The PowerPoint file is what needs to be analyzed.
SWOT Analysis
In preparation for the final submission to the management team of PVSS, you will create a strengths, weaknesses, opportunities, and threats (SWOT) analysis of the presentation from the group project.
In an analysis of 2–3 pages, create the following:
· A SWOT analysis of the Group Project presentation.
· Critique the presentation, and describe what could have been completed better. Explain why.
· A certification and accreditation document for review and signature by all respective parties.
Group 1
Robert O’Cull, Stephen Simmons, Akinwumi Akinro, Helen Bosomprah
ITAS669-1905D-01
Information Systems Audit for PVSS
PVSS Audit
This presentation will demonstrate the group’s ability to perform research and develop a portion of an information systems audit for a fictitious company. The group will identify vulnerabilities within the IS framework of the company. The group will discuss the development of specific policies for implementation within the fictitious company. The policies developed will be applied against the identified vulnerabilities to determine how they will be used for mitigation.
Vulnerabilities
No device is 100% Secure
Any vulnerability can be exploited
An exploited vulnerability will disadvantage the network
No network or device in the world is 100% secure. If it is connected to the Internet, it will always have vulnerabilities that can be exploited to the disadvantage of the owner and the advantage of malicious individuals.
Akinwumi Akinro
Vulnerabilities
Users (Passwords/clicking of malicious links)
Web Server
Firewalls
When it comes to IT, there are many possible vulnerabilities that can occur. Uncovering and being able to counter these vulnerabilities is what makes a risk assessment audit so important.
Stephen Simmons
Vulnerabilities
Not patching OS
Gateway routers or Access routers
Firewalls
Applications that are outdated, buggy or not patched
List of vulnerabilities continued.
Akinwumi Akinro
Users
Passwords
Clicking of malicious links
Being aware of IT policies
Auditing of Users
Users can pose a major threat to the security of a network and its data, from their password choices to the possible clicking of malicious links while using the organization’s network.
Users of the organization’s network and IT resources should always be aware of the organization’s IT and network security policies. Being aware of these policies should help them make better decisions while they are logged into the organization’s network.
When auditing the Users there are several things that the auditor should test for. These tests should include:
– Testing password strength, which would include testing that passwords meet a set minimum length and use a mix of characters, as identified in the password policy.
– Making sure passwords are changed according to the password policy which should also ensure that Users don’t use the same password over and over.
– Keeping a log of user activity to ensure Users aren’t clicking on malicious links or engaging in other activity that could compromise the organization’s network or data security.
Stephen Simmons
Web Server
Provide a presence on the internet
Allow for customer interaction
Auditing the Web Server
Web servers are important for an organization because they allow a business to have a presence on the Internet. This presence is represented by a website of some sort that allows Internet users to learn about an organization or interact with an organization.
However, because a web server requires an Internet connection, it can possibly present a vulnerability to an organization’s network and data security.
When auditing a web server for possible vulnerabilities, there are several things an auditor should look at. These include (Sollicito, 2001, para. 7-11):
– Testing to ensure that a web server is properly installed and configured.
– Should make sure that the web server isn’t run as the superuser (or root). Doing this could give unexpected privileges to website users.
– Ensure that a minimum number of services are available. There are many services that can be turned off in many situations. Some of these include SMTP, FTP, Telnet, DNS, CGI, and ASP.
– Should ensure that all unused ports on the server are closed. Going through open ports is a common method used by hackers.
– Should test and ensure that any old or unsafe scripts are removed from the web server.
Restriction of access, whether by IP or DNS hostname, is possible if an organization deems it necessary. If so, then it should be tested to ensure that it is being used.
Stephen Simmons
Firewalls
Help secure a computer network
Monitor incoming and outgoing traffic
Function using a set of defined rules
Auditing the Firewall
Firewalls are one of the key tools used to help secure a computer network. Firewalls work by monitoring incoming and outgoing network traffic. Firewalls can make decisions on whether to block or allow specific traffic based on a set of rules, which can usually be set by the administrator.
Firewalls are an important part of a secure network. However, firewalls may contain vulnerabilities, making it important to audit them to ensure that the network is as secure as it can be.
Auditing a firewall is important because it increases the chances of catching weaknesses in network security. There are a few things to test a firewall for when running an audit. These include (Hamelin, 2011, para. 2, 4-5, 9-11):
– Auditing the Change Process
– This is usually one of the first things to test when auditing a firewall. This tests the change policy currently in place for a firewall. The goal of auditing the change process is to ensure that all changes to the firewall are properly approved, documented, and implemented.
– One way to test the change process is to pull a few change requests at random and have a few questions ready to be asked about each change.
– Auditing the Firewall Rule Base
– This test audits the policies that govern the firewall. This one is heavily dependent upon technology. This test centers around a ranking system for each firewall in place and several questions about the rule base which are usually centered around basic policy maintenance and good design practices.
– Running this test will require at least minimal access to each device. It will also require at least a year’s worth of logs which should give the auditor an idea of the rules being used.
Stephen Simmons
Not patching OS
Patches should be applied immediately
Don’t be reluctant out of fear
80% of attacks could be prevented
Create a test environment
Patches should be applied promptly, as soon as they are released to the public.
Organizations are sometimes reluctant to apply these patches to their systems because the new patch might cause some essential software to start misbehaving.
It is estimated that around 80% of attacks occur using a vulnerability that was recently patched in an OS. Hackers do this by comparing the available patch with the old software to identify the vulnerability that was patched, and then exploiting that vulnerability in organizations that are slow to apply the patch.
Organizations need to have a test environment in which the effect of new patches can be examined before deploying them over the whole network. Patching needs to be done as soon as practically possible and, whenever possible, automatic patching can be utilized.
Akinwumi Akinro
Gateway routers or Access routers
Denial of Service (DoS)
Routing table poisoning
Persistent attacks
One common attack on the router is the Denial of Service (DoS) attack. This is done by flooding the victim’s network with lots of packets using Internet Control Message Protocol (ICMP) over a short period of time. These requests in turn overload the network beyond what it can handle at once and, as a result, the network goes down, bringing a whole organization to a standstill. A good network configuration and the services of a good network administrator can prevent this from happening.
Other forms of router attacks include routing table poisoning, persistent attacks, etc.
Akinwumi Akinro
Outdated Applications
Bugs/Coding errors
Missed patches
Address as soon as possible
Running an outdated program on your device can cause bugs and incompatibility issues, and can give hackers access through unpatched back doors.
Bugs are coding errors that cause the system to take unwanted actions. Some bugs can cause the system to crash, while others can allow access elevation for unauthorized persons.
All these are security vulnerabilities that need to be addressed as soon as possible to avoid damage to your network or devices.
Organizations need to update all applications and remove any unsupported applications promptly.
Akinwumi Akinro
Creating A Policy
Policies are directions.
Policies detail how to perform, react, or they list job requirements.
Responsibilities must be written as tasks (a job that can be performed)
The policy must detail its authority
The actual policy statement should be direct and to the point.
Responsibilities must be written as tasks: actions that can be performed.
Enforcement and violations are the sections that give the policy its authority.
Enforcement will describe who is the backing force behind the policy. This should be the highest level of the organization that the policy applies to. It should identify if the policy is administrative or punitive. This simply dictates whether an individual could be penalized for violations.
The violations portion will describe actions that could be taken if the policy is not followed.
Robert O’Cull
Entity Level Policy
This policy will focus on values and ethics.
The policy highlights the user’s ownership of the network
Responsibilities are focused on overall network protection
This policy will identify how every user has a stake in the protection of the network.
Policy: Protection of the information technology assets and services is a shared task. Each user is responsible for the security and integrity of the network they are using. It is up to everyone who has access to the network to do everything they can to not allow hostile code or malware to gain entry.
This policy details what a user must do to protect the network and what actions to take if the network is threatened. This policy will help mitigate the user vulnerability. It will also aid the IT team to identify poorly patched or buggy systems or applications.
Responsibilities: Protection of your passwords, tokens, or secure VPN access information is critical to the security of the entire network. Minimum requirements for passwords will be set forth in the password policy. Users must immediately report any suspicious activity or contact regarding the security of the network to the Information Assurance team. If they are unsure of the validity of any action, link, or electronic communication, regardless of medium, they should report it. Err on the side of caution. The IA team is tasked to regard all reports as viable threats and perform an investigation until satisfied that the threat is contained, neutralized, or nonexistent.
This policy applies to the entire company, so it is signed by the CEO. The signatures of the two highest ranking members of the IT department show that the CEO is under advisement by them regarding this policy. Since violations of this policy can be enforced to give reprimand to an employee, it is punitive.
Enforcement: This policy is punitive in nature and signed by the Chief Information Officer, the VP of Information Security, and the CEO.
Violations: Violations are subject to disciplinary actions ranging from verbal warning to termination.
Robert O’Cull
Network Level Policy
This policy will regulate network access
IT department will be granted authority over software access
Responsibilities will outline levels of access control within the organization.
This policy will dictate the need to regulate network access. It will permit access to those who need it, while denying access to those without justifiable requests.
Policy: In order to maintain the most effective policy of network usage, system and network access and availability will be limited to only that which is necessary to perform required duties, actions, or responsibilities within the information technology framework. Access will be granted to those who are shown to have a specific need to utilize the requested resource.
This policy details what a user must do to gain network access. The IT department is protected by this policy as well. It outlines who is responsible if access is delayed due to missing or improper requests. It will also give authority to the IT department to regulate the software granted access to the network. This policy will help the IT team to maintain control and access to routers, firewalls, and other systems to keep them protected. Buggy or malicious software can be analyzed and kept from being added to the network if it poses a threat.
Responsibilities: The user must ensure they request access to the resources they need in a timely manner. The IT department will not be responsible for any missed information or lack of access to required data based on access not being requested properly. Supervisors and managers must approve or deny access requests for their personnel. Access must only be granted if the user has a genuine work-related need for the information or access level requested. If the supervisor or manager is unsure of the information contained in the request, they must submit to the IT team for clarification. The IT team must process all approved access requests in a timely manner. If the IT team is unsure of the nature or functionality of a specific program requested, they will perform offline testing on the software or application before allowing it access into the network. Minimum requirements for passwords will be set forth in the password policy.
This policy applies to the entire company, so it is signed by the CEO. The signatures of the two highest ranking members of the IT department show that the CEO is under advisement by them regarding this policy. Since violations of this policy can be enforced to give reprimand to an employee, it is punitive.
Enforcement: This policy is punitive in nature and signed by the Chief Information Officer, the VP of Information Security, and the CEO.
Violations: Violations are subject to disciplinary actions ranging from verbal warning to termination.
Robert O’Cull
Operating System Level Policy
The main objective of this policy is to regulate operating system access.
To ensure employees are granted access to data based on their job function.
Privileged IT functions will be limited to the appropriate employees.
This policy will help establish operating system access. This will help eradicate unauthorized access and grant access based upon authentication.
POLICY: The operating system manages system resources and every activity carried out by a computer system. To secure the operating system, access will be based upon authentication of users against their passwords and tokens. Approval of access must be in line with access granted on the system by the system administrator.
This policy will ensure that all users who have access to the system will be limited to system resources based on their job functions after the system has verified their identity in connection to what is established within the system. This will then enable the IT department to grant access to resources on the operating system, as well as monitor and control who accesses what and when.
Responsibilities: Users must ensure their access is approved by the IT department and their passwords can be authenticated based on what is established within the operating system. Users must not share their passwords, and these passwords must be changed within the established timeframe. Users must ensure that workstations are locked if inactive. The operating system will be regularly patched to prevent any bugs and vulnerabilities in order to ensure optimum security.
Enforcement: This policy will be enforced by the Chief Information Officer and the Information System Administrator.
Violation: Consequences of noncompliance will range from verbal warnings to termination.
Helen Bosomprah
Web/Database Level Policy
This policy will help establish optimum security for sensitive data.
Access to web/database will be regulated.
Privileged access will be monitored.
This policy will regulate who can access the web/database.
POLICY: Web/database level policy will help manage permissions on a server by securing and limiting access. PVSS must ensure that their web servers are highly secured and there are established policies or controls to manage and limit access since these servers contain highly confidential and sensitive information.
This policy would outline who will have access to the web/database. Data contained in the database are highly confidential and important, thus controls must be established to limit access to the right users, and these users must be constantly monitored. The IT department must grant access only to authorized users whose job function is to manage the database.
Responsibilities: All users must ensure the web/database is protected to prevent unauthorized access. The IT department must monitor every activity of privileged users of the database to prevent any breach of security. Installations and configurations must be conducted properly. A patching calendar can be created so that no patching, which is essential and plays a vital role in ensuring web security, is missed.
Enforcement: This policy will be enforced by the CEO, Chief Information Officer and the Information System Administrator.
Violation: Consequences of noncompliance will range from verbal warnings to termination.
Helen Bosomprah
Password Policy
This policy ensures the creation of strong passwords
Responsibilities will provide specific password requirements.
The Policy is administrative. Enforcement relies on other punitive policies that reference this one.
This policy will dictate the need to create strong passwords.
Policy: Strong passwords are essential to the protection of network assets. The creation of a password must adhere to a high level of security. By setting forth minimum password requirements, a standard level of protection can be maintained.
The specific requirements for a password are detailed. The IT department is also tasked with ensuring each system will not accept passwords that do not fit the identified requirements. This policy will greatly help the protection of the network. Having strong access control is a major step in limiting vulnerabilities.
Responsibilities: The IT Department will ensure every system requiring a password will be set to standards outlined in this policy. Each user will follow the requirements of this policy when creating passwords. Passwords will be:
A minimum of 10 characters in length
Contain at least 1 uppercase letter
Contain at least 1 lower case letter
Contain at least 1 number
Contain at least 1 special character (!@#$%&?)
Not contain any dictionary words of three letters or more
Not contain more than 2 repeating characters (Aabb11!!)
Not contain more than 2 running characters (Abab12!@)
Not be one of 10 previously used passwords
Not contain more than 2 characters of the corresponding username
Not be more than 90 days old.
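One way the IT department or an auditor could test passwords against the requirements listed above, as an added example that is not part of the original presentation. It assumes that "repeating" and "running" characters mean three identical or three sequential characters (by character code) in a row, that history is kept as salted PBKDF2 hashes with one salt per user, and that the word list is a small constructed stand-in for a real dictionary; all function names, the username and the sample passwords are hypothetical.

```python
import hashlib
import re
from datetime import date, timedelta

SPECIALS = "!@#$%&?"            # special characters named in the policy
MIN_LENGTH = 10
HISTORY_DEPTH = 10              # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)
# Constructed stand-in for a real dictionary file (assumption).
WORDLIST = {"pass", "word", "cat", "dog", "admin", "spring", "love"}


def hash_for_history(password: str, salt: bytes) -> bytes:
    """Password history is kept as salted PBKDF2 hashes, never as plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` adjacent characters ascend or descend by one (abc, 321)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def shares_substring(pw: str, other: str, n: int = 3) -> bool:
    """True if any n-character slice of `other` appears in `pw`."""
    pw, other = pw.lower(), other.lower()
    return any(other[i:i + n] in pw for i in range(len(other) - n + 1))


def check_password(pw, username, history=(), salt=b""):
    """Return the names of the policy rules `pw` violates ([] = compliant)."""
    lowered = pw.lower()
    recent = list(history)[-HISTORY_DEPTH:]
    rules = [
        ("length", len(pw) < MIN_LENGTH),
        ("uppercase", not re.search(r"[A-Z]", pw)),
        ("lowercase", not re.search(r"[a-z]", pw)),
        ("digit", not re.search(r"[0-9]", pw)),
        ("special", not any(c in SPECIALS for c in pw)),
        ("dictionary", any(len(w) >= 3 and w in lowered for w in WORDLIST)),
        ("repeat", re.search(r"(.)\1\1", lowered) is not None),
        ("sequence", has_sequence(pw)),
        ("username", shares_substring(pw, username)),
        ("history", bool(recent) and hash_for_history(pw, salt) in recent),
    ]
    return [name for name, violated in rules if violated]


def is_expired(last_changed: date, today: date) -> bool:
    """A password more than 90 days old must be changed."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    salt = b"constructed-salt"                       # constructed sample data
    old = [hash_for_history("Tq7!vZr2&mK", salt)]
    for candidate in ("password123", "Rocu11!!!Xz", "Tq7!vZr2&mK"):
        print(candidate, check_password(candidate, "rocull", old, salt))
```
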
This policy applies to the entire company, so it is signed by the CEO. The signatures of the two highest ranking members of the IT department show that the CEO is under advisement by them regarding this policy. Since this is simply an outline of how a system should be set up, it is administrative. It has enforcement authority because it is referenced by other punitive policies. If somehow the IT department does not program a system to require these settings, they can be held accountable under another policy (Network, OS, etc.). If a user does not follow these guidelines when creating a password, even if the IT team did not set up the system to require them, they can be held accountable under the Entity policy.
Enforcement: This policy is administrative in nature and signed by the Chief Information Officer, the VP of Information Security, and the CEO.
Violations: This policy is an augmentation to other policies that reference it. Failure to meet the guidelines of this policy will be used as extenuating factors while enforcing other punitive policies.
Robert O’Cull
Reference Slide
[Masthead 1]. (2012). Retrieved from https://mycampus.aiuonline.com/pages/MainFrame.aspx?ContentFrame=/Home/Pages/Default.aspx
[Masthead 2]. (2012). Retrieved from https://mycampus.aiuonline.com/pages/MainFrame.aspx?ContentFrame=/Home/Pages/Default.aspx
AIU Online Virtual Campus: Home. (2012). American Intercontinental University. Retrieved from https://mycampus.aiuonline.com/pages/MainFrame.aspx?ContentFrame=/Home/Pages/Default.aspx
American InterContinental University. (2019). Unit 4: Creating the Report [MUSE]. Retrieved from American InterContinental University Virtual Campus, ITAS669-1905D-01: https://mycampus.aiu-online.com
Hamelin, M. (2011). How to Conduct a Firewall Audit. Retrieved from https://www.crn.com/blogs-op-ed/applications-os/231903353/how-to-conduct-a-firewall-audit.htm
Sollicito, M. (2001). How to Perform a Security Audit – Part 2. Retrieved from http://www.ciscopress.com/articles/article.asp?p=24603&seqNum=3
Davis, C., Schiller, M., Wheeler, K. (2011). IT Auditing: Using Controls to Protect Information Assets. New York, NY: McGraw Hill. Retrieved from https://www.vitalsource.com/
Magee, K. (n.d). Database technology and controls. Retrieved from https://resources.infosecinstitute.com/itac-database/
Franklin, C. (2020). How operating system works. Retrieved from https://computer.howstuffworks.com/
Francis, Paddy. (2017). Patching is vital and essentially a risk management exercise. Retrieved from https://www.computerweekly.com/news/450421649/Security-Think-Tank-Patching-is-vital-and-essentially-a-risk-management-exercise
Winkler, Ira, & Treu, Araceli. (2017). Software Vulnerability. Retrieved from https://www.sciencedirect.com/topics/computer-science/software-vulnerability
Palmer, Danny. (2019). That out-of-date software is putting you at risk. Retrieved from https://www.zdnet.com/article/pc-security-warning-that-out-of-date-software-is-putting-you-at-risk/