GLOBAL FINANCE, INC. (GFI)
Global Finance, Inc. (GFI) is a financial company that manages thousands of accounts across Canada, the United States, and Mexico. A public company traded on the NYSE, GFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.
GFI employs over 1,600 employees and has been experiencing consistent growth keeping pace with S&P averages (approximately 8%) for nearly six years. A well-honed management strategy built on scaling operational performance through automation and technological innovation has propelled the company into the big leagues; GFI was only recently profiled in Fortune Magazine.
The executive management team of GFI:
page1image8200 page1image9128 page1image9288 page1image9448 page1image9608
Figure 1 GFI Management Organizational Chart BACKGROUND AND YOUR ROLE
You are the Computer Security Manager educated, trained, and hired to protect the physical and operational security of GFI’s corporate information system.
You were hired by COO Mike Willy and currently report to the COO. You are responsible for a $5.25m annual budget, a staff of 11, and a sprawling and expansive data center located on the 5th floor of the corporate tower. This position is the pinnacle of your career – you are counting on your performance here to pave the way into a more strategic leadership position in IT, filling a vacancy that you feel is so significantly lacking from the executive team.
There is actually a reason for this. CEO John Thompson believes that the IT problem is a known quantity – that is, she feels the IT function can be nearly entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department; the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Since the CEO has taken the reigns two years ago, the CEO has made significant headway in cutting your department’s budget by 30% and reducing half of your staff through outsourcing. This has been a political fight for you: maintaining and reinforcing the relevance of an internal IT department is a constant struggle. COO Willy’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology combined with a diminishing IT footprint gravely concerned Jacobson, and he begged to at least bring in a manager to whom these obligations could be delegated to. Jacobson’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of the information system was compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.
Executive Assistant Kim Johnson
Vice Presidnet Trey Elway
Executive Assistant Julie Anderson
Executive Assistant Michelle Wang
Director of Marketing John King
page1image33712 page1image34808 page1image35904 page1image37000 page1image38096
CCO Andy Murphy
COO Mike Willy
CFO Ron Johnson
Director of HR Ted Young
GFI has experienced several cyber-attacks from outsiders over the past a few years. In 2012, the Oracle database server was attacked and its customer database lost its confidentiality, integrity, and availability for several days. Although the company restored the Oracle database server back online, its lost confidentiality damaged the company reputations. GFI ended up paying its customers a large sum of settlement for their loss of data confidentiality. Another security attack was carried out by a malicious virus that infected the entire network for several days. While infected the Oracle and e-mail servers had to be shut down to quarantine these servers. In the meantime, the company lost $1.700, 000 in revenue and intangible customer confidence.
There’s no question that the company’s CEO sees the strategic importance of technology in executing her business plan, and in this way you share a common basis of principle with her: that IT is a competitive differentiator. However, you believe that diminishing internal IT services risks security and strategic capability, whereas the CEO feels she can acquire that capability immediately and on the cheap through the open market. You’re told that CEO Thompson reluctantly agreed to your position if only to pacify COO Willy’s concerns.
CORPORATE OFFICE NETWORK TOPOLOGY
page3image512 page3image944 page3image1104 page3image1264
page3image3928 page3image4088 page3image4512 page3image4672 page3image5432 page3image6024 page3image7288 page3image7712 page3image7872
You are responsible for a corporate WAN spanning 10 remote facilities and interconnecting those facilities to the central data processing environment. Data is transmitted from a remote site through a VPN appliance situated in the border layer of the routing topology; the remote VPN connects to the internal Oracle database to update the customer data tables. Data transaction from the remote access to the corporate internal databases is not encrypted.
A bulk of the data processing for your company is handled by Oracle database on a high end super computer. The trusted computing based (TCB) internal network is situated in a physically separated subnet. This is where all corporate data processing is completed and internal support team has its own intranet web server, a SUS server, an internal DNS, an e-mail system, and other support personnel workstations. Each corporate department is segregated physically on a different subnet and shares the corporate data in the TCB network.
Ever since the article ran in Fortune about GFI, your network engineers report that they’ve noted a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information.
Increasingly, GFI’s CEO Thompson attempts to outsource IT competency. In fact, you’ve been told of a plan from COO Willy to outsource network management and security functions away from your department and to a service integrator. COO Willy warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator that can provide secure services at 40% less annual cost than you.
The interrelationship between data and operations concerns you. Increasingly, some of the 10 remote sites have been reporting significant problems with network latency, slow performance, and application time-outs against the Oracle database. The company’s business model is driving higher and higher demand for data, but your capability to respond to these problems are drastically limited.
Mobility is important for the organization to interact with the customers and other co-workers in near real-time. However, the CEO is concerned with the mobility security and would like to research for the best practice for mobility computing. The CEO is willing to implement a BYOD policy if security can be addressed.
Employees enjoy the flexibility of getting access to the corporate network using a WiFi network. However, the CEO is concerns over the security ramifications over the wireless network that is widely open to the company and nearby residents.
The company plans to offer its products and services online and requested its IT department to design a Cloud Computing based e-commerce platform. However, the CEO is particularly concerned over the cloud computing security in case the customer database is breached.
ï‚· Identify and describe the organizational authentication technology and network security issues.
ï‚· Make a list of access points internal and external (remote).
ï‚· Design a secure authentication technology and network security for GFI.
ï‚· Make assumptions for any unknown facts.
ï‚· List all known vulnerabilities you can identify in this environment and address them by proposing a new design. You may use any combination of technologies to harden authentication process and network security measures.
ï‚· Address the CEO’s concern over the mobility security and design a secure mobile computing (smart phones, tablets, laptops, etc.) in terms of authentication technologies and data protection.
ï‚· Identify wireless vulnerabilities and recommend what safeguards, authentication technologies, and network security to protect data should be implemented.
ï‚· Design a cloud computing environment for the company with a secure means of data protection at rest, in motion and in process.
Risk Assessment Paper Rubric
You are given a fictional scenario above describing security issues affecting organizational assets. You will identify the risks associated with the assets, and recommend mitigating procedures. You will prepare a quantitative / qualitative risk assessment to address risk factors on organizational assets. Your final paper will be 15–25 pages long in a Word document and will be graded using the following rubric.
Inventoried, prioritized assets and addressed mission objectives in their asset priority. (10)
Evaluated enterprise topology, perimeter protection measures, and addressed mission objectives. . (10)
Evaluated remote access protocols, security safeguards to the network, and addressed mission objectives. (10)
Evaluated authentication protocols, methodologies with supporting data, description; and addressed mission objectives. (10)
Assigned asset values to organization assets in a complete inventory, and addressed mission objectives. (10)
Assessed vulnerabilities on each asset and impacts if compromised; of complete inventory and addressed mission objectives. (10)
Assessed risk based on probability and its impact discovered on each asset and summarized them. (10)
page5image29376 page5image29536 page5image29696 page5image29856 page5image30016 page5image30176 page5image30816 page5image30976 page5image31136 page5image31296 page5image31456 page5image31616 page5image31776 page5image31936 page5image32096
page5image41776 page5image42200 page5image42784 page5image43208 page5image43792 page5image44216 page5image45808 page5image45968 page5image46128 page5image46288 page5image46448 page5image46608
Inventory assets and prioritize them in the order of mission criticality.
Did not inventory or prioritize assets in the order of mission criticality. (1)
Inventoried assets but did not prioritize them in the order of mission criticality. (3)
Inventoried, prioritized assets, but did not address mission objectives in their asset priority. (6)
page5image52736 page5image53328 page5image53752 page5image53912 page5image54336 page5image54760 page5image54920 page5image55344 page5image55768 page5image57360 page5image57952 page5image58376 page5image58536 page5image58960 page5image59384 page5image59544 page5image59968 page5image60392 page5image61560 page5image61720 page5image61880 page5image62040 page5image62200 page5image62360
Evaluate enterprise topology and perimeter protection.
Did not evaluate enterprise topology and perimeter protection. (1)
Evaluated enterprise topology but did not include perimeter protection measures. (3)
Evaluated enterprise topology, perimeter protection measures, but did not address mission objectives. (6)
page5image67752 page5image68176 page5image68768 page5image69192 page5image69352 page5image69776 page5image70200 page5image70360 page5image70784 page5image71208 page5image71368 page5image71792 page5image72376 page5image72800 page5image73392 page5image73816 page5image73976 page5image74400 page5image74824 page5image74984 page5image75408 page5image75832 page5image75992 page5image76416 page5image77000 page5image77160 page5image77320 page5image77480 page5image77640 page5image77800
Evaluate remote access to the networks.
Did not evaluate remote access protocols and safeguards to the network. (1)
Evaluated remote access protocols but did not address security safeguards to the network. (3)
Evaluated remote access protocols, security safeguards to the network, but did not address mission objectives. (6)
page5image83552 page5image83976 page5image84568 page5image84992 page5image85152 page5image85576 page5image86000 page5image86160 page5image86584 page5image87008 page5image87168 page5image87592 page5image88176 page5image88600 page5image89192 page5image89616 page5image89776 page5image90200 page5image90624 page5image90784 page5image91208 page5image91632 page5image91792 page5image92216 page5image92800 page5image92960 page5image93120 page5image93280 page5image93440 page5image93600
Evaluate authentication protocols and methodologies.
Did not evaluate authentication protocols and methodologies. (1)
Evaluated authentication protocols, methodologies but with insufficient data or inadequate description. (3)
Evaluated authentication protocols, methodologies with supporting data and description, but lacks mission objectives. (6)
page5image99520 page5image100112 page5image100536 page5image100696 page5image101120 page5image101544 page5image101704 page5image102128 page5image102552 page5image103720 page5image104144 page5image104736 page5image105160 page5image105320 page5image105744 page5image106168 page5image106328 page5image106752 page5image107176 page5image107336 page5image107760 page5image108344 page5image108504 page5image108664 page5image108824 page5image108984 page5image109144
Assign asset values to organization assets for quantitative / qualitative risk assessment.
Did not assign asset values to organization assets for quantitative / qualitative risk assessment. (1)
Assigned asset values to organization assets for quantitative / qualitative risk assessment but incomplete. (3)
Assigned asset values to organization assets in a complete inventory, but did not address mission objectives. (6)
page5image116280 page5image116872 page5image117296 page5image117456 page5image117880 page5image118304 page5image118464 page5image118888 page5image119312 page5image120904 page5image121496 page5image121920 page5image122080 page5image122504 page5image122928 page5image123088 page5image123512 page5image123936 page5image125104 page5image125264 page5image125424 page5image125584 page5image125744 page5image125904
Assess vulnerabilities on each asset and impacts if compromised.
Did not assess vulnerabilities on each asset and impacts if compromised. (1)
Assessed vulnerabilities on each asset and impacts if compromised; but incomplete. (3)
Assessed vulnerabilities on each asset and impacts if compromised; of complete inventory but did not address mission objectives. (6)
page5image132552 page5image133144 page5image133568 page5image133728 page5image134152 page5image134576 page5image134736 page5image135160 page5image135584 page5image136752 page5image137176 page5image137768 page5image138192 page5image138352 page5image138776 page5image139200 page5image139360 page5image139784 page5image140208 page5image140368 page5image140792 page5image141376 page5image141536 page5image141696 page5image141856 page5image142016 page5image142176
Assess risk based on probability of compromise and its impact discovered on each asset.
Did not assess risk based on probability of compromise and its impact discovered on each asset. (1)
Assessed risk based on probability and its impact discovered on each asset but incomplete. (3)
Assessed risk based on probability and its impact discovered on each asset but did not summarize them. (6)
page5image153936 page5image154256 page5image154576
page5image158416 page5image159216 page5image159376 page5image159536 page5image159696 page5image159856 page5image160016 page5image160176 page5image160336 page5image160496 page5image160656 page5image160816 page5image160976 page5image161136
page6image5312 page6image5472 page6image6480 page6image6904
page6image9576 page6image9736 page6image11168
Recommend risk mitigation procedures commensurate with asset values.
Did not recommended risk mitigation procedures commensurate with asset values. (1)
Recommended risk mitigation procedures commensurate with asset values, but incomplete. (3)
Recommended risk mitigation procedures commensurate with asset values of complete inventory, but did not address mission objectives. (6)
Recommended risk mitigation procedures commensurate with asset values of complete inventory, and addressed mission objectives. (10)
Formulate 15-25 pages of a quantitative or qualitative risk assessment in APA format.
Did not follow proper quantitative or qualitative risk assessment format, and failed to conform to APA format. (1)
Followed proper quantitative or qualitative risk assessment format but did not conform to APA format. (3)
Followed proper quantitative or qualitative risk assessment format and conformed to APA but insufficient reference list and page count. (6)
Followed proper quantitative or qualitative risk assessment format and conformed to APA in a sufficient reference list and page count. (10)
Executive summary of risk assessment.
Did not include an executive summary. (1)
Included an executive summary but lacks details. (3)
page6image73592 page6image74016 page6image74600
Included an executive summary in details, but did not address the mission objectives. (6)
Included an executive summary in details, and addressed mission objectives. (10)
Project does not have any attached files