Process for Risk Assessment
• Specification of the object (a business unit, one system)
• Identify the assets which need protection (data, systems, network, a server)
• Identify the threats (incidents)
• Identify the potential damage (harm) to the company that could result, as well as the frequency of such a threat: the potential business impact
• Identify the level of threat
• Identify the control environment
• Identify the level of risk (the threat level set against the control environment)
The K-Glove Company
• Copenhagen (location C) – 250 employees
  • Sales
  • Marketing
  • Development
  • Administration
• Copenhagen (location A) – 100 employees
  • Distribution
  • Stock (storeroom)
• A location B in China – ? employees
  • Production
The K-Glove Server Farm
• Copenhagen (location C)
  • Exchange
  • SQL Server
  • Citrix
  • Windows 2000 file and print server
  • CRM system
  • Web server
• Copenhagen (location A)
  • Printers
  • Maybe a modem connection to the Internet
  • Production equipment connected to the intranet
• A location in China
  • Internet connection for e-mail
The K-Glove Network
• Copenhagen (location C)
  • Firewall
  • Internet connection
  • Web site connected to DMZ1
  • E-mail proxy server and antivirus shield connected to DMZ2
  • VPN box in DMZ3
  • The DMZ environment uses a LAN switch with five VLANs
  • WLAN link-to-link connection to location Copenhagen (location B)
  • LAN fully switched to the desktop
  • Dial-in solution with a free number connected directly to Active Directory
• Copenhagen (location A)
  • Hub-based solution
  • WLAN
• A location in China
  • ?
The K-Glove IT Security
• Firewall
  • Everything is allowed from inside out
  • Nothing is allowed from outside to inside, except ports 25, 80 and 443
  • What is allowed from inside to the DMZ is unknown
  • The log file is not used
• LAN
  • The password for all LAN boxes is identical
  • PDS cabling and coax
  • Radio point connected to a hub
  • Radio point uses the standard configuration with WEP encryption
• No IT security policy
• The production equipment has a static (hard-coded) password
The K-Glove Case
• Does the IT security fulfil ISO 17799?
• Choose an area to inspect, for example the WLAN link-to-link connection
• Follow the process for risk assessment
• Use the form and fill in the observations
More facts to work with
• The system administrator is responsible for security
• Backup is done (but not systematically) to tapes and CDs. Backups are stored on-site and there is limited testing of the backups. Only servers are backed up.
• The server room is a normal room with access from the system administrator's office.
• Original software is stored in a safe.
• The precise network setup is not known by the IT staff. Users have full (outgoing) Internet access.
• Users are responsible for their own passwords.
• Users sometimes store their documents on the local machines.
• No documents or systems are encrypted or integrity protected.
• Sales people have access from outside to all product information using the dial-in access.
• The economy system (accounting, salaries, etc.) is on the database server. Access is password protected, but the password is shared among all users of the system.
• Plans for new products are distributed to A and B
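As an added example that is not part of the original slides, the following Python risk register walks the risk assessment process from the first slide over a handful of observations taken from the K-Glove case facts: each entry names an asset, a threat, the potential damage and its frequency, and the control environment, and the script derives the threat level and the risk level from them. The three-step scale, the way threat level and risk level are derived (impact times frequency, then adjusted one step up or down by the control environment) and the ratings given to each observation are assumptions chosen for illustration; a real assessment would use the course form and whatever scales the organisation has agreed on.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-step qualitative scale (an assumption made for this example)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Observation:
    """One row of the risk register: an asset, a threat to it, and the ratings."""
    asset: str
    threat: str
    impact: Level     # potential damage (harm) to the company
    frequency: Level  # how often the threat is expected to occur
    control: Level    # strength of the existing control environment


def threat_level(obs: Observation) -> Level:
    """Threat level from potential business impact and frequency.

    The product of the two 1..3 ratings gives a 1..9 score, which is
    bucketed back onto the three-step scale (assumed thresholds).
    """
    score = int(obs.impact) * int(obs.frequency)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def risk_level(obs: Observation) -> Level:
    """Risk level: the threat level set against the control environment.

    A strong control environment lowers the threat level by one step,
    a weak one raises it by one step, a medium one leaves it unchanged.
    """
    adjustment = int(Level.MEDIUM) - int(obs.control)
    adjusted = int(threat_level(obs)) + adjustment
    return Level(max(int(Level.LOW), min(int(Level.HIGH), adjusted)))


# Constructed register entries, paraphrasing facts from the K-Glove slides.
# The ratings themselves are assumptions made for this example.
WLAN_WEP = Observation(
    "WLAN link-to-link connection (standard configuration, WEP)",
    "Traffic between the locations is read or altered by an outsider",
    impact=Level.HIGH, frequency=Level.MEDIUM, control=Level.LOW)
SHARED_ECONOMY_PASSWORD = Observation(
    "Economy system (accounting, salaries)",
    "Access or changes cannot be traced to a person because the password is shared",
    impact=Level.HIGH, frequency=Level.MEDIUM, control=Level.LOW)
ONSITE_BACKUPS = Observation(
    "Server data",
    "Server room is destroyed (fire, water) together with the on-site backups",
    impact=Level.HIGH, frequency=Level.LOW, control=Level.LOW)
FIREWALL_NO_LOG = Observation(
    "Firewall",
    "Intrusion attempts go unnoticed because the log file is never read",
    impact=Level.MEDIUM, frequency=Level.HIGH, control=Level.LOW)
SOFTWARE_IN_SAFE = Observation(
    "Original software media (stored in a safe)",
    "Loss or theft of installation media",
    impact=Level.LOW, frequency=Level.LOW, control=Level.HIGH)

REGISTER = [WLAN_WEP, SHARED_ECONOMY_PASSWORD, ONSITE_BACKUPS,
            FIREWALL_NO_LOG, SOFTWARE_IN_SAFE]


def prioritised(register):
    """Return (risk level, observation) pairs, highest risk first.

    Sorting is stable, so entries with equal risk keep their register order.
    """
    return sorted(((risk_level(o), o) for o in register),
                  key=lambda pair: pair[0], reverse=True)


def count_by_risk(register):
    """Number of register entries at each risk level."""
    counts = {level: 0 for level in Level}
    for o in register:
        counts[risk_level(o)] += 1
    return counts


if __name__ == "__main__":
    for level, o in prioritised(REGISTER):
        print(f"{level.name:6} threat={threat_level(o).name:6} {o.asset}: {o.threat}")
```

Run as a script it lists the observations with the highest residual risk first; the point of the separate `threat_level` and `risk_level` steps is that an observation such as the on-site backups has only a medium threat level (high damage, low frequency) but still ends up as high risk because the control environment around it is weak, which is exactly the distinction the process on the first slide asks for.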