An insurance firm contracted you as a security expert. The firm has changed ownership many times and does not have any IT presence or systems use policies and procedures in place. Currently, the data center is accessible to any employee or visitor at any time of the day. As a result, the company's data is vulnerable to damage and/or theft. To remedy the situation, the company hires you as part of the team to implement improvements. To organize and present your suggestions, you create a Course of Action (CoA) matrix. To be effective, you decide that the matrix should utilize a mix of control classes and functions.
Notes and Requirements
- Utilize a combination of operational, technical, and managerial security solutions.
- Identify appropriate solutions and their control function type.
- The data center is in a heavily-traveled area of the building and should be secure.
- Systems use needs hardening.
- Management requests a synchronized backup solution.
- Management requests a physical lock on the datacenter door.
- Management is open to using written policies to reinforce how the firm uses systems and data.
- Management would like access to be role-based.
- The firm's location is a shared space that has 24-hour monitoring personnel.
ANSWERS
| Issues | Technical control | Operational control | Managerial control |
|---|---|---|---|
| Datacenter Security | Locking mechanism requested - BIOMETRICS | Monitoring solution suggested - SECURITY GUARD | Set company expectations - SECURITY POLICY |
| Systems Security | Implement an auditing process - EVENT LOGS | Establish role-based permissions - STAFF RESPONSIBILITIES | Set staff expectations - ACCEPTABLE USE POLICY |
| Disaster Recovery | Synchronized storage plan - CLOUD SERVICE | Create an incident response plan - RECOVERY PROCEDURES | Establish guidelines - INCIDENT TRAINING |
REASONING
Securing the datacenter is a high priority. Since management requested a physical lock, you recommend a biometric lock. As the firm’s location is in a shared space with a 24-hour security presence, you recommend that a security guard add the datacenter to the routine rounds. You also suggest that management create a policy regarding the appropriate personnel and their use of systems in the datacenter.
In an effort to secure systems use, you recommend an audit policy that logs all logins (successful and failed) on the systems. As management requests that systems use and related permissions be role-based, it is essential to understand and outline departmental roles and rights. Lastly, you recommend that management create a specific systems use policy to govern what personnel may and may not use the systems for.
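To show what the audit-policy recommendation produces in practice, here is an added example (not part of the original exercise or its answer key) that reviews a constructed set of login audit events, counts successful and failed logins per account, flags accounts with repeated failures, and checks successful logins against a hypothetical role-based access map. The log line format, host name, account names and the `ROLE_ACCESS` map are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit log (hypothetical format, not from any real system):
# "<timestamp> <host> login <SUCCESS|FAILURE> user=<account> src=<ip>"
SAMPLE_LOG = """\
2024-01-15T08:01:12Z dc-srv01 login SUCCESS user=jsmith src=10.0.5.21
2024-01-15T08:02:30Z dc-srv01 login FAILURE user=jsmith src=10.0.5.21
2024-01-15T08:02:41Z dc-srv01 login SUCCESS user=jsmith src=10.0.5.21
2024-01-15T08:15:00Z dc-srv01 login FAILURE user=admin src=10.0.9.77
2024-01-15T08:15:05Z dc-srv01 login FAILURE user=admin src=10.0.9.77
2024-01-15T08:15:10Z dc-srv01 login FAILURE user=admin src=10.0.9.77
2024-01-15T08:15:15Z dc-srv01 login FAILURE user=admin src=10.0.9.77
2024-01-15T09:00:00Z dc-srv01 login SUCCESS user=visitor1 src=10.0.5.40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical role-based access map: which accounts each role grants
# login rights to on datacenter systems. Any account not listed here
# has no role that permits access.
ROLE_ACCESS = {
    "datacenter-admin": {"jsmith", "admin"},
    "helpdesk": set(),
}


def parse_events(text):
    """Parse audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Per-account counts of successful and failed logins."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0})
    for e in events:
        key = "success" if e["result"] == "SUCCESS" else "failure"
        summary[e["user"]][key] += 1
    return dict(summary)


def flag_repeated_failures(summary, threshold=3):
    """Accounts whose failed-login count reaches the review threshold."""
    return sorted(u for u, c in summary.items() if c["failure"] >= threshold)


def unauthorized_successes(events, role_access):
    """Accounts that logged in successfully without any role granting access."""
    allowed = set().union(*role_access.values())
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and e["user"] not in allowed})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    summ = summarize(evts)
    for user, counts in sorted(summ.items()):
        print(f"{user}: {counts['success']} successful, {counts['failure']} failed")
    print("review (repeated failures):", flag_repeated_failures(summ))
    print("review (no role grants access):", unauthorized_successes(evts, ROLE_ACCESS))
```

The two review lists are the point of pairing the technical control (event logs) with the operational one (role-based permissions): the log alone shows activity, but only the role map tells you which successful logins should not have happened.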
For the area of disaster recovery, you recommend a cloud sync service for data, as requested. As part of the firm's operational goals, you also recommend an incident response plan; this plan will name the contacts and the order of procedures to follow in the event of an incident. An overall training program, approved by management, will complement the incident response plan.