OCTAVE-S on TradeSolution Inc.
Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current strategy
TradeSolutions Inc. TradeSolutions Inc. A mid sized company with an office in Sweden Specialized in providing trading solution and surveillance technology for marketplaces, banks. Develops, customize and maintain trading platform ‘TradePro’. Customers access TradePro using the client application to do trading
TradeSolutions Inc. TradeSolutions Inc. 200 local workstations with windows XP running File Server, Web Server, Database Server, MS Exchange 2007 mail server. Production server which hosts TradePro Centrally stored data is located at two different premises (sites 1 and 2) Every employee can access the file server, database server and web server from remote area using VPN
Impact Criteria Reputation: Customer loss >10% Finance: Annual financial loss > 5 Million SEK Productivity: Staff work hours increase > 20% Fine: > 2.5 Million SEK
Critical Assets Code Repository Production Server Mail Server Personal Computers TradePro team Phase1: Asset-Based Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities Critical IT component
Threats with Highest Impact Code Repository Disclosure of the code o Competitors, hackers (External) o Employees (Internal) High impact on reputation, finance and productivity Production server Interruption or destruction o Competitors, hackers (External) o Internal IT team (Internal) o system problem, power supply and natural disaster High impact on reputation and finance Phase 3: Develop Security Strategy and Plans
Personal Computers Interruption or destruction o Competitors, hackers (External) o System problems and power supply High impact on reputation and finance. Mail Server Disclosure of the messages o Hackers (External) o Developers and internal IT (Internal) High impact on reputation and finance TradePro Team Unavailability of the team due to illness, family problems, retirement, resignation and lay off High impact on productivity and finance Phase 3: Develop Security Strategy and Plans Threats with Highest Impact
Authentication and Authorization (Red) Introduce Role based authorization scheme as a formal mechanism to restrict unauthorized users to access critical assets. Employees should not be given administrative privileges. The security policy should include the proper procedures to review the access rights of any employee. Internal IT team must take care of these issues Phase 3: Develop Security Strategy and Plans Protection Strategy & Risk Mitigation Plans
System and Network management (Yellow) Formal mechanisms should be defined to enforce Security Policy Access to USB and CD ROMs should be limited Checking the systems to remove any unnecessary software. Implement an auditing mechanism to verify whether the security requirements are met. Introduce new network managing and monitoring tools to reduce the manual labor. Implement a secure system. Internal IT decides and tracks this part. Phase 3: Develop Security Strategy and Plans Protection Strategy & Risk Mitigation Plans
Security awareness and training (Yellow) For all employees Conduct awareness courses. Workshop for new secure system Trainers from inside the company Responsibility of senior management For Internal IT Professional Workshop for new purchased security tools to protect code repository, production server and secure mail server. Trainers from outside the company Responsibility of security manager Phase 3: Develop Security Strategy and Plans Protection Strategy & Risk Mitigation Plans
Next Step Adequate funding should be allocated. Senior and security management supervision is needed. Security courses should begin just after the deployment of new tools and implementation of authorization policies. Conduct OCTAVE-S six months after the completion of general security awareness courses for all employees.