Viewing Security Management as a Business Practice, Part 2: Lessons Learned in a Small Nonprofit Organization
Technological Issues and Risk Analysis
Phase 2 of OCTAVE focuses on evaluating an organization's computing infrastructure for technological weaknesses. However, no one at the professional society had the experience and expertise to conduct such an evaluation, and no funds were available to outsource this activity. The team set the scope of Phase 2 based on team members' knowledge and skills, and conducted a limited evaluation of the computing infrastructure.
Phase 2 activities were limited to examining how critical information and systems were accessed via the network. This approach worked because the team made the following key assumption:
We assume that technological weaknesses are present in the computing infrastructure.
By making this assumption, the team acknowledged that vulnerabilities were most likely present in the organization's computing infrastructure. However, because it did not perform a vulnerability evaluation, the team could not know precisely which vulnerabilities were present in which components. The team then recorded the following recommendation to carry forward into the Phase 3 analysis:
Implementing an approach for conducting periodic vulnerability evaluations of the computing infrastructure should be considered for inclusion in our protection strategy (i.e., a vulnerability management practice).
Thus, the team was acknowledging a gap in the organization's skill set. Team members wanted to ensure that this gap would be examined in relation to the organization's risks during the risk analysis.
Phase 3 of OCTAVE focuses on risk identification and analysis activities. After looking at the information gathered throughout the evaluation, the team identified a broad range of risks to each critical asset. The following list details the top four risks for CRMS:
People external to the organization (attackers) could exploit technological weaknesses and view sensitive customer data on CRMS. This could irrevocably destroy the society's reputation, reducing the number of member organizations. Ultimately, a significant reduction in yearly revenue could occur.
Staff members could exploit technological or organizational weaknesses to view sensitive customer data on CRMS. The consequences due to this threat are identical to those listed in the first risk above.
People external to the organization could exploit organizational weaknesses to gain physical access to sensitive CRMS data (for example, viewing physical copies of CRMS data). The consequences due to this threat are identical to those listed in the first and second risks above.
People external to the organization (attackers) could exploit technological weaknesses and interrupt access to CRMS. The organization's productivity would be affected while CRMS was unavailable. Staff work hours could increase by 50% for more than five days to bring the system back up and to complete tasks that couldn't be addressed while CRMS was unavailable.
Notice that the first three risks focus on the confidentiality of CRMS information, while the fourth addresses the availability of CRMS. This is consistent with how the team ranked the security requirements for CRMS: confidentiality first, then availability.
After identifying risks to all critical assets, the team was in a position to create strategies for improving the organization's security posture.
After reviewing the risks to critical assets in relation to organizational and technological issues, the analysis team identified the following as the top three areas of improvement for the organization:
Vulnerability management. Recall that the analysis team was unable to complete Phase 2 in its entirety, because the organization didn't have vulnerability-management capability. Three of the top four risks to CRMS focused on the potential for people to exploit technological weaknesses in the computing infrastructure, enabling them to view or interrupt access to sensitive customer data on CRMS. To address these risks, the team recommended that the professional society develop vulnerability-management capability. Identifying and correcting technological weaknesses on a continual basis would reduce the opportunities for gaining unauthorized access to CRMS.
Contingency planning. The lack of defined contingency plans was identified as a major issue during Phase 1. If any of the major risks affecting business operations were to occur, the organization's downtime would likely be prolonged, because it had no defined plans for continuity of operations. In addition, the IT group was identified as a critical asset. Because the group's work processes were not documented, if anything happened to one or more IT staff members, there would be no way to reconstruct IT work processes in a timely manner. To address these risks, the analysis team recommended that the organization develop contingency plans and that the IT group document its basic work processes.
Physical access control. The analysis team identified many issues related to controlling physical access to information and systems. A breach of physical security was integral to the third risk listed above for CRMS. The team recommended that the organization charter a team to review physical security and make any appropriate changes based on the results of the review.
In addition to the three areas of improvement listed above, the analysis team also identified the following action items:
Immediately ensure that the corporate credit card is physically secured.
Implement sign-in procedures for entrance to the society's building within the next two weeks.
Purchase a backup server for CRMS.
Purchase flood insurance. (This became an issue when the analysis team was examining the threat of natural disasters and realized that the organization had no flood insurance despite being located in a flood-prone area.)
All of the above action items were completed before the analysis team had finished the evaluation.