Security Environment Assessment

Upload: charla-gibson

Post on 19-Jan-2016


Outline

- Overview
- Key Sources and Participants
- General Findings
- Policy / Procedures
- Host Systems
- Network Components
- Applications
- Overall Assessment - Compliance with Policy
- Next Steps


Overview

- Objective
  - Broad sweep to find significant strengths / weaknesses
  - Baseline - not final statement of vulnerabilities
- Approach
  - Interviews
  - Review of system configurations
  - Automated assessment tools (GFI)
  - Examined policy, procedures, host systems, network infrastructure, and some applications


General Findings - Strengths

- Linksys Router / Firewall protects the network perimeter
- Mostly Standardized Intel Platform with an OS, of which is XP
- Customer security requirements have positively influenced security awareness
- Regulatory requirements dictate due diligence


General Findings - Weaknesses

- External (e.g., Internet) access is not restricted (i.e., inappropriate network traffic is not filtered)
- Identified critical internal systems are not isolated
- Production systems are not subject to configuration management
- Security program lacking key components and scope necessary to effectively influence all systems
- Security staff not required, but security knowledge and emphasis are lacking, as is the technical expertise to perform effective oversight of all systems
- Policies not used to guide internal activities
- Security responsibilities not well defined
- Available technical features not used to best advantage


Policy / Procedures - Weaknesses

- System-specific practices not tied to top-level policy
- User account / password management practices
- Access control decisions
- Workstation policy not clear; basic features not implemented
- High-level policies for Internet usage, etc. do not exist
- Procedures well defined for systems not defined
- Training / user awareness for system-specific features not provided
- Training / user orientation that emphasizes personal responsibility does not exist
- Incident detection and response not addressed


General Findings - Weaknesses (cont)

- System-specific procedures lacking
- Security not integrated with business processes
- Security responsibility for new systems and applications not well defined
- Staff lacks technical expertise to effectively influence design of new systems


Policy/Procedures

- Strengths
  - High-level policy has good components
  - Training / user orientation emphasizes personal responsibility
  - Procedures well defined for mainframe systems
- Weaknesses
  - System-specific practices not tied to top-level policy
  - User account/password/access practices not consistent
  - No provisions for incident detection / response


Host Systems

- Strengths
  - Privileged access limited
  - Security enhancements being implemented on some systems
- Weaknesses
  - Available features not used to best advantage
  - Technical vulnerabilities on many systems
  - Unnecessary services are available
  - Configuration not guided by security policy


Network Infrastructure

- Strengths
  - Firewall/address translator limits external access
  - Router filters limit access within the network
- Weaknesses
  - Network security responsibility not well defined; configuration not guided by a security policy
  - No capability for encrypted internal communications, remote access, or Internet links
  - Dial-up access not well controlled or secured


Applications

- Strengths
  - Development and production environments are segregated
  - Application security features are used to restrict access
- Weaknesses
  - Password management practices are inconsistent
  - Personal accountability is not always maintained


Overall Assessment -- Compliance with Security Policies

Comparison of observed practice with the published “Information Security Policy”

Policy does not influence security configuration / management of non-mainframe systems

Most policy statements have not been implemented consistently across the enterprise


Next Steps

- Reaction to vulnerabilities/weaknesses
  - Recommend, prioritize, and implement fixes
- Implementation of Internet and remote access solution
  - Validate design; implement technical fixes, policy, and procedures
- Define network security enhancements
  - Refine requirements; select and implement solution