SlideShare a Scribd company logo

IT-Audit C&A

Download as DOCX, PDF
M
Mang Sum

The document summarizes the findings of an IT audit conducted at Tulsa Community College's West Campus. It identifies several security deficiencies including social engineering, lack of emergency plans for tornadoes and power outages, outdated software, and improper maintenance of Active Directory services. Recommendations are provided for each issue such as implementing security awareness training, developing emergency plans, ensuring software updates through SCCM, and regularly reviewing and disabling inactive user accounts in Active Directory. Addressing these deficiencies would improve security and reduce risks of data loss, system downtime, and unauthorized access.

1 of 15
11/30/2015 IT Audit Tulsa Community College West Campus Administrator IAN LEWIS, JOEY TRAN, MANG SUM, SUSAN STEWART, ANDREW BABB
1 IT Audit Table of Contents Executive Summary……………………………………………………………………………….2 Social Engineering………………………………………………………………………………...3 Tornado……………………………………………………………………………………………4 Loss of Power……………………………………………………………………………………..4 Software Updates………………………………………………………………………………….5 Active Directory…………………………………………………………………………………...6 Malicious Internal Access…………………………………………………………………………8 Unauthorized Physical Access…………………………………………………………………….9 Environmental Threats…………………………………………………………………………...11 Malicious External Access……………………………………………………………………….11 Loss of Hardware………………………………………………………………………………...12 Summary Statement……………………………………………………………………………...14
2 IT Audit Executive Summary Tulsa Community College, TCC, is a multi-campus higher education institution. The goal of TCC is to provide education to a diverse student body through various means of instruction. Because TCC does run a multiple campus college, their technology infrastructures and security concerns are centralized. Yet, each of the individual campuses do have on site controls particular to themselves. Since these campus operate somewhat independently, we have chosen to focus on the TCC West Campus for our project. Although the West Campus does have many positive security preventions and policies set in place, we have found important deficiencies that could be immediately improved with little or no costs involved. The major deficiencies that we found include the following areas; Social Engineering, Tornado, Loss of Power, Software Updates, Active Directory Services, Malicious Internal Access, Unauthorized Physical Access, Environmental Threats, Malicious External Access, and Loss of Hardware. In conclusion, it is recommended by the team that the security measures suggested within this audit be implemented during the current budget year. Since some departments throughout the college struggle with spending, it is important to introduce these controls, early, to help assist with financial anxieties that the current State of Oklahoma is dealing with.
3 IT Audit Social Engineering A successful attempt in Social Engineering results in giving up sensitive information such as student ID, Date of Birth, Pin Number, E-mail, and Password. Sometimes, even, directing and exposing internal network structure to hidden or critical systems. Using Social Engineering to gain knowledge of how the network is set up can lead to having the authentication for that system. With that authentication, the hacker can easily harm and ruin the reputation of Tulsa Community College. Harming can include downloading sensitive information such as personal information, or deleting the entire database. Risk Mitigation and Loss Expectancy A security awareness training program must be implemented and launched to assist in preventing social engineering attacks. If people know what form a social engineering attack is likely to take, they will be less likely to fall victim to one. Tulsa Community College also must perform penetration testing using social engineering techniques. This will allow security teams to know which users pose a risk and can take steps to remediate that risk. Recommendation The security awareness training program must continue every 3 months. Using Social Engineering Toolkit (SET) is a useful tool to create social engineering attacks. Occasionally, penetrate using social engineering techniques. Based on the results, the duration of the program and penetration testing must be adjusted. If the result scores are higher than expected, then the continually use of security awareness training program and penetration testing must be introduced more frequently.
4 IT Audit Tornado Tulsa Community College buildings are built to withstand a Tornado. But, it does not guarantee the safety of the staff, students, and equipment. Therefore, a lack of Emergency Plan potentially threatens the safety of staff, students, and equipment in case of Tornado. The Emergency Plan must be written in detail of the emergency procedure. Risk Mitigation and Loss Expectancy As with any threat, there is the possibility of actual loss. The loss associated with this particular threat would be the actual cost of the buildings and the assets. The natural threat of Tornado occurs about three times annually. That leads to an Annual Rate of Occurrence (ARO) of 3. The Single Loss Expectancy SLE from this threat of tornado is projected to be $1,000,000. The value of SLE doesn’t reflect the true value of the assets. The Annual Loss Expectancy ALE is calculated to be (SLE * ARO) = $3,000,000 (estimated figures.) Recommendation When considering the present stage of the system, we recommended that you follow up and implement all the recommendation we have provided. However, this is just the conditional: by implementing the recommendation, we believe that the functionality, efficient and security should be measure up the standard of regulation and procedure. Loss of Power A loss of power would result in a loss of access to computers and files stored on the cloud or locally. A short term loss of power would lead to a temporary interruption of business activities and cancellation of classes on the campus. Because power is required for classes to run and for
5 IT Audit business activities to continue, an extended outage would result in the campus closing for an extended period of time. Risk Mitigation and Loss expectancy The annual loss expectancy for the TCC West Campus would be low. Since the campus is not the main source of income for Tulsa Community College, the annual loss expectancy will be low. The Average rate of occurrence for a loss power is estimated at twice per year. Recommendation Although the loss expectancy is low for a loss of power of the campus, it is important for the college to maintain power to their systems at the campus. Previous power outages at other campuses have ranged from a few minutes to a few hours. TCC West Campus should have a UPS for the network and servers. The school should also have a UPS system for the administrative computers, if not all the computers on the campus. The computers should have a shutdown time set at 45 minutes to give enough time for to save and back up any files. The network and servers should have a shutdown time set at two hours to provide a large enough window for power to be restored and allow users to access data without much downtime. Software Updates Maintaining software updates are a key factor in maintaining security throughout the system at TCC. If the computers, servers, and firewall servers are not kept up to date, TCC West Campus can be left vulnerable to attacks and malware. Most activities at TCC are done online now. TCC has a system center configuration manager (SCCM) that is used to provide patch management and software distribution. The SCCM at TCC West has been down, therefore, there is no simple
6 IT Audit and centralized system to update software and patch the computers. Consequently, a lack of process for updating software is a potential threat that can compromise the security of not only the campus, but Tulsa Community College’s entire system. Risk Mitigation and Loss Expectancy Failure to properly maintain software updates can range from a low loss expectancy to a high loss depending on the software that needs to be updated. If security updates are not applied, there will be a high loss expectancy. A small update such as iTunes or the latest version of Adobe PDF reader would have little to no loss related to it. Recommendation It is recommended that Tulsa Community College West Campus get the SCCM up and running. Having the SCCM updated will make it efficient and will ensure that all computer systems are consistently updated. Updating the software will mitigate the risks of having unpatched software. The threat of hacking is made more difficult by keeping software patched and updated, and, thus, lowering the potential chances of having a system breach. Active Directory Services The failure to properly maintain an Active Directory can potentially produce an insecure operating environment for the network of the TCC campus. Having the Active Directory maintained is crucial to ensuring that users in the domain have access to only the resources and information that is required of their respective level in the organization, as it should be based on the principal of least privilege. In addition, individuals who are no longer associated with the organization should have their respective rights reviewed, configured, and/or disabled under the
7 IT Audit management of Active Directory so as to not provide unauthorized access into the system. This system contains multiple entities of sensitive and personal data that can potentially be exposed and compromised due to unauthorized access granted by failure to properly maintain the Active Directory. The potential of unauthorized access to the system due to an improperly maintained Active Directory may lead to malicious system attacks, which may cause system downtime and/or outage. Unauthorized access of an administrative level account due to improper maintenance of Active Directly may lead to malicious attacks on Active Directory itself, including the Domain Controller. Risk Mitigation and Loss Expectancy In order to properly mitigate the risk of a compromise of the system due to Active Directory, a combination of controls and policies are needed. An individual must be assigned to manage and review inactive accounts of individuals who are not associated with the organization. A common method used should be to review accounts older than a specified age if they exist and aren’t already disabled, review the account, and take the appropriate action. An example would be to select an account, review the student and/or individual’s status with the organization, and if they are no longer associated or attending, then configure the account to be disabled so that no further access is granted. As our team was able to access the campus network and resources via logins over a year old from previous student access while attending the campus, this is where our main focus lies in regard stop mitigating risk via Active Directory. Recommendation In addition to having implemented a policy and control for maintaining an up to date and secure Active Directory, the organization must also account for the personnel and time resource needed to maintain the control. The individual responsible for maintaining the control will review and
8 IT Audit configure unused accounts and should maintain a history or log of all changes made to what accounts and when the changes were made. This will not only serve as documentation for the organization, but will also allow for a trail to be followed in the event of an audit. Due to the nature and flux of mainly student statuses in the organization, that this control should be reviewed at least once every week to maintain secure and updated Active Directory user groups and accounts. Malicious Internal Access Malicious Internal Access is one of the most understated threats when it comes to securing an organization’s information assets and it is no different for the TCC West Campus. An insider threat can allow for a loss of extremely sensitive company information and assets. As previously reviewed in the Active Directory control, the on-going issue of properly maintaining the Active Directory can allow for increased threat potential of malicious internal access. Risk Mitigation and Loss Expectancy There is an enormous amount of trust (or lack of awareness) to any system administrator if an internal person decided to maliciously access any data while employed by TCC, or even after termination, if the proper policy is not followed to terminate access following unemployment of an administrator. In addition, access to a terminal to pursue malicious internal access is complemented by the lack of control over unauthorized physical access. Recommendation In order to properly implement risk mitigation for Malicious Internal Access, a number of measures can be taken. Firstly, an indirect method of risk mitigation is correcting the Active
9 IT Audit Directory maintenance security control. This ensures that no user has more access than needed to any confidential data and ensures that the discontinuation of access is implemented. Another method, is to deploy a software solution that allows for active monitoring and remote control of user sessions and access, and reports live monitoring data of any suspicious activity. Multi- person access authentication can also be implemented in order to reduce the risk of any one individual obtaining access to data that is not pertinent to their position and to increase awareness of such attempts. This software implementation, when properly configured, will also increase available logs and documentation in the event of an incident for inside and outside risk assessments and/or audits. Unauthorized Physical Access When main school hours are not in session, the TCC West Campus’ policy is to have most of the building’s doors locked and access is not permitted. This policy is currently maintained by having a selected security personnel travel to each entrance or doorway and manually lock the doors and entrances. At this time, there is no way to verify that every door was locked to provide security in the buildings to which access should not be granted. Our main focus was on this risk, as our group performed a check of this policy and found that we were able to access a building that was not supposed to be accessible to personnel via an unlocked door. This risk not only allows for property to be stolen, but any sort of documentation that is potentially not properly secured or information that is exposed can be at risk of theft. In addition, a single unauthorized access point can allow for multiple access points to become accessible, furthering the potential damage and security concern.
10 IT Audit Risk Mitigation and Loss Expectancy In order to address loss expectancy, we must review the potential controls that can be implemented and the damages from a security incident. The cost could range from a few hundred dollars to multiple thousand depending on the security control implemented. An implementation of extra personnel rounds, cost of time, and wages must be accounted for. If an electronic system was implemented, the cost would be multiple thousands for the purchasing of equipment, maintaining software, training time and expense, and implementation testing that would all require additional time and training. A security incident involving unauthorized access would potentially risk a loss of physical assets including any documentation that may have FERPA regulations attached to it, creating additional incident exposure and possible penalties. Recommendation In order to properly mitigate this exposed security control, a number of measures can be taken. The doors are all manually controlled to be locked or unlocked and each individual door is separate from all others, and must be individually addressed when this policy is in action. A possible solution is to implement and maintain an electronic locking control system on all of the doors on the campus that can be centrally maintained. With such a system it would be possible to centrally control the securing of doors and access points and an ability to verify that the doors that need to be secured are indeed locked. A second possible option is having multiple personnel making the checks on doors, verifying that they are locked, and reporting back with the status of the securing of doors and access points. Although this method is more cumbersome and time consuming, it is also less expensive and easier to implement with a change of policy. This will allow for extra safeguarding against potential quality control failures in securing the campus.
11 IT Audit Environmental Threats Environmental threats may occur due to accidents or unexpected changes in the environment. The impact of an environmental threat, specifically fire may include destruction of information technology assets and enterprise premises. Risk Mitigation and Loss Expectancy The loss associated with the threat of fire is the building structure and the contents. The building that houses the computer lab is equipped with a fire suppression sprinkler system which is water based. Any instance of fire in the computer lab will result in a total loss of assets. The ALE is calculated to be 1% * 3,000,000 SLE = $300,000 Recommendation Re-evaluate the computer lab fire protection system and have the system re-fitted with a Halon type system Malicious Outsider Threats An outsider threat occurs when someone outside your organization seeks to gain protected information by infiltrating and taking over the profile of a trusted user. A malicious outsider depends on the weakness in the authentication process, which is the result of human error. People, process and technology help to reduce the vulnerabilities that exist in products, software and technologies.
12 IT Audit Risk Mitigation and Loss Expectancy The more commonly used a program is the bigger target it represents and the more likely it is that vulnerability will be exploited. Existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. Most software companies release patches for download. Contact software vendors to receive updates, patches or vulnerability alerts. Patch all devices to prevent the vulnerabilities that exist in products, software or technologies from malicious outsider threats. There are no costs associated with updates, patches or alerts. Recommendations Prevent any vulnerability that exist and routinely monitor anti-virus software for updates and install the updates as recommended. Loss of Hardware Loss of hardware may occur due to environmental damage or theft of hardware from the premises. The loss of, or damage to hardware will have an immediate impact, which may affect the institutions staff and student body. Risk Mitigation and Loss Expectancy Loss of hardware may occur due to environmental damage or theft of hardware from the premises. The loss or damage to hardware will have an immediate impact, which may affect curricular activities. The system units at all workstations are vulnerable to theft. The system units are attached under the desks with a sliding bracket. The ALE is calculated to be 10% * 600 SLE = $60.00
13 IT Audit Recommendations Purchase and install Byte Brothers Loc Kit 1. This is an industrial adhesive kit. The peel-and- stick security system provides asset control and prevents theft. There are many other options available, but this particular kit is the most cost efficient solution. The Loc Kit can be for purchased for $19.10.
14 IT Audit Summary Statement After reviewing all the threats and vulnerabilities revealed through the audit, it is highly recommended that most, if not all, security controls suggested be implemented within 1-3 months of this assessment. Because of the low cost and feasibility of the recommendations, TCC West Campus would benefit from the various improvements proposed throughout the campus. Also, an annual reassessment of these threats and vulnerabilities is recommended to assist with the nature of technology and the evolving threats that arise from them.

More Related Content

IT-Audit C&A

  • 1. 11/30/2015 IT Audit Tulsa Community College West Campus Administrator IAN LEWIS, JOEY TRAN, MANG SUM, SUSAN STEWART, ANDREW BABB
  • 2. 1 IT Audit Table of Contents Executive Summary……………………………………………………………………………….2 Social Engineering………………………………………………………………………………...3 Tornado……………………………………………………………………………………………4 Loss of Power……………………………………………………………………………………..4 Software Updates………………………………………………………………………………….5 Active Directory…………………………………………………………………………………...6 Malicious Internal Access…………………………………………………………………………8 Unauthorized Physical Access…………………………………………………………………….9 Environmental Threats…………………………………………………………………………...11 Malicious External Access……………………………………………………………………….11 Loss of Hardware………………………………………………………………………………...12 Summary Statement……………………………………………………………………………...14
  • 3. 2 IT Audit Executive Summary Tulsa Community College, TCC, is a multi-campus higher education institution. The goal of TCC is to provide education to a diverse student body through various means of instruction. Because TCC does run a multiple campus college, their technology infrastructures and security concerns are centralized. Yet, each of the individual campuses do have on site controls particular to themselves. Since these campus operate somewhat independently, we have chosen to focus on the TCC West Campus for our project. Although the West Campus does have many positive security preventions and policies set in place, we have found important deficiencies that could be immediately improved with little or no costs involved. The major deficiencies that we found include the following areas; Social Engineering, Tornado, Loss of Power, Software Updates, Active Directory Services, Malicious Internal Access, Unauthorized Physical Access, Environmental Threats, Malicious External Access, and Loss of Hardware. In conclusion, it is recommended by the team that the security measures suggested within this audit be implemented during the current budget year. Since some departments throughout the college struggle with spending, it is important to introduce these controls, early, to help assist with financial anxieties that the current State of Oklahoma is dealing with.
  • 4. 3 IT Audit Social Engineering A successful attempt in Social Engineering results in giving up sensitive information such as student ID, Date of Birth, Pin Number, E-mail, and Password. Sometimes, even, directing and exposing internal network structure to hidden or critical systems. Using Social Engineering to gain knowledge of how the network is set up can lead to having the authentication for that system. With that authentication, the hacker can easily harm and ruin the reputation of Tulsa Community College. Harming can include downloading sensitive information such as personal information, or deleting the entire database. Risk Mitigation and Loss Expectancy A security awareness training program must be implemented and launched to assist in preventing social engineering attacks. If people know what form a social engineering attack is likely to take, they will be less likely to fall victim to one. Tulsa Community College also must perform penetration testing using social engineering techniques. This will allow security teams to know which users pose a risk and can take steps to remediate that risk. Recommendation The security awareness training program must continue every 3 months. Using Social Engineering Toolkit (SET) is a useful tool to create social engineering attacks. Occasionally, penetrate using social engineering techniques. Based on the results, the duration of the program and penetration testing must be adjusted. If the result scores are higher than expected, then the continually use of security awareness training program and penetration testing must be introduced more frequently.
  • 5. 4 IT Audit Tornado Tulsa Community College buildings are built to withstand a Tornado. But, it does not guarantee the safety of the staff, students, and equipment. Therefore, a lack of Emergency Plan potentially threatens the safety of staff, students, and equipment in case of Tornado. The Emergency Plan must be written in detail of the emergency procedure. Risk Mitigation and Loss Expectancy As with any threat, there is the possibility of actual loss. The loss associated with this particular threat would be the actual cost of the buildings and the assets. The natural threat of Tornado occurs about three times annually. That leads to an Annual Rate of Occurrence (ARO) of 3. The Single Loss Expectancy SLE from this threat of tornado is projected to be $1,000,000. The value of SLE doesn’t reflect the true value of the assets. The Annual Loss Expectancy ALE is calculated to be (SLE * ARO) = $3,000,000 (estimated figures.) Recommendation When considering the present stage of the system, we recommended that you follow up and implement all the recommendation we have provided. However, this is just the conditional: by implementing the recommendation, we believe that the functionality, efficient and security should be measure up the standard of regulation and procedure. Loss of Power A loss of power would result in a loss of access to computers and files stored on the cloud or locally. A short term loss of power would lead to a temporary interruption of business activities and cancellation of classes on the campus. Because power is required for classes to run and for
  • 6. 5 IT Audit business activities to continue, an extended outage would result in the campus closing for an extended period of time. Risk Mitigation and Loss expectancy The annual loss expectancy for the TCC West Campus would be low. Since the campus is not the main source of income for Tulsa Community College, the annual loss expectancy will be low. The Average rate of occurrence for a loss power is estimated at twice per year. Recommendation Although the loss expectancy is low for a loss of power of the campus, it is important for the college to maintain power to their systems at the campus. Previous power outages at other campuses have ranged from a few minutes to a few hours. TCC West Campus should have a UPS for the network and servers. The school should also have a UPS system for the administrative computers, if not all the computers on the campus. The computers should have a shutdown time set at 45 minutes to give enough time for to save and back up any files. The network and servers should have a shutdown time set at two hours to provide a large enough window for power to be restored and allow users to access data without much downtime. Software Updates Maintaining software updates are a key factor in maintaining security throughout the system at TCC. If the computers, servers, and firewall servers are not kept up to date, TCC West Campus can be left vulnerable to attacks and malware. Most activities at TCC are done online now. TCC has a system center configuration manager (SCCM) that is used to provide patch management and software distribution. The SCCM at TCC West has been down, therefore, there is no simple
  • 7. 6 IT Audit and centralized system to update software and patch the computers. Consequently, a lack of process for updating software is a potential threat that can compromise the security of not only the campus, but Tulsa Community College’s entire system. Risk Mitigation and Loss Expectancy Failure to properly maintain software updates can range from a low loss expectancy to a high loss depending on the software that needs to be updated. If security updates are not applied, there will be a high loss expectancy. A small update such as iTunes or the latest version of Adobe PDF reader would have little to no loss related to it. Recommendation It is recommended that Tulsa Community College West Campus get the SCCM up and running. Having the SCCM updated will make it efficient and will ensure that all computer systems are consistently updated. Updating the software will mitigate the risks of having unpatched software. The threat of hacking is made more difficult by keeping software patched and updated, and, thus, lowering the potential chances of having a system breach. Active Directory Services The failure to properly maintain an Active Directory can potentially produce an insecure operating environment for the network of the TCC campus. Having the Active Directory maintained is crucial to ensuring that users in the domain have access to only the resources and information that is required of their respective level in the organization, as it should be based on the principal of least privilege. In addition, individuals who are no longer associated with the organization should have their respective rights reviewed, configured, and/or disabled under the
  • 8. 7 IT Audit management of Active Directory so as to not provide unauthorized access into the system. This system contains multiple entities of sensitive and personal data that can potentially be exposed and compromised due to unauthorized access granted by failure to properly maintain the Active Directory. The potential of unauthorized access to the system due to an improperly maintained Active Directory may lead to malicious system attacks, which may cause system downtime and/or outage. Unauthorized access of an administrative level account due to improper maintenance of Active Directly may lead to malicious attacks on Active Directory itself, including the Domain Controller. Risk Mitigation and Loss Expectancy In order to properly mitigate the risk of a compromise of the system due to Active Directory, a combination of controls and policies are needed. An individual must be assigned to manage and review inactive accounts of individuals who are not associated with the organization. A common method used should be to review accounts older than a specified age if they exist and aren’t already disabled, review the account, and take the appropriate action. An example would be to select an account, review the student and/or individual’s status with the organization, and if they are no longer associated or attending, then configure the account to be disabled so that no further access is granted. As our team was able to access the campus network and resources via logins over a year old from previous student access while attending the campus, this is where our main focus lies in regard stop mitigating risk via Active Directory. Recommendation In addition to having implemented a policy and control for maintaining an up to date and secure Active Directory, the organization must also account for the personnel and time resource needed to maintain the control. The individual responsible for maintaining the control will review and
  • 9. 8 IT Audit configure unused accounts and should maintain a history or log of all changes made to what accounts and when the changes were made. This will not only serve as documentation for the organization, but will also allow for a trail to be followed in the event of an audit. Due to the nature and flux of mainly student statuses in the organization, that this control should be reviewed at least once every week to maintain secure and updated Active Directory user groups and accounts. Malicious Internal Access Malicious Internal Access is one of the most understated threats when it comes to securing an organization’s information assets and it is no different for the TCC West Campus. An insider threat can allow for a loss of extremely sensitive company information and assets. As previously reviewed in the Active Directory control, the on-going issue of properly maintaining the Active Directory can allow for increased threat potential of malicious internal access. Risk Mitigation and Loss Expectancy There is an enormous amount of trust (or lack of awareness) to any system administrator if an internal person decided to maliciously access any data while employed by TCC, or even after termination, if the proper policy is not followed to terminate access following unemployment of an administrator. In addition, access to a terminal to pursue malicious internal access is complemented by the lack of control over unauthorized physical access. Recommendation In order to properly implement risk mitigation for Malicious Internal Access, a number of measures can be taken. Firstly, an indirect method of risk mitigation is correcting the Active
  • 10. 9 IT Audit Directory maintenance security control. This ensures that no user has more access than needed to any confidential data and ensures that the discontinuation of access is implemented. Another method, is to deploy a software solution that allows for active monitoring and remote control of user sessions and access, and reports live monitoring data of any suspicious activity. Multi- person access authentication can also be implemented in order to reduce the risk of any one individual obtaining access to data that is not pertinent to their position and to increase awareness of such attempts. This software implementation, when properly configured, will also increase available logs and documentation in the event of an incident for inside and outside risk assessments and/or audits. Unauthorized Physical Access When main school hours are not in session, the TCC West Campus’ policy is to have most of the building’s doors locked and access is not permitted. This policy is currently maintained by having a selected security personnel travel to each entrance or doorway and manually lock the doors and entrances. At this time, there is no way to verify that every door was locked to provide security in the buildings to which access should not be granted. Our main focus was on this risk, as our group performed a check of this policy and found that we were able to access a building that was not supposed to be accessible to personnel via an unlocked door. This risk not only allows for property to be stolen, but any sort of documentation that is potentially not properly secured or information that is exposed can be at risk of theft. In addition, a single unauthorized access point can allow for multiple access points to become accessible, furthering the potential damage and security concern.
  • 11. 10 IT Audit Risk Mitigation and Loss Expectancy In order to address loss expectancy, we must review the potential controls that can be implemented and the damages from a security incident. The cost could range from a few hundred dollars to multiple thousand depending on the security control implemented. An implementation of extra personnel rounds, cost of time, and wages must be accounted for. If an electronic system was implemented, the cost would be multiple thousands for the purchasing of equipment, maintaining software, training time and expense, and implementation testing that would all require additional time and training. A security incident involving unauthorized access would potentially risk a loss of physical assets including any documentation that may have FERPA regulations attached to it, creating additional incident exposure and possible penalties. Recommendation In order to properly mitigate this exposed security control, a number of measures can be taken. The doors are all manually controlled to be locked or unlocked and each individual door is separate from all others, and must be individually addressed when this policy is in action. A possible solution is to implement and maintain an electronic locking control system on all of the doors on the campus that can be centrally maintained. With such a system it would be possible to centrally control the securing of doors and access points and an ability to verify that the doors that need to be secured are indeed locked. A second possible option is having multiple personnel making the checks on doors, verifying that they are locked, and reporting back with the status of the securing of doors and access points. Although this method is more cumbersome and time consuming, it is also less expensive and easier to implement with a change of policy. This will allow for extra safeguarding against potential quality control failures in securing the campus.
  • 12. 11 IT Audit Environmental Threats Environmental threats may occur due to accidents or unexpected changes in the environment. The impact of an environmental threat, specifically fire may include destruction of information technology assets and enterprise premises. Risk Mitigation and Loss Expectancy The loss associated with the threat of fire is the building structure and the contents. The building that houses the computer lab is equipped with a fire suppression sprinkler system which is water based. Any instance of fire in the computer lab will result in a total loss of assets. The ALE is calculated to be 1% * 3,000,000 SLE = $300,000 Recommendation Re-evaluate the computer lab fire protection system and have the system re-fitted with a Halon type system Malicious Outsider Threats An outsider threat occurs when someone outside your organization seeks to gain protected information by infiltrating and taking over the profile of a trusted user. A malicious outsider depends on the weakness in the authentication process, which is the result of human error. People, process and technology help to reduce the vulnerabilities that exist in products, software and technologies.
  • 13. 12 IT Audit Risk Mitigation and Loss Expectancy The more commonly used a program is the bigger target it represents and the more likely it is that vulnerability will be exploited. Existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. Most software companies release patches for download. Contact software vendors to receive updates, patches or vulnerability alerts. Patch all devices to prevent the vulnerabilities that exist in products, software or technologies from malicious outsider threats. There are no costs associated with updates, patches or alerts. Recommendations Prevent any vulnerability that exist and routinely monitor anti-virus software for updates and install the updates as recommended. Loss of Hardware Loss of hardware may occur due to environmental damage or theft of hardware from the premises. The loss of, or damage to hardware will have an immediate impact, which may affect the institutions staff and student body. Risk Mitigation and Loss Expectancy Loss of hardware may occur due to environmental damage or theft of hardware from the premises. The loss or damage to hardware will have an immediate impact, which may affect curricular activities. The system units at all workstations are vulnerable to theft. The system units are attached under the desks with a sliding bracket. The ALE is calculated to be 10% * 600 SLE = $60.00
  • 14. 13 IT Audit Recommendations Purchase and install Byte Brothers Loc Kit 1. This is an industrial adhesive kit. The peel-and- stick security system provides asset control and prevents theft. There are many other options available, but this particular kit is the most cost efficient solution. The Loc Kit can be for purchased for $19.10.
  • 15. 14 IT Audit Summary Statement After reviewing all the threats and vulnerabilities revealed through the audit, it is highly recommended that most, if not all, security controls suggested be implemented within 1-3 months of this assessment. Because of the low cost and feasibility of the recommendations, TCC West Campus would benefit from the various improvements proposed throughout the campus. Also, an annual reassessment of these threats and vulnerabilities is recommended to assist with the nature of technology and the evolving threats that arise from them.