Sensitive HR department hard-copy files found in the Budget and Management department.
HR soft-copy files can be accessed by the President's assistant.
Sensitive emails from the customer loan department are sent within the intranet in plain text.
Sensitive emails from the loan default department are sent to an outside legal firm.
Backups are performed weekly on magnetic tape; the tapes are not encrypted but are stored in a secure vault.
Some departments have Norton antivirus and some have McAfee.
Some departments have the latest antivirus updates and some do not.
Audit trail and transaction logs are monitored weekly, usually on Friday afternoon.
The customer data server holding sensitive information is now positioned in public view outside the President's office.
Not all networks and subnets have firewalls to restrict the flow of incoming and outgoing information.
All computers running UNIX and Windows NT or 2000 are tested with Webenforcer.
Tripwire is used to verify file and system integrity, in particular for servers, routers, switches and web pages.
You have 45 minutes to complete the following:
Review the list of data security observations.
Make comments about each observation - for example, whether it is a serious problem or not so serious, whether you would give it priority or not, whether you would have to wait for availability of funds, etc.
List which assets are vulnerable and the potential impact on the organization if those assets were compromised.
What are the threats to the confidentiality, integrity and/or availability of the assets?
How could the threats be exploited?
What means might an intruder use?
What motive might the intruder have?
How could you protect against the threats?
From a risk-management point of view, what would be the expected loss?
What other observations or comments would you like to make?