Case 1 : Control Analysis Assignment


The first case of the course "Designing and Executing Information Security Strategies" deals with control analysis and recommendations. The scenario and questions posed are given below. I will post my response in the next post.

Day 0, life is normal
Q1: Explain and support information assurance controls for access to sensitive client banking information by HMC employees.
Q2: Explain and support information assurance controls for how access control is handled administratively.

Yesterday's Status
- Financial services ASP; provides credit clearance software services for 20 large banks worldwide
- We provide the platform and the software; their (the banks') people operate the system
- Our DBAs have access to the banks' databases for support reasons
- Network security, database security and application security are all ours
- All of our customers audit us, using whatever standard they see fit (ISO 27002, BS 7799, SS 627799, etc.)

What's important to our customers
- Information in the database includes:
  - Names
  - Date of birth
  - Financial details (income, savings, net worth)
  - Credit card info
  - SSN
- They want to know that every person with access to the data meets certain criteria:
  - Background checked
  - Qualified for the work
  - Authorized specifically for access to their data

Important, Part 2
- They want to know that there is distinct separation of duties for adding authenticated access to the database
- They want to know exactly how network-level (unauthenticated) access to web servers, application servers and database servers is protected
- They want to know who has access to what, and they want to audit these accesses

Today (as of 2:00 p.m.) life is getting interesting
- One of our financial subsidiaries has purchased a company from the country of Georgia whose primary business is outsourced programming.
- While the subsidiary still has local operational control of daily tasks, final decisions are now made by the management team in Tbilisi.
- For economic reasons, we will be combining management networks and IT support.

Today (as of 4:30 p.m.)
- The CEO of the financial subsidiary decides that Tbilisi DBAs are far less expensive, so we're going to use them when we can.
- In fact, the Tbilisi data center looks like a great disaster recovery site for the US operation.

Homework 1: Basic risk analysis and controls recommendations for a new business environment
- Given the case details presented here, prepare and post for peer review information assurance controls for:
  - Access to sensitive client banking information by HMC employees (300 - 500 words)
  - How access control is handled administratively (300 - 500 words)

Suggestions for the Assignment
- You're the CISO, so you're expected to lead, but the CEO is still your boss. Refer to the "What's important to our customers" slide for inspiration.
- When in doubt about a detail of how your company operates, make it up, BUT DOCUMENT YOUR ASSUMPTION.
- Don't get hung up on overly complicated control descriptions. Say as much as you need to convey what is required.
- Unlike some other classes you have taken, there are no right answers. GOOD answers are well justified and considered, while BAD answers are not justified or do not apply to the case.



Comments

1. Very easy and very easy to understand...

   Are you going to insert case number 2???

   Thanks a lot.

2. Hi, can you help me with the answer for this?