in its own right, but learning about the employees themselves through conversation will also help the leadership branch of this organization get to know how well each employee works with this technology. Knowing the employees better will help highlight suspects in case a breach does occur.