Understanding Security Risks, IT Security Control Measurements, And Management Of Organizational Security Of Online Local Vet Clinic

Context

Describe about the Understanding Security Risks, IT Security Control Measurements and Management of Organizational Security of online local vet Clinic?

The organization under consideration is a small online local vet clinic. They carry put their business locally but due to the service they provide, now they are getting patients from the nearby towns also. It has four doctors, four nurses and 2 other persons for all administration and financial work. Currently they use only two computers. One for keeping all employee, order, customer details, accounting, payroll etc. and another is with Internet connectivity. Through this computer, they communicate with national veterinary organization and the suppliers of medicines etc. Thus all data about these communications, medicine supplies etc. are stored in the second computer.

They also has an online website and a web server for it. In this third system, the web data are stored and processed. The online site is used for online booking by customers, updating events etc., communicating with visitors and customers etc. In a single room, these three systems are kept. There is no restriction on entry to the room. Also there is no explicit recovery system or infrastructure there. A LAN is used to connect these three systems.

The organization has suffered from information security attacks in last few months. No data has been lost or damaged, but significant time has been wasted and their business process has been suffered severely. Due to the incident and lack of security infrastructure in the organization, national veterinary organization and the medicine supplier also has raised serious concerns.

Before expansion of the business, now the veterinary clinic want to focus on building a stronger information security infrastructure for the organization. For that purpose they have appointed an IT security Manager recently. The |IT security manager is supposed to inspect the current scenario of the organization with respect to information security. Identifying and implementing proper risk management, evaluation of the risks, identifying the required data protection processes and regulations that are applicable to the organization, analysis of the physical security infrastructure, designing and implementing a security policy for the organization, evaluating different security tools based on the policy and also conducting a security audit for the organization as an IT security manager.

In this section the information security risks of the organization will be identified and valuated.

The information technology resources and assets of the organization are the operational and transactional data of the organization. It includes different types of data and information. For example, there are customers’ information like the owner name of the pets, their contact details, credit card information etc., employee details like name, address, other contact details, certification details, payroll details of the employees, accounting and payment details, supplier details, different medical histories of the patients, communication details from national veterinary organization, customer and suppliers, the computers, web server etc.

There are several IT security risks in the information technology infrastructure of the organization. The risks are listed below,

• Their current IT security infrastructure has no physical security of data and IT resources. Particularly, there is no separate room or place for ensuring physical security of the web server. Also, data are stored in the computers itself. There is no recovery option if the computers crashes for some reason. Even there is no restriction of entry in the room where the server, computers and data are located.
• No computer, web server etc. use any information security tools or application like antivirus, firewall, proxy server etc. all information are scattered in different systems and access to those information are shared through the LAN. So, if there is some attack in the organization from the outer network or Internet, the whole security infrastructure will be exposed to the attack. The organization has already face some attacks from outside network. Thus the chances of such attacks in future has been increased.
• There is no dedicated security staffs, who can monitor the whole security infrastructure daily and identify potential risks and vulnerability. There is no security audits in the organization till date.
• There are chances of physical security risks like theft of information damage of the computers, data etc. Or more precisely, insider attacks from the employees.(Fay, 2010)
• There is no compliances with any of the security policy or regulation. In absence of that, the company may suffer from the legal consequences for data security, privacy and protection breaches, tampering intellectual property right of third parties like the customers, suppliers, employees etc.
• The organization stores and processes credit card information of the customers. If these information are stolen and misused, then the organization will be in serious trouble, as well as the customers will also be in trouble. This will directly affect their trust and reputation. The organization will be in serious legal consequences and their business will be is survival threats. The customers will no longer trust them and avail their services. (Sennewald, 2011)
• There are security risks like eavesdropping, spoofing etc. when the organization communicates with the suppliers, customers, national veterinary organization etc. confidentially. When communicating over the Internet these types of attacks are highly common. There is no use of proper security controls or measurement to deal with these kinds of attacks.

Currently the organization lacks stronger organizational security procedures. It can be said that there is no such effective procedure now. Still there are some common and best practices followed by the staffs and the management. Those are,

• Other than the employees, that is the doctors, nurses and the administrative staffs, no other persons, patients etc. are not allowed to enter in the room where the computers and the web server is located. This imposes some restriction on the entry into the room. But actually this is not effective at all. There is no monitoring or checking in the entrance of the room. Thus, in practice, anyone can enter into the room. Thus there is chances of theft of information and IT assets like hard disks etc.
• Only the doctors and the administrative staffs can access to the information in the computer and only the administrative staffs can access the web server. These computers and the web server is password protected. But there is no explicit access control.

Understanding Security Risks

Thus there are high chances of insider security risks.

• There is no privacy policy on sharing or collecting information from the customers and other third parties. Thus there are higher risks of lack of compliances with data privacy and protections, employees and the customers can raise security breach questions anytime, and the organization will be at risk. (McCrie, 2011)

In this section, there will be descriptions of the possible information security control measurements in the organization.

Currently, there is no such stronger information security control and measurement implemented in the organization. But after the recent information security attacks. The organization had installed some desktop antivirus applications in the computers and web server. But those are not updated timely and the virus database files have become outdated. The computers are not even scanned regularly for viruses.

There is no other security risks assessment procedure so far in the organization.

Currently the organization has not implemented any data protection acts or regulations. They just stores and processes third party data on their system without any consent from the owner of those data and any data privacy policy.

And there poor information security infrastructure does not conform to any data protection act currently. So, the organization is under the risks of breaching data protection requirement. According to data protection act, the organization is responsible for protecting customer, suppliers and employees data. If they fails to do so, and the data stored in their system, of while being used by them, becomes vulnerable and exposed to the information security risks or theft then the organization will be responsible.

Due to the poor IT infrastructure. The organization has already breached this act. Due to the lack of information security controls, the organization has faced some of the information security attacks and as a result all data stored in their system has been exposed to the risks.

There are several physical security issues in the organization with respect to the information security risks. The consideration of the physical security issues are listed below.

• There is no server room in the organization. Also the computers and the web server is kept in the same room that is not locked during working hours. Usually the administrative staffs are there in the room. But, as there is no monitoring or checking system while entering into the room, any person can enter into the room without any permission. So, there are high probability of physical risks of the IT resources of the organization. (Taylor, 2013)
• There is no recovery system used for the operational or transactional data. Due to any problem like electricity, surges, natural calamities etc. the computers and the web server may be damaged. In that case, all these data will be lost.
• There are high risks of insider risks as there is very little or no access control. For example, doctors are not supposed to see the payroll details. Only the administrative staffs should have access to those information. But all data are stored in the system in a scattered way. The doctors have passwords for the two computers. So they can check these information easily. (Tipton & Nozaki, 2012)
• There are high chances of insider attacks like stealing of information, unauthorized access to data, misuse of computers etc. The computers stores credit card information of the customers. These are highly sensitive information and has higher risks of theft.

In this section the possible security policies for the organization will be discussed along with the other requirements to implement the security policy, evaluation of the suitable implementation of the security tools etc. that will be needed to implement the security policy.

The security plan should ensure at least the basic security principle confidentiality, integrity and availability of information to the legitimate users (Andress, 2014 ). After analysis of the current scenario of the organization and the information security infrastructure, the proposed security policy and implementation for the organization should consider the following factors.

• First of all, they need to separate the server and the computers. The server room should have proper security controls and so is the computers. For example, they can partition the same room, and make one part dedicated for locating the web server and another for computers.
• The server room should have proper electricity controls, cooling system etc.(Taylor, 2013)
• The server room should have some automatic secure door or some monitoring system to monitor the entry, exit and all events happening in the server room.
• The operational and transactional data should be stored efficiently and with proper access controls.
• There should be clear privacy policies to be shared with the customers, employees etc. The privacy policies should contain all details like why and what data are being asked from them, why the data is required, how those will be used etc. The privacy policy is needed to be confirmed from by the owner.
• The web server is needed to be protected by suitable firewall, proxy server etc. So, that it can be secured from the outsider attacks and hacking attacks.
• The computers are needed to be password protected, the antivirus applications are to be installed and maintained properly. (Vacca, 2010)
• If not required, the organization should refrain from storing sensitive information like credit card details of the customers. It is not needed for further data processing, but needs higher degree of data protection implementation. Thus the organization should ask for and store only the information that are being needed.
• There should be recovery plan and implementation for the data. It will introduce redundancy in the infrastructure to some degree. But this redundancy is very much needed for ensuring availability of the data.
• There should be use of encryption while sharing sensitive information. Especially from the website, when it accepts booking and payment from the customers, then it should enforce proper security encryption mechanisms to protect those data. (Whitman & Mattord, 2013)
• There should be use of proper authorization process to ensure the identity of the user when someone requests some kind of access to data. Based on the level of sensitive data and access control privileges etc. For example, the payroll details are needed to be accessed by the accountants only and the owner of the payroll details. One doctor should not be able to see other employees’ payroll details.
• There should be detailed vulnerability analysis and penetration test for identifying all vulnerabilities in the current information security infrastructure of the organization. These tests are needed to be carried out periodically as the information security risks are very dynamic in nature.

To enforce the security policies described in the previous part, following tools are needed to implement those in the organization

• Biometric Doors can be used to restrict the entry in the server room. This will provide higher degree of physical security.
• They may use security cameras installed in the computer room and server room to watch and record the activities in those rooms. It will help to reduce the physical security considerations significantly.
• The organization needs to implement a proper network structure. There should be a router installed separately to the junction point of internet and the LAN. (McCrie, 2011)
• The web server should be protected by some proxy server. The proxy server will have firewall installed and it will bypass the traffics from the Internet to the web server. Thus the risks of attacks from the internet will be reduces and the data on the actual web server will be secure. However, one thing should be remembered, that the firewalls can reduce the risks of outsider attacks not the insider attacks. (Partida & Andina, 2010)
• Data should be stored and processed in some database. The computers are not suitable for storing operational and transactional data. Databases will help in organizing the data suitably and it will be easier to implement access control and authentication processes. (Snedaker & McCrie, 2011)
• There should be implementation of access controls in the database and the LAN network. Also there should be properly setting of privileges and levels of access controls for different groups of users like the doctors, administrative staffs, DBA etc.
• Antivirus software are needed to be installed in the computers properly. Updating and upgrading of the same is also required. (Fay, 2010)
• Cryptography and encryption techniques like public key cryptography, digital signature should be used while communicating confidentially with the suppliers and national veterinary organization, customers etc. This will reduce the risks or spoofing, tampering, eavesdropping type of attacks.
• There will be clear guidelines for the users who will work on the information systems. The users are bound to follow these guidelines.
• There should be proper implementation of the data privacy, protection and computer misuse acts.

Conducting an information security audit will consider the following factors,

• Basic IT infrastructure of the organization.
• The scope of the audit. Including the vulnerability assessment, external scanning, devices, verifications, data backup plans, access and privilege controls etc.
• Different policies
• Human factors
• Information systems
• Networks

Etc.

There are several issues in each of these factors. The audit checks and proposes controls to manage the human behaviors in the organization to optimize the information security of the organization. In the current organization. In the audit, it will focus on how the human resources of the organization are following the information security best practice guidelines, for example, restrictions of use of computers, data, network, |Internet etc. Because implementation of proper information security controls depends on this human resource factors. If they are not following the guidelines then there are higher chances of insider attacks and the use of all information security tools and infrastructure will have very little use. For an example, the employees have installed antivirus in the computers, but do not updates it. Thus there is no effectively of using an outdated antivirus. (Tipton & Nozaki, 2012)

References

Andress, J., 2014 . The Basics of Information Security. s.l.:Syngress.

Fay, J., 2010. Contemporary Security Management. s.l.:Elsevier.

McCrie, R., 2011. Security Operations Management. 2nd ed. s.l.:Butterworth-Heinemann.

Partida, A. & Andina, D., 2010. IT Security Management. s.l.:Springer .

Sennewald, C. A., 2011. Effective Security Management. s.l.:Elsevier.

Snedaker, S. & McCrie, R., 2011. The Best Damn IT Security Management Book Period. s.l.:Syngress.

Taylor, A., 2013. Information Security Management Principles. 2nd ed. s.l.:BCS Learning & Development Limited.

Tipton, H. F. & Nozaki, M. K., 2012. Information Security Management Handbook. 6th ed. s.l.:CRC Press.

Vacca, J. R., 2010. Managing Information Security. s.l.:Syngress.

Whitman, M. & Mattord, H., 2013. Management of Information Security. s.l.:Cengage Learning.