ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director
Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Background Information
The Problems
Your Role
Your Tasks
Figures
Notes
Questions
Profile
Background Information
What we do
Financials
Org. Structure
Operational
Industry
Products
Sales
Figure 1: Code Galore Organisational Chart (reconstructed from the flattened chart; reporting lines are inferred from column positions in the original layout)
  CEO
  Reporting to the CEO: CSO; VP, Business; VP, Finance; CTO; VP, Human Resources
  Under the CSO: Security Administrator
  Under the VP, Finance: Accounting Dir.; Sr. Financial Analyst
  Under the CTO: Infrastructure Mgr.; Sys. Dev. Mgr.
  Under the VP, Human Resources: HR Manager
The Problems Overview
Acquisition
Code Galore is in many ways fighting for its life, and the fact that, four months ago, the
board of directors made the decision to acquire a small software start-up company,
Skyhaven Software, has not helped the cash situation.
Skyhaven consists of approximately 15 people, mostly programmers who work at the
company's small office in Phoenix, Arizona, USA. Originally, the only connection between
your network and Skyhaven's was an archaic public switched telephone network (PSTN) link.
Setting up a WAN
Two months ago, your company's IT director was tasked with setting up a dedicated wide
area network (WAN) connection to allow the former Skyhaven staff to remotely access
Code Galore's internal network and vice versa.
You requested that this implementation be delayed until the security implications of
having this new access route into your network were better understood, but the CEO
denied your request on the grounds that it would delay a critical business initiative,
namely getting Skyhavens code integrated into Code Galores.
Information Security
More recently, you have discovered that the connection does not require a password for
access and that, once a connection to the internal network is established from outside the
network, it is possible to connect to every server within the network, including the server that
holds Code Galore's source code and software library and the server that houses employee
payroll, benefits and medical insurance information.
Fortunately, access control lists (ACLs) limit the ability of anyone to access these sensitive
files, but a recent vulnerability scan showed that both servers have vulnerabilities that could
allow an attacker to gain unauthorised remote privileged access; an attacker with privileged
access on the server is not constrained by the file ACLs, so they offer no protection against
that path.
You have told the IT director that these vulnerabilities need to be patched. However, because
of the concern that patching may cause the servers to crash or behave unreliably, and because
Code Galore must soon become profitable or cease to exist, you have granted the IT director a
delay of one month in patching the servers.
Bots
What now really worries you is that, earlier today, monitoring by one of the security
engineers who does some work for you showed that several hosts in Skyhaven's network
have bots installed on them.
Source Code
Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code
(which is to be integrated into Code Galore's source code as soon as the Skyhaven
programmers are through with the release on which they are currently working) is on just
about every Skyhaven machine, regardless of whether it is a workstation or a server.
Code Galore vs. Skyhaven: Employee Knowledge
Code Galore employees are, in general, above average in their knowledge and awareness of
information security, due in large part to an effective security awareness programme that you
set up two months after you started working at Code Galore and have managed ever since.
You offer monthly brown bag lunch events in a large conference room, display posters
reminding employees not to engage in actions such as opening attachments that they are not
expecting, and send a short monthly newsletter informing employees of the direction in
which the company is going in terms of security and how they can help.
Very few incidents due to bad user security practices occurred until Skyhaven Software was
acquired. Skyhaven's employees appear to have almost no knowledge of information security.
You have also discovered that the Skyhaven employee who informally provides technical
assistance does not make backups and has done little in terms of security configuration and
patch management.
Your Role
Your Role and the Business Units
The focus here is not on a business unit, but rather on Code Galore as a
whole, particularly on security risk that could cripple the business.
Due primarily to cost-cutting measures the CEO has put in place, your
annual budget has been substantially less than you requested each year.
Frankly, you have been lucky that no serious incident has occurred so far.
You know that in many ways your company has been tempting fate.
You do the best you can with what you have, but levels of unmitigated risk
in some critical areas are fairly high.
Your Role and the CEO, Ernest Wingate
Mr. Wingate's focus on cost cutting is a major reason that you have not
been able to obtain more resources for security risk mitigation measures.
Your Role and the IT Director, Carmela Duarte
Code Galore's IT director is Carmela Duarte. She has put a system of change control into
effect for all IT activities involving hardware and software.
This system is almost perfect for Code Galore: it is neither draconian nor too lax, and
very few employees have any complaints about it.
You have an excellent working relationship with her, and although she is under
considerable pressure from her boss, the CTO, and the rest of C-level management to
take shortcuts, she usually tries to do what is right from a security control perspective.
She is working hard to integrate the Skyhaven Software network into Code Galore's, but
currently, there are few resources available to do a very thorough job. She would also
do more for the sake of security risk mitigation if she had the resources.
Carmela has worked with Code Galore since 2006, and she is very much liked and
respected by senior management and the employees who work for her.
Your Tasks
You believe that Code Galore's (but not Skyhaven Software's) security risk is well
within the risk appetite of the CEO and the board of directors.
You have a good security policy (including acceptable use provisions) and standards
in place, and you keep both of them up to date.
You have established a yearly risk management cycle that includes asset valuation,
threat and vulnerability assessment, risk analysis, controls evaluation and selection,
and controls effectiveness assessment, and you are just about ready to start a
controls evaluation when you suddenly realise that something more important
needs to be done right away (outlined in the section The Problems).
Using the figure 4 template, you need to modify the qualitative risk analysis that you
performed six months ago to take into account the risk related to Skyhaven
Software. The major risk events identified during this risk analysis are shown in
figure 2.
You must not only head this effort, but for all practical purposes, you will be the only
person from Code Galore who works on this effort.
You may find that some risk events are lower in severity than before, possibly to
the point that allocating further resources to mitigate them would not be
appropriate. This may help optimise your risk mitigation investments.
To the degree that you realistically and accurately identify new and changed risk,
you will modify the direction of your information security practice in a manner
that, ideally, lowers the level of exposure of business processes to major risk and
facilitates growth of the business.
Failure to realistically and accurately identify new and changed risk will result in
blindness to relevant risk that will lead to unacceptable levels of unmitigated risk.
COBIT 5 provides tools that might be helpful in determining the best approach to
reassessing and prioritising the major risk events, in EDM03, Ensure risk
optimisation.
You must also provide a clear and complete rationale for the risk events, their
likelihood, and their impacts (outlined in the section Alternatives With Pros and Cons
of Each).
Code Galore is in a very difficult situation. Its existence is uncertain, and money is critical
right now.
Yet, this company has opened itself up to significant levels of security risk because of
acquiring Skyhaven Software and the need for former Skyhaven programmers to access
resources within the corporate network.
Worse yet, even if the chief security officer (CSO) in this scenario correctly identifies and
assesses the magnitude of security risk from acquiring Skyhaven and opening the Code
Galore network to connections from the Skyhaven network, and prescribes appropriate
controls, given Code Galore's cash crunch, not many resources (money and labour) are likely
to be available for these controls.
If an information security steering committee exists, the CSO must keep this committee fully
apprised of changes in risk and solicit input concerning how to handle this difficult situation.
At the same time, the CSO should initiate an ongoing effort (if no such effort has been
initiated so far) to educate senior management and key stockholders concerning the
potential business impact of the new risk profile. (Note: The kind of situation described in
this caselet is not uncommon in real-world settings.)