Thesis on "Security Self-Assessment Coyote Systems Security Self-Assessment Organization"

Thesis 7 pages (2030 words) Sources: 1


Security Self-Assessment

Coyote Systems Security Self-Assessment

Organization Description

Coyote Systems develops enterprise software applications for the world's leading manufacturing companies. It has development offices in Chicago, Illinois; throughout the major cities of India; and in London, England. The company was one of the first to develop databases that could be used to manage complex manufacturing processes and, as a result, was able to charge high yearly maintenance fees. These fees produced significant monthly revenue streams for Coyote, which allowed it to invest in advanced development technologies. These technologies include collaborative global development networks on which programming projects are completed around the clock. Coyote was one of the first companies able to run programming projects on a 24/7 basis because of this advanced development network.

Security Self-Assessment of Coyote Systems

The security self-assessment completed on Coyote Systems is organized into three major areas: management controls, operational controls and technical controls. The management controls area includes risk management, review of security controls, life cycle analysis, the authorize-processing audit (including certification and accreditation) and the system security plan. The operational controls of personnel security, physical security and production input/output controls are also analyzed. In addition, contingency planning, hardware and systems maintenance, data integrity, documentation, security awareness and training, and incident response capability are analyzed. Finally, the technical controls of identification and authentication, logical access controls and audit trails are analyzed for Coyote Systems. The framework and seventeen subtopics are based on the document Security Self-Assessment Guide for Information Technology Systems (Swanson, 2001). This analysis is organized using the questionnaire included in the Self-Assessment Guide.

Management Controls

Beginning with the risk management assessment, Coyote Systems was found to be in compliance with the majority of factors on the questionnaire pertaining to this specific set of attributes. The company regularly completes audits of its programming data and also replicates potential Denial of Service (DoS) attacks against its development network. Throughout the analysis it was clear that threats from IP-based impersonation of Coyote Systems' own development network nodes had been anticipated, yet not completely guarded against through advanced rules- and constraint-based logic in security software. This lack of actual protection against IP-based impersonation and other approaches to spoofing an actual node on the development network is a significant vulnerability the company needs to address. Critical data would be directly accessible if an IP-based impersonation attack were to succeed, which also puts the entire IT system at significant risk from external attack. Analysis of the systems shows that the risk is contained relative to known threats, yet coverage is insufficient against more advanced ones. Coyote Systems has completed a Total Cost of Ownership (TCO) analysis of its security applications and has a business case justifying its spending on incremental security upgrades to better manage the more complex, sophisticated threats. The company has not, however, integrated these financial analyses into its broader fiscal planning, as the spending is seen as an optional expense.

The second area of management controls, review of security controls, was assessed next. Coyote Systems does random audits of all access points to its development network, investing a significant amount of time in evaluating how effective security controls are for its perimeter. There are randomized audits of passwords and identity verification to ensure the roles-based access given to developers globally is in fact being used as intended. Audits are also completed monthly of the network scanning equipment used to evaluate the validity of IP address authenticity. This will help alleviate the potential threats from impersonation of IP address identities and from complex approaches that use IP spoofing algorithms to break into development networks. For the monitoring of this network scanning equipment and these calibration instruments, the company has created a quarterly process for evaluating non-compliance and the corrective action necessary to bring them into specification. This process is manual and relies on a series of checklists in the IT Department. There is no audit trail from this data, however, and the corrective action processes are not consistent in their approach; they rely on the expertise of the senior members of the Network Support Team. There is significant room for improvement in the definition of consistent non-compliance and corrective action processes and procedures within this specific area of reviewing security controls. Despite this lack of consistency in non-compliance and corrective action for the evaluation of network scanning equipment and instrumentation, system administrators have successfully standardized the continual monitoring of the routers, switches and gateways they are responsible for in their specific development areas of support.
The system administrators have in fact defined a consistent process that each of them executes every week to ensure the routers, switches and gateways are consistently monitored for any potential attempts to break into the developer network. The system administrators have also devised a series of security alerts that are triggered at the IP level for the more advanced router, switch and gateway systems they are responsible for. These alerts generate a system-wide alert that is sent immediately to all system administrators of the developer network globally when security tolerances are surpassed for any device in the network. System administrators have the ability to lock down or even completely isolate one specific node of development systems, depending on the severity of the alerts and analysis. This alert process needs to be considered for inclusion across Coyote Systems for other potential security processes as well. IT management does have an escalation procedure in place for ensuring corrective actions are effectively implemented over time, and it audits the results of these responses to potential and actual threats. The IT management teams also post trending analysis by threat category, by area of the network, and by project area in their team meeting rooms so they can see the impact of their strategies over time. Coyote Systems also keeps this data available on dashboards on the IT management team's intranet site, accessible only by them and by the system administrators who report to this organization. This has been a successful strategy for ensuring a high level of adoption of these metrics and is leading to greater contributions to their performance over time. Posting these results has given IT management and system administrators the opportunity to see quickly how their security strategies are influencing system performance while keeping it secure.
These dashboards have also been effective in determining whether remedial action to resolve potential and real security breaches to the network has been effective. The causality of their security strategies is an area the IT management team is specifically interested in evaluating, to see the long-term effects of improving non-compliance and corrective action procedures and initiatives.

Life cycle considerations of the management controls within Coyote Systems are managed by both IT and software engineering. Software engineering has extensive experience in the Software Development Life Cycle (SDLC) and provides expertise for security guidance in the phases of initiation, development and acquisition, implementation, operation, and disposal. The objective of this cross-functional effort is to integrate the security concepts of the SDLC into each phase of new software development projects to ensure higher levels of security and compliance are achieved. There is an extensive Engineering Change Order (ECO) process in place for evaluating how each specific operating system, application, and development tools implementation across the development work stays in compliance with the security requirements of the company. By taking these steps to integrate the specific operating system, application and development tools into the development network at a highly secure level, the entire IT architecture stays in compliance with the corporate-wide security standards. All Requests for Proposals (RFP) to Coyote Systems are required to meet its requirements for security and to be in compliance with the broader IT architecture requirements as well. In the implementation phase of operating systems, applications and development tools, IT and development teams work most closely together to ensure testing of each application is thoroughly audited so that no potential security risks to the company are present. These test results are audited, and a certification testing process is also in place that reports back variances from the standards defined. Changes to internal procedures for managing operating systems, applications and development tools are also completed through the ECO process, further validating secure use of all new code and internally developed applications.
As with the implementation phase, the operation and maintenance phase within Coyote Systems also relies on a high degree of collaboration between IT and software development teams. Both teams have authored a system security plan, which has been approved by the CEO and the board of directors and which includes a fiscal planning component that needs to be integrated into the yearly strategic planning process. The system security plan is the responsibility of the CIO and his staff, and it is updated every six months or in the event of a significant new system going online. When new systems are integrated into the development network the system security plan is also updated to reflect this…

Quoted Instructions for "Security Self-Assessment Coyote Systems Security Self-Assessment Organization" Assignment:

Report

1: Carry out a security self-assessment of an organization using the NIST Special Publication 800-26 as a guide.

2: Write a report based on the self-assessment of an organization.

- The SP 800-26 document is a self-assessment guide to assess the IT system of an organization.

- It is recommended that you use primary areas such as Management controls, Operational controls, Technical controls, etc., as a guide to assess a system.

- It should be 7 pages long, 12 point character size, single line spacing, and 1" margins (left, right, top, and bottom).

- It is recommended that you do not use the actual name of the organization in the report; call it "ABC Inc."

- Report should include a brief description of the organization, nature of the business, analysis of the results, and recommendations for improvement in the form of an action plan.

3: 7th page explains the results and recommendations of your assessment to senior management of the organization (in bullet points)


How to Reference "Security Self-Assessment Coyote Systems Security Self-Assessment Organization" Thesis in a Bibliography

“Security Self-Assessment Coyote Systems Security Self-Assessment Organization.” A1-TermPaper.com, 2009, https://www.a1-termpaper.com/topics/essay/security-self-assessment-coyote-systems/4526. Accessed 1 Jul 2024.

