Information Technology Hilcorp Energy Company

Information Technology

Hilcorp Energy Company is a medium sized organization specializing in the exploration of oil and natural gas. The company headquarter is located in Houston in the United States. However, the company has other operating locations in Gulf Coast region, the Rockies and Gulf of Mexico. The company Vision is "to be premier private energy company in the United States" while the company vision is to "efficiently develop energy that would otherwise be lost while providing an enjoyable and challenging work environment where long-term personal wealth can be created for all." (Hilcorp Energy, 2011 P1). Established in 1989, the company employs latest technology to extract oil and gas at Wyoming's Powder River Basin and Gulf of Mexico.

The objective of this report is to provide practical security assessment on the IT infrastructures and practices of Hilcorp Energy Company.

To enhance the ethical consideration, the researcher seeks for the permission from the management of the Hilcorp Energy Company before conducting the analysis on the IT infrastructure and practice of the company.

Ethical Consideration

To enhance the ethical consideration, the researcher seeks permission from the management of the Hilcorp Energy to evaluate the current IT infrastructure and practices of the company. To seek the permission from the management, the researcher wrote a formal letter to the Information Technology Director, Jim Noot, explaining the major objective for conducting research on their organization, and the benefits their organization will derive from the findings of the analysis. Having wait for almost a week for the response and received no reply, the researcher telephoned the IT director asking for the status of his letter. During the 30 minutes telephone conversation, and the researcher assures the director that the researcher only wants to perform external security consulting on the company IT infrastructure and practice and the findings of the assessment will be kept confidential. Having convinced the director the motive behind the assessment, the director finally accepts the researcher request to assess the IT infrastructures and practices of Hilcorp Energy Company.

Method of Data Collection

The researcher employs qualitative approach to collect data. The major objective for using qualitative approach for data collection is to go in-dept into the phenomenon. As being argued by Trochim and Donnelly (2007), qualitative method of data collection is advantageous because the researcher will be able to go in-dept into the phenomenon. A major instrument that qualitative approach uses for data collection is in-dept interview. A shortcoming of qualitative approach for data collection is that it is time consuming. The researcher selects in-dept interview for data collection, and with the permission of the IT director, the researcher is allowed to conduct 30-minute interview with the IT manager. From the interview discussion, the researcher is able to conduct security risk assessment on the IT infrastructures and practices of the company.

Security Risks Assessment

Security risk assessment is important to enhance the greater understanding on the potential danger the company is facing if the company IT infrastructures have been compromised. To conduct the security assessment, it is important to identify IT assets, and its important to the organization.

IT Context and Assets

IT assets include all elements of company software and hardware. IT security is concerned with the protection of the organization IT assets from internal and external threats. Typically, the threats are the potential abuse on the company IT assets. Apart from categorizing the physical hardware and software as assets, the IT assets also include all the information stored in the data warehouse, which could enhance organizational decision-making. Typically, the company uses the hardware infrastructures to enhance organizational networking and communication for the organizational efficiency. The company hardware, software and the company data warehouse are the key company IT assets. These IT assets are categorized as high risks for the company because a damage to the company IT assets could make business process of an organizational to go standstill.

Teymouri & Ashoori (2011) argue that IT infrastructures are considered as the strategic assets of most organizations, and they are important factors that lead to the business success. Organizational IT assets may worth several thousands of dollars or several millions of dollars, and if adequate measures are not implemented to protect the company IT assets, an organization may face danger of losing huge amount. Typically, by losing the company IT assets, a company public image may be at significant risks which may make an organization to lose some of its major customers. Moreover, if a company IT assets are compromised, the confidence the stakeholders have on the organization will diminish. Thus, an organization needs to employ maximum-security measures to protect the company assets. (Teymouri, & Ashoori 2011).

Identification of IT Threats

Identification of risks that could harm the company IT assets is very critical. The threat identification will enhance greater understanding of the organization on the impact of the threat, and the adequate measure needed to prevent the threat on the organizational IT infrastructures. Some of the risks that could damage the company IT assets are as follows:

Intruders: The sophisticated hackers are termed as intruders who could enter the company database and steal vital information that worth thousands or millions of dollars from the company database. Depending on the type of information, the hackers may use this information for monetary purpose. For example, the hackers may turn this type of information onto the hand of the competitors.

Natural Disaster: Disaster such as fire, flood, earthquake, and tornado are another sort of risks on organization IT assets. These type of risks may damage organizational assets that worth thousands or millions dollars within few hours.

Disgruntled Employees: This is another type of internal risk and if not properly managed, it may cause an organization an un-estimated amount of money. A disgruntled employ may turn company vital information on the hand of the competitors or may deliberately damage the company IT assets. (United States General Accounting Office 1999).

Analysis of these risks is very critical to enhance greater understanding the method to manage them.

Risk Analysis

Risk analysis is to assess the gravity of all the identified risks and assess whether it is essential to take measures to mitigate these risks. Based on the analysis of the identified risks, natural disaster has been placed at high priority because these are the risks that could occur at any time. The wildfire disaster in California in 2008 caused damages worth billions of dollars to organizations. The earthquake occurrence in Japan in 2010 damaged organizational assets worth billions of dollars. Thus, the report places these risks as high priority, and there is a need to take urgent measure to mitigate these risks.

In addition, the risks perpetuated by the intruders are other risks that company needs to implement adequate measure. This risk is not as critical as the first risks. It is well-known that intruders attack financial institutions.

The risk categorized as disgruntled employees is the last that the company needs to address. This type of risk is not as important as other identified risks. The report provides the details of these risks in the risk register at appendix 1.

Assess & Prioritize Risks

Based on the analysis of these risks, the risks are prioritized as follows;

Natural disaster is placed at highest priority since this risk could happen at any time and its impact could cause a huge loss to an organization. The threat of these risks is so high that it could halt the business process of an organization.

Risks from intruders are placed at second priority. The intruders could use sophisticated tools such as Trojan horse, worms, eavesdropping etc. To damage the company IT assets or steal sensitive information worth large amount of money. The interesting thing about these risks is that the intruders are developing more sophisticated tools to get assess into the organizational computer system or damage IT assets.

The treatment of these risks is as follows:

Natural Disaster: A major suggestion to treat the risks associated with natural disaster is to make the backup of all the company data. Data backup is to make duplicate of all the company data. The company data is very critical to business process and should be treated as essential corporate assets. Data are not restricted to the information on paper alone but should include all information in the application software, which include research records, employee data, contract records, price lists etc.

The company will be able to turn to the data backup in case the original data are lost with the occurrence of natural disaster. Moreover, the data backup should be updated frequently to ensure that all data are up-to-date. To ensure that the data backup is free from the same threat of natural disaster, all data backup should be stored in a remote location very far away from the original data

In addition, the organization should have IT security and disaster recovery team who would establish detail security procedures for the company. The IT security and disaster recovery activities should include:

Media storage.

E-mail security.

User access control.

Remote access controls.

Network security management.

Password policies.

Compliance with the policies and procedures of the company is very vital to the organization, and the policies and procedures should be clearly communicated to the appropriate business teams.

Intruder: The suggested treatment for the attack by the external intruder such as hacker is to ensure that all communication within the organization is encrypted to deter the unauthorized access to the company data. Moreover, the organization should use antivirus to protect the company data from the attack such as Trojan horse, worm, virus etc. Compliance to policies and procedure is so vital to assure an organizational IT security.

Disgruntled Employee: Company needs to evaluate each personnel before being allowed to handle sensitive information. There is a need to conduct background check on each employee. The background check could verify potential employee criminal background, and social background. Employee should be asked to sign a confidential agreement, which states the penalties for the breach of contract.

Development a Risk Treatment Plan

To obtain required return on investment (ROI), the risks need to be managed effectively. The additional type of risks that organization needs to be addressed is as follows:

Network Security: Organization network is very vital for effective business communication. An unauthorized individual could intercept data transmitted through computer network. Thus, there is a need to develop appropriate security plan to enhance network security. The following procedures should be followed to enhance network security:

Proper documentation of the design and implementation of the network.

Firewall configuration to deter unauthorized access to the network.

Installation of antivirus software on all systems and servers.

Prevention of authorized access to the company data and network.

Always update the virus signature.

Encryption and secure connection.

Software security and security for the operating system

Use of access control and authentication

Use of Intrusion Detection System (IDS).

Use of Intrusion Prevention System (IPS).

Network routing control.

Network connection control.

Password management such as regular change of password.

Use of authentication, automatic terminal identification

Terminal logon procedure.

Physical Security: Physical security refers to the procedures of securing the company physical assets such as building, working areas, documents, systems and devices. All these items need be secured properly. Damage to any of these items could lead to damage of IT assets. The procedures to provide key security measures for company facilities are as follow:

Provision of 24-hour security with the trained security guard.

Use of physical entry control such as:

- Identification mechanisms such swipe card and identification card.

- Access authorization.

- Access restriction to be implemented on a daily basis.

- An entry and exit tracking system.

- Restricted access to data centre and server rooms

- Close 24-hour monitoring by a circuit television at critical locations such as network room, and data center.

- Restricted movement of media such as flash drives, compact disks etc.

-Paper control through authorization and physical inspection at gate passes.

-Use of fire detector system and fire suppression system

-Storing backup media that contain critical information at remote offline location.

Based on the identification of the risks on the IT assets and the methods for the treatment of these risks, the report discusses whether the Hilcorp Energy Company is actually having the appropriate policies and procedures for the treatment of these risks.

Results of the Risks Analysis

Based on the risk assessment conducted on Hilcorp Energy Company, the report uses the following criteria to assess the organizational IT security.

User Authentication and Access Controls

User authentication is the process of identifying a user's identity before being allowed to gain access to the computer system. Analysis of the method that Hilcorp Energy Company employs for the authentication practice is the use of the password-based authentication where a user is asked to input his or her password during login to gain access to the computer network. The process is that a user is asked to enter his or her password each time they want to get access to the network system. While this process is effective within the organization because the process only allows the authorized users to gain access to the computer network, however password-based network is not effective in the computer network. A sophisticated hacker could intercept the password remotely. There are situation where hackers uses the Trojan horse or worm to infect the user computer in order to steal a user password. In addition, password sent across the network could be eavesdropped and be used by an eavesdropper to impersonate the user. Moreover, password-based authentication is inconvenient because the users are asked to enter their passwords each time they want to get access.

The company access control policy is effective because it defines the operations or the action that a legitimate user could execute. The company uses access control system to prevent users to implement the activities that could lead to a breach of security. The company policy and procedures on access controls is that the company uses a reference monitor to mediate user's attempt into the system. Each time a legitimate user attempts to get access to the system, the reference monitor consults the authorization database to determine whether a user could be authorized to perform the operation.

PC / Workstation Security

The workstation is an "electronic computing device, including laptop, tablet PC, desktop computer, PDA, or any other device that performs similar functions, as well as the electronic media stored in its immediate environment such as local hard drives, CDROMs, floppy drives, zip-drives that are directly connected to the device"(University of California, 2007 P1).

Security of the PC/workstation is very important to address the risks that might have occurred at the workstation. Risk assessment of Hilcorp Energy Company reveals that the company employs different procedures to enhance the security of PC/workstation. The company allows workers to use personal computers (PC). At the site, workers could move from one place to the other, thus, the use of PC is allowed. Typically, the PC of each worker contains vital organizational information, and if such PC gets onto the hand of an authorized user, the company information might be at risks. Thus, the company implements some security measures to enhance security of the PC/Workstation.

First, there are trained security guards at the company location to ensure that an unauthorized person is not allowed at the company location. In addition, the company uses 24-hour monitoring circuit television to monitor the activities going on at the location.

Moreover, the company implement physical inspection at the gate pass. Since the users could make use of PC to work, the company employs access control to control the nature of work a user could perform while using a PC.

Moreover, the company implements a virus detection system by using virus detection software. In addition, the company stores all the backup offline at a remote location. Part of the company security policy is that the company also prohibits the installation or download of personal software in the company PC.

The company also install antivirus software on all the company PC. The authentication of a user is required before a user is allowed into the system. The company also uses encryption procedure to protect company data from the authorized access. While the company employs all these security measures for the company PC/Workstation, there are still some shortcomings identified with the company security measures.

While the company employs encryption to protect the company data from an authorized user, the company does not implement "cryptography for PC/workstation security." (Harn, Lin, & Xu 1994). Although, encryption is very effective for the security of PC/workstation, however, encryption could only remain effective if the private key used for decryption is not compromised. In the case of the Hilcorp Energy, many people use the same private key for decryption. With this system, the private key could be easily compromised. The use of cryptographic methods could employ to address the shortcoming identified in the encryption method. (SecureRF, 2010).