risk assessment case study
TRANSCRIPT
One Day Workshop on Risk Assessment conducted for (ISC)2 Chennai Chapter
Right Place Right Time Solutions: Practical Implementation of a NIST SP 800-30 Risk Assessment
Praveen Joseph Vackayil, Deepak Umapathy
11/21/2014
DISCLAIMER: This case study is entirely a work of fiction, created with the intention of demonstrating the implementation of a formal risk assessment. All company and people names used are fictitious and are products of the authors’ imagination. Any resemblance to any entity, organization or person, living or dead, is unintentional.
Right Place Right Time Solutions: A Risk Assessment Odyssey
History
Right Place Right Time Solutions is an IT services company based in Siruseri, Chennai. They are primarily an
application development services provider with a small yet loyal client-base located in the US. Right Place was
started in 2006 by two Crescent Engineering College alumni, Anup Kumar and Jeff Antony. While in college, both
lads used to actively work on elance.com, rendering application development services to US projects. Once they
finished their B.E, they wanted to take their passion for coding to the next level. They started Right Place in a small
2BHK on OMR. Jeff was to serve as CEO, while Anup was appointed COO and CTO.
A strong network of contacts built over years of working on elance.com led to their first client – a leading bank in
the US. They needed an application for employees to submit corporate card expenses, and Right Place was the
chosen vendor. As the IT industry in India took off, so did Right Place. They maintained a focused and niche profile
– outsourced application developers for banking and financial organizations in the US. This allowed them to
showcase their focus on:
Knowledge of how the American banking industry works
Knowledge of American banking laws and regulations
Application development expertise and
Outsourced delivery of services
This focused business model served as an elevator sales pitch in itself. Word spread, and by 2010 Right Place had
added as many as 87 US banks to its client portfolio. The team size grew to 350+, and the office was now set
on a sprawling 5 acre campus in SIPCOT IT Park, Siruseri. The company developed an informal and result-driven
culture. The employees were mostly BE freshers within the 21 to 25 age group. Dress-code was casual, work hours
were not tracked and employees were encouraged to bring their unique talents into the work-place and grow with
Right Place. The 2009-10 recession was a particularly challenging time for Right Place, but the young leaders (Anup
and Jeff) called a bean-bag board meeting and decided they would showcase to the clients that outsourcing and
more outsourcing was in fact the answer to the current economic climate in the US. The guys managed to pull a
good show and did, in fact, manage to coast through the worst of the recession.
Security Troubles
After the recession, things started to take a turn for Right Place Right Time. American banks started becoming more
and more obsessive about a certain little thing called information security. The Right Place team started
encountering more and more calls from the clients – calls front-ended by newly hired personnel calling themselves
CSOs, CISOs, Risk Manager, etc. The clients were curious about what was happening to their information when it
was handed over to Right Place.
Now of course, the Right Place team was happy to host a client meeting or two, and showcase their cheery campus
to the American clients. However, they started to notice an increase in the number of client audits – audits that did
not seem to go so well. The clients were concerned about Right Place’s overall compliance posture. Terms such as
a Governance Framework, Vulnerability Assessments, Risk Assessments, etc. evolved into common parlance in the
Right Place board room.
Jeff and Anup did their research and understood a few things: security was fast becoming a prerequisite for any
organization operating in the banking sector. Not only were banks emphasizing internal
security, they were ensuring a minimum baseline of security compliance from their service providers as well. MSAs
were revised and clients were becoming more particular about implementing security at Right Place. Somehow,
Right Place had managed to pull through the previous years without any major security incidents. However,
maintaining that status was no longer going to be as simple as doing nothing about it. The first thing Anup decided
was: they needed to hire a security guy. The second was: tell him/her in the least overwhelming way possible that
they need to take Right Place through a complete U turn in terms of its security posture.
CISO Speak
Enter Philip Williams. After 9 years in IT and Risk Management, Right Place Right Time was just the challenge that
Philip was looking for. He joined Right Place as Chief Information Security Officer. He reported directly to the CEO,
and was tasked with the following:
Set up an information security and risk management program for Right Place Right Time
Achieve compliance with the applicable regulations, whether it was ISO 27001, PCI DSS, SOX, FISMA, etc.
Philip took a couple of weeks to settle into his new environment. Once ready, he called a meeting with Anup and
Jeff. His plans were as follows:
To devise an information security and risk management program, the first step would be to capture the
current posture of the organization. Then he needed to capture the security requirements of each ODC. This
would be based on the sensitivity of the client data handled by Right Place. Philip knew that the best way to
get started on this was a risk assessment. Accordingly, he would be able to achieve the objectives set for him:
o Risk Management Program: The risk assessment would help him identify:
Security requirements of each ODC
Current security posture of each ODC
Risk level of each ODC
The RA findings would help Philip initiate the risk management functions of “treat, terminate, tolerate, and
transfer”. Once the risk is brought down to acceptable levels, all that will be required is maintenance,
monitoring and update of the RA report.
o Compliance Requirements: The risk assessment would reveal the areas where compliance was absolutely
applicable, and those where its applicability could be removed. Based on this, Philip would devise a
compliance management program for Right Place Right Time.
The RPRT Risk Assessment
To set out on his RA journey, Philip met with the following personnel.
Manoj Krishna– Head, Physical Security Administration
Sonia Arora– Head, Project Delivery
Rohit Kumar–Manager, IT Operations
Priya Thomas– AVP, HR
Discussion with Manoj Krishna– Head, Physical Security Administration
The Right Place campus is a 5 acre facility situated in SIPCOT IT Park, Siruseri, Chennai. The site is 5km away from
the Chennai coast-line, and is surrounded on 2 sides by large buildings. The approach road to the site is wide and
well-linked to the main road. Road lighting is provided by the SIPCOT authorities.
Owned entirely by Right Place, the campus consists of 2 Software Development Blocks, each with a capacity of 400
personnel. The campus is operational 24 hours a day. There is one entry and one exit gate at the front. All
employees, clients and visitors use this gate. In addition, a back gate is present at the rear for housekeeping staff
and vendors. The physical security management of the facility is outsourced to a company called RA Security. The
campus is under 24/7 surveillance. Controls applied are as follows:
Turnstiles are installed at the front of each SDB
Access card readers are installed at all critical points – such as CCTV Control Room, Data center, switch room
and at all ODCs.
The campus consists of 60 CCTV cameras as follows:
o 9 PTZ (Pan-Tilt-Zoom) cameras installed at the perimeter gates, as well as at the entry and exit of
each SDB
o 51 Motion based cameras installed at the entry and exit of each ODC
While camera recordings are captured, there is no real-time monitoring of events by a security guard.
CCTV camera health checks are done every quarter. However, owing to a contract related dispute, RA Security
has not done this regularly for the past 1 year.
Access card logs are retained for many years, while camera recordings, retained on a DVR, are over-written
every 45 days.
A 3m high wall surrounds the entire campus with barbed wire fencing on top.
Lights are positioned at the gates to monitor incoming traffic.
Security guards are stationed at each of the three gates and at the entry and exit points of each SDB. In
addition, security guards are positioned at the data center and also at the ODC entry-door if required by the
client.
The campus receives power supply from the Tamil Nadu Electricity Board. There is 1 diesel generator, holding
a minimum of 7000 liters of diesel at any given point. In case of a power black-out, the diesel generator can
power the campus on full load for 2 days. However, there is no back-up for the diesel generator.
There have been instances of incidents and disasters on the campus.
o Torrential rains had led to the campus being inundated at multiple points. Although water has never
entered the buildings, there is no strong safeguard against this, in case of a steady downpour.
o Last year, there was a short circuit in the UPS room, leading to a fire at 2 am. It was not detected
early, since the smoke detectors had failed. Luckily, it was noticed by the on-call security guard and
the fire was contained.
o There have been instances of USB sticks and personal electronic devices being brought inside the
campus and taken out by employees.
There is no secondary site to support business operations in case the Siruseri site goes down.
Discussion with Sonia Arora– Head, Project Delivery
Right Place has nearly 150 banking clients, all located in the US
The services rendered include: Application Development, Testing, Maintenance and Production Support. The
service portfolio is varied for each client. For instance, while Client A might have outsourced the entire SDLC
process to Right Place, Client B might have outsourced the development bit to another vendor (maybe Indian,
maybe located right next door in SIPCOT), and the testing bit to Right Place.
Test data for application testing is usually provided by the client. When deadlines loom large, there are
instances when the testers refer to a stored repository of production data which they use as test data.
Code review is a standard procedure that all written code needs to go through, but there have been
challenges in implementing it. Further, secure code review has not been strictly formalized in all instances.
The teams have some awareness on OWASP. SQL Injection and buffer overflow are terms they have
encountered, but there hasn’t been a formal secure coding guideline or a secure coding checklist issued either
by the client or internally within Right Place.
Production support teams work in shifts and help the clients in answering their customers’ queries,
managing batch jobs, etc. They have full access to production data at the client’s side.
The production data can easily be transmitted to the local RPRT domain via copy-paste, printscreen, etc. It can
also be emailed to Gmail and other personal IDs since there is no DLP installed.
Internet is somewhat restricted inside the ODC. While Facebook and Gmail are blocked, other less popular
email or file-share websites are still accessible.
The project manager is responsible for maintaining a list of employees with access to their ODC. If an
employee is shifted to a different project or is leaving the company, the PM should liaise with the facilities
team to revoke their access to the ODC. In some cases, the intimation from the PM to the facilities team was
sent 3 to 7 days after the employee’s last day in the ODC.
Discussion with Rohit Kumar – Manager, IT Operations
The RPRT High Level Network Diagram is as follows:
Right Place has its own data center located in the SIPCOT IT Park campus.
The IT admin team is relatively small, consisting of a 3-member team. They manage servers as well as
network devices.
Networks:
Unique user IDs are configured on the firewalls, but the vendor-provided default username is still active on some
L3 switches.
The internet-facing firewall’s IOS has not been upgraded in the last 2 years, owing to concerns about the
impact on business productivity.
VA and PT on the network devices have not been done. Ever.
Firewall configuration changes are routed through a change management process. However, the change
implementer and the change reviewer are from within the same team and usually hold similar ranks
within the organization.
The firewall allows clear-text protocols such as Telnet, FTP, etc. These rules were opened in response to business
requirements raised 2 years ago. The change requests (CRs) are still on file, but the IT team does not know if these
protocols are still required.
Nipper reviews of the firewall configs have not been done.
There is no log management, IDS/IPS or file integrity monitoring deployed in Right Place. Logs created by
network or system components are stored in the devices’ local memory. There is no mechanism to consolidate,
review or retain logs.
Servers:
The admins use one common username to access all servers. The password is an “unwritten” truth known
to all the members. The following are the key servers in Right Place:
o Active Directory: The entire company is on the RPRT Domain. Sub-domains and OUs may be
configured if a client requires a dedicated domain for their ODC. In addition, the AD server acts
as the NTP server. It derives time updates from time.windows.com and pushes them to the end-
points. It checks for time synchronization with the source every 60 minutes. If a user’s account is
locked out, he/she will reach one of the server admins via a Helpdesk number. A new and
temporary password is communicated via phone to the user. User is forced to change password
on first login.
o Anti-virus Server: Norton Anti-virus is installed on the environment. The AV server downloads
.dat updates from the vendor’s website and pushes them to applicable end-points. Periodic scans
are configured to run every week. Linux servers have no anti-virus installed.
o Patch Management Server: The environment consists of Windows and Linux servers. The WSUS
downloads updates from Microsoft and pushes them to the individual machines as applicable.
Linux servers are patched on a requirement basis. The last patching activity for Linux was done
14 months ago.
o DHCP server: The DHCP provides dynamic IP addresses as required by desktop and laptop
devices.
Desktop patching is scheduled on weekends. If a system is not switched on, it is captured in the patch
report. But there have been difficulties in following it up to closure.
The IT team does not regularly follow external sources such as SANS or CERT for security advisories.
Desktops and Laptops:
Users are not given admin rights on their desktops. Exceptions do exist, depending on project
requirements.
End of life desktop hard-disks are degaussed and punched.
While users do not have admin rights on laptops, the admin password on their systems is yet another
“unwritten truth” that many are aware of. The IT team has no control over how the laptop is used when
outside the RPRT network.
Discussion with Priya Thomas- AVP, HR
The HR team consists of 5 members taking care of recruitment and termination, employee engagement
and soft-skills training.
New hires join either straight out of campus or as laterals from other organizations.
All employees are required to clear a background verification process in order to continue to work with
Right Place. BG verification is outsourced to multiple vendors within India. Checks for criminal records,
credit limit, employment history, education, etc. are done. The defined SLA is that BG verification must be
completed within 1 month of the date of joining.
Employee engagement and awareness sessions have been conducted in the past, but none have touched
upon the aspects of information security.
With the above information, Philip set out to frame his risk assessment. Multiple follow-up discussions were held,
consisting of visits to various teams, review of system configurations, walkthrough of physical security controls,
etc. Two months later, Philip’s risk assessment report was tabled. Let’s find out how.
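How the interview findings above can be turned into a ranked risk register using the qualitative method of NIST SP 800-30 Rev. 1, as an added worked example that is not part of the original case study or of the authors' report. The two matrices (overall likelihood from likelihood of initiation and likelihood of adverse impact, Table G-5; risk from overall likelihood and impact, Table I-2) are transcribed from the publication and should be checked against it before use. The six sample findings are taken from the discussions above, but their likelihood and impact ratings and the "Moderate or above gets treated" risk appetite are assumptions made for illustration; the page assigns none.

```python
"""Qualitative risk scoring in the style of NIST SP 800-30 Rev. 1 (added example).

Likelihood and impact are rated on the five-level scale used in the publication.
Overall likelihood combines the likelihood that a threat event is initiated with
the likelihood that it results in adverse impact (Table G-5); risk combines
overall likelihood with impact (Table I-2). Verify both matrices against the
published tables before relying on them.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5. Rows: likelihood of initiation. Columns, in LEVELS order:
# likelihood that the initiated event results in adverse impact.
OVERALL_LIKELIHOOD = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Table I-2. Rows: overall likelihood. Columns, in LEVELS order: level of impact.
RISK_LEVEL = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def _idx(level: str) -> int:
    """Position of a rating on the scale; rejects anything outside the five levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    _idx(initiation)
    return OVERALL_LIKELIHOOD[initiation][_idx(adverse_impact)]


def risk_level(likelihood: str, impact: str) -> str:
    _idx(likelihood)
    return RISK_LEVEL[likelihood][_idx(impact)]


# Assumed risk appetite for RPRT (not stated in the case study): a risk rated
# Moderate or higher needs a treatment decision; anything below is tolerated.
TREATMENT_THRESHOLD = "Moderate"


def treatment(risk: str) -> str:
    return "treat" if _idx(risk) >= _idx(TREATMENT_THRESHOLD) else "tolerate and monitor"


@dataclass(frozen=True)
class Finding:
    ref: str
    threat_event: str
    vulnerability: str
    initiation: str      # likelihood the threat event is initiated or occurs
    adverse_impact: str  # likelihood that, once initiated, it causes harm
    impact: str          # severity of that harm


def assess(findings):
    """Score each finding and return register rows sorted from highest to lowest risk."""
    rows = []
    for f in findings:
        lik = overall_likelihood(f.initiation, f.adverse_impact)
        risk = risk_level(lik, f.impact)
        rows.append({"ref": f.ref, "threat_event": f.threat_event,
                     "vulnerability": f.vulnerability, "likelihood": lik,
                     "impact": f.impact, "risk": risk, "treatment": treatment(risk)})
    rows.sort(key=lambda r: _idx(r["risk"]), reverse=True)  # stable: ties keep input order
    return rows


# Constructed sample: six findings from the interviews, with ratings assumed
# for illustration only (the case study assigns none).
SAMPLE_FINDINGS = [
    Finding("F1", "Shared admin account abused by insider or attacker",
            "one common admin username/password on all servers", "High", "High", "High"),
    Finding("F2", "Client production data leaks via personal email or USB",
            "production data kept as test data; no DLP", "High", "Very High", "Very High"),
    Finding("F3", "Credentials sniffed from clear-text management traffic",
            "Telnet/FTP permitted through the firewall", "Moderate", "High", "High"),
    Finding("F4", "Fire in the UPS room goes undetected",
            "failed smoke detectors", "Low", "High", "Very High"),
    Finding("F5", "Departed employee re-enters an ODC",
            "ODC access revoked 3 to 7 days late", "Moderate", "Moderate", "Moderate"),
    Finding("F6", "Tailgating goes unnoticed",
            "CCTV recorded but not monitored in real time", "Low", "Low", "Low"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_FINDINGS):
        print(f'{r["ref"]}  risk={r["risk"]:<9} likelihood={r["likelihood"]:<9} '
              f'impact={r["impact"]:<9} -> {r["treatment"]}')
```

With the assumed ratings the register comes out with F2 (production data leakage) at Very High, F1 (shared admin account) at High, F3, F4 and F5 at Moderate and F6 at Low; the point of separating initiation likelihood from adverse-impact likelihood is visible in F4, where a rare event with failed detection still lands at Moderate because of its Very High impact.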