IT Security Management: Case Study of TechCom
Question
Brief description of assessment task: This task requires you to demonstrate the ability to investigate security management issues in corporate organisations, based on the real-life case study outlined in the background information below, and to write a report.
In your report, you will be required to follow prescribed procedures to evaluate risk levels and the potential impact of threats and vulnerabilities for a real-life organisation.
You will be assessed on your ability to analyse the security requirements and objectives of the organisation as well as the efficacy of the risk management strategies that they’ve implemented.
Background information: Your report should be based on the following real-life case study:
The personal data including the addresses of more than half a million blood donors across Australia was compromised in a massive security breach at the Australian Red Cross that has been blamed on human error.
Following an Australian government enquiry, your security company has been hired to undertake a security analysis in relation to the incident and write a report about cyber security risks.
You can find details of the enquiry at:
https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-australian-red-cross-blood-service
https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-precedent-communications-pty-ltd
Based on the findings of the enquiry, your task is to write a report that includes the following:
Assessment 2: individual problem-solving task 2
- A security risk assessment that addresses future cyber security risks, threats and vulnerabilities to the Australian Red Cross blood donor system (these can be technical or business risks).
- A business requirements analysis that assesses future business requirements of the Australian Red Cross, which may include technical, policy, human and governance aspects.
Answer
Executive Summary: This study examines a real cyber security incident that occurred in September 2016, when the personal information of about 550,000 Australian blood donors was released on a publicly accessible website. The data was supposed to be stored on servers adequately protected against any kind of external intervention. However, that security was compromised, and TechCom, which was supposed to maintain and develop the online, network-based data of the Australian Red Cross, came under scrutiny and investigation. The study discusses the main reason for this data breach, along with the business requirements that should be considered before TechCom carries out its operations. It also discusses the different data-breach techniques available to external threats and the precautions the concerned authorities need to take to avoid them.
Introduction: Cyber security has become one of the most important aspects of any operation that involves the internet and related assets. TechCom therefore needs to ensure a well-protected internet server, so that external threats are prevented from breaching the cyber security system and causing damage to, or loss of, confidential data. This study takes the case of the security breach experienced by the Australian Red Cross Society in September 2016 and analyses the possible reasons for the breach. It also highlights points that must be considered in order to prevent security threats or vulnerabilities to the data server in future.
Assessment of the major security threats, risks and vulnerabilities to TechCom and implementation of the necessary information security protection mechanisms through proper analysis of the requirements, plans and policies of IT services
The major issue identified in the Australian Red Cross data breach incident was the loss of the personal data and information of over half a million blood donors, which was posted on a publicly accessible server. According to cyber security experts like Daly (2018), personal data of this kind must be stored on a secure internet-based server so that it can be accessed only by authorized personnel. Moreover, the data must be accessed only at a time of crucial need and after obtaining the permission of the legal owners of the data. There are a number of threats and vulnerabilities affecting data stored on online servers, and hence necessary precautions must be taken to avoid any kind of risk from external as well as internal sources.
Security Risk Assessment including threats and vulnerabilities
There are multiple risks associated with the operation of online-based servers, and they come from both internal and external threats. The most common threat to any online data server is the vulnerability of that server to external hacking (Lattin et al. 2017). There are methods by which external miscreants can attack the server of any company and steal, publicize or tamper with data in ways that can potentially harm TechCom and the people associated with it. The following are some common types of threats and vulnerabilities to the TechCom online-based server.
Malware attack: This is a form of external, alert-based cyber security attack in which an external hacker sends some type of malicious program to one or more computers connected to a server. As per Martin et al. (2017), malware commonly found in the cyber security world includes ransomware, viruses and adware, which appear on computers as repeated pop-ups followed by links to click in order to fix the reported issues. The moment a computer user clicks on those links, the internal programs of the computer or network server are damaged.
SQL Injection attack: In an SQL injection attack, the attacker injects a malicious program into the computer server with the intention of stealing data from the server for illegitimate purposes. As described by Tomossy et al. (2017), this is the most effective way of hacking and stealing the data of any protected service, as it does not disclose the identity of the hacker and can also decipher secured information such as credit card information and other forms of payment gateways, as well as other classified information.
Human error: Human error is not a very common reason for a security breach in an online service, but it still exists because not every employee in TechCom is skillfully trained to stop a potential threat to the data (Cheng et al. 2017). In the security breach that happened at the Australian Red Cross, human error was the most prominent reason for the release of personal data belonging to about 550,000 blood donors on a public website. In a statement, the chief executive of the Australian Red Cross blood service, Shirley Park, said that the information of blood donors who donated blood from 2010 to 2016 was left on a development website in a completely unsecured condition. As described by Devereux et al. (2017), it was later found that this was a human error originating from the third party responsible for the maintenance and development of data and information associated with the Australian Red Cross Society.
Business requirement analysis associated with Australian Red Cross case study
Any organization that uses online-based services to carry out its operations and store its classified data must be very careful about the business requirements and security concerns associated with them. As stated by Williamson et al. (2015), the Australian Red Cross must have its own IT Services Department, so that the online servers handled by the third party can be overseen, and occasionally handled by the core team if required. The following are some of the requirements that are relevant to the above-mentioned incident at the Australian Red Cross Society and that can help to reduce human error to a significant extent.
Making the portals and interfaces of working servers more user-friendly
It has often been observed that computer servers are not very user-friendly and that their interfaces are very complicated for the operator. As mentioned by Segall (2016), the developers of any web-based program or network server interface need to take care of the convenience and accessibility of the network according to the preferences of the actual operator. Therefore, the third-party vendor that takes care of the maintenance and development of the online assets of the Australian Red Cross must ensure that proper amendments are made to the online portal so that the operator does not get confused while using it.
Proper training of the IT operators
Apart from developing the software and hardware assets of an organization’s online servers, it is important that the employees directly involved in handling the networking servers are properly trained, so that no worker leaves the development portal unsecured while using it, as happened in the case of the Australian Red Cross. It has been further opined by Bagot et al. (2016) that online-based servers must be secure enough that no external individual or potential threat can breach the server even if it is left unsecured by internal users. The necessary updates made to any networking server must be included in the syllabus of the employees’ regular training and development sessions.
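The human-error finding and the requirement above, that a server should stay safe even when an operator leaves something behind, can be backed by an automated check. The following is an added example, not part of the original report: it assumes the exposure takes the form of a database export sitting inside a web server's document root (the report says only that the data was left unsecured on a development website), and the extension list, marker strings, function names and sample files are all constructed for illustration.

```python
import os
import tempfile

# Assumed extensions that commonly hold database exports or site backups.
RISKY_EXT = {".sql", ".bak", ".dump", ".gz", ".zip", ".tar"}
# Assumed byte strings that appear near the top of SQL dump files.
DUMP_MARKERS = (b"-- MySQL dump", b"PostgreSQL database dump",
                b"INSERT INTO", b"CREATE TABLE")

def looks_like_dump(path, sniff=4096):
    """True if the first bytes of the file contain an SQL dump marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff)
    except OSError:
        return False
    return any(marker in head for marker in DUMP_MARKERS)

def find_exposed_backups(docroot):
    """Return sorted (relative_path, reason) pairs for files under docroot
    that look like data exports a web server would hand to any visitor."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(folder, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if looks_like_dump(path):        # content wins over the file name
                reason = "sql-dump-content"
            elif os.path.splitext(name)[1].lower() in RISKY_EXT:
                reason = "backup-extension"
            else:
                continue
            findings.append((os.path.relpath(path, docroot), reason))
    return sorted(findings)

def build_sample_docroot():
    """Create a constructed document root with harmless and risky files."""
    root = tempfile.mkdtemp(prefix="docroot_")
    samples = {
        "index.html": b"<html>Donate blood</html>",
        "dev/backup_2016.sql": b"-- MySQL dump 10.13\nINSERT INTO donor VALUES (1);\n",
        "dev/export.txt": b"CREATE TABLE donor (id INT);\n",  # dump behind a plain name
        "assets/site.tar": b"\x00" * 16,
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in find_exposed_backups(build_sample_docroot()):
        print(f"{reason:18} {rel}")
```

Run on a schedule or as a deployment gate against development and production document roots, a check like this catches the leftover file regardless of which operator or vendor created it.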
Upgrading the network server security regularly
Many cyber security experts, including Herstein et al. (2018), have found that there are many ways to breach the security of any network-based data storage. Moreover, hackers invent new techniques every day to compromise the security of organizations that hold information useful to them, such as credit card details and other online portals. Therefore, the cyber security team of TechCom, including the third party that protects the online assets of the Australian Red Cross blood donation service, must upgrade its security systems regularly and keep a check on the new techniques that have been developed to breach data security.
Summary
The analysis of the above-mentioned case study of the data security breach linked to the Australian Red Cross blood donation service has shown that overall security needs to be ensured by maintaining a balance between all the security aspects. The study has described various types of internal and external threats that can harm the online-based server of TechCom, along with the specific reason responsible for the breach of the personal information of 550,000 blood donors in Australia and its posting on a publicly accessible website portal. After analyzing the main reason for this security breach, the study has discussed the possible steps that can be taken to reduce the risk of human error and the catastrophic consequences associated with it.
Reference List
Bagot, K.L., Masser, B.M., Starfelt, L.C. and White, K.M., 2016. Building a flexible, voluntary donation panel: an exploration of donor willingness. Transfusion, 56(1), pp.186-194.
Cheng, L., Liu, F. and Yao, D.D., 2017. Enterprise data breach: causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5).
Daly, A., 2018. The introduction of data breach notification legislation in Australia: a comparative view. Computer Law & Security Review.
Devereux, P., Paull, M., Hawkes, M. and Georgeou, N., 2017. Volunteering and the UN sustainable development goals: Finding common ground between national and international volunteering agendas?. Third Sector Review, 23(1), p.209.
Herstein, J.J., Springer, J., Anzalone, J., Medcalf, S. and Lowe, J.J., 2018. A needs assessment of infection control training for American Red Cross personnel working in shelters. American Journal of Infection Control, 46(4), pp.471-473.
Lattin, A., Lam, Y. and Hunt, J., 2017. Identifying and managing emerging risks for directors and officers. Governance Directions, 69(5), p.302.
Martin, G., Martin, P., Hankin, C., Darzi, A. and Kinross, J., 2017. Cybersecurity and healthcare: how safe are we?. BMJ, 358, p.j3179.
Segall, A., 2016. Protection of cultural property in armed conflict: treaty ratification and implementation. Commonwealth Law Bulletin, 42(3), pp.455-459.
Tomossy, G.F., Bending, Z.J. and Maluga, P., 2017. Privacy and metadata: The hidden threat to whistle-blowers in public health systems. Ethics, Medicine and Public Health, 3(1), pp.124-134.
Williamson, L.M., Benjamin, R.J., Devine, D.V., Katz, L.M. and Pink, J., 2015. A clinical governance framework for blood services. Vox Sanguinis, 108(4), pp.378-386.