risk assessment case study


One Day Workshop on Risk Assessment conducted for (ISC)2 Chennai Chapter

Right Place Right Time Solutions Practical Implementation of an NIST SP 800-30 Risk Assessment

Praveen Joseph Vackayil, Deepak Umapathy

11/21/2014

DISCLAIMER: This case study is entirely a work of fiction, created with the intention of demonstrating the implementation of a formal risk assessment. All company and people names used are fictitious and are products of the authors’ imagination. Any resemblance to any entity, organization or person, living or dead, is unintentional.

Right Place Right Time Solutions: A Risk Assessment Odyssey

History

Right Place Right Time Solutions is an IT services company based in Siruseri, Chennai. They are primarily an application development services provider with a small yet loyal client base located in the US. Right Place was started in 2006 by two Crescent Engineering College alumni, Anup Kumar and Jeff Antony. While in college, both lads used to actively work on elance.com, rendering application development services to US projects. Once they finished their B.E., they wanted to take their passion for coding to the next level. They started Right Place in a small 2BHK on OMR. Jeff was to serve as CEO, while Anup was appointed COO and CTO.

A strong network of contacts built over years of working on elance.com led to their first client – a leading bank in the US. They needed an application for employees to submit corporate card expenses, and Right Place was the chosen vendor. As the IT industry in India took off, so did Right Place. They maintained a focused and niche profile – outsourced application developers for banking and financial organizations in the US. This allowed them to showcase their focus on:

- Knowledge of how the American banking industry works
- Knowledge of American banking laws and regulations
- Application development expertise, and
- Outsourced delivery of services

This focused business model served as an elevator sales pitch in itself. Word spread and by 2010, Right Place had added as many as 87 US banks to its client portfolio. The team size grew to 350+, and the office was now set on a sprawling 5 acre campus in SIPCOT IT Park, Siruseri. The company developed an informal and result-driven culture. The employees were mostly BE freshers within the 21 to 25 age group. Dress code was casual, work hours were not tracked and employees were encouraged to bring their unique talents into the workplace and grow with Right Place. The 2009-10 recession was a particularly challenging time for Right Place, but the young leaders (Anup and Jeff) called a bean-bag board meeting and decided they would showcase to the clients that outsourcing, and more outsourcing, was in fact the answer to the current economic climate in the US. The guys managed to pull off a good show and did, in fact, manage to coast through the worst of the recession.

Security Troubles

Post the recession, things started to take a turn for Right Place Right Time. American banks started becoming more and more obsessive about a certain little thing called information security. The Right Place team started encountering more and more calls from the clients – calls front-ended by newly hired personnel calling themselves CSOs, CISOs, Risk Managers, etc. The clients were curious about what was happening to their information when it was handed over to Right Place.

Now of course, the Right Place team was happy to host a client meeting or two, and showcase their cheery campus to the American clients. However, they started to notice an increase in the number of client audits – audits that did not seem to go so well. The clients were concerned about Right Place’s overall compliance posture. Terms such as Governance Framework, Vulnerability Assessments, Risk Assessments, etc. evolved into common parlance in the Right Place board room.

Jeff and Anup did their research and understood a few things: security was fast becoming a prerequisite for any organization operating in the banking sector. Not only were banks emphasizing internal security, they were ensuring a minimum baseline of security compliance from their service providers as well. MSAs were revised and clients were becoming more particular about implementing security at Right Place. Somehow, Right Place had managed to pull through the previous years without any major security incidents. However, maintaining that status was no longer going to be as simple as doing nothing about it. The first thing Anup decided was: they needed to hire a security guy. The second was: tell him/her, in the least overwhelming way possible, that they need to take Right Place through a complete U-turn in terms of its security posture.

CISO Speak

Enter Philip Williams. After 9 years in IT and Risk Management, Right Place Right Time was just the challenge that Philip was looking for. He joined Right Place as Chief Information Security Officer. He reported directly to the CEO, and was tasked with the following:

- Set up an information security and risk management program for Right Place Right Time
- Achieve compliance with the applicable regulations, whether it was ISO 27001, PCI DSS, SOX, FISMA, etc.

Philip took a couple of weeks to settle into his new environment. Once ready, he called a meeting with Anup and Jeff. His plans were as follows:

- To devise an information security and risk management program, the first step would be to capture the current posture of the organization. Then he needed to capture the security requirements of each ODC. This would be based on the sensitivity of the client data handled by Right Place. Philip knew that the best way to get started on this was a risk assessment. Accordingly, he would be able to achieve the objectives set for him:
  o Risk Management Program: The risk assessment would help him identify:
    - Security requirements of each ODC
    - Current security posture of each ODC
    - Risk level of each ODC
    The RA findings would help Philip initiate the risk management functions of “treat, terminate, tolerate, and transfer”. Once the risk is brought down to acceptable levels, all that will be required is maintenance, monitoring and update of the RA report.
  o Compliance Requirements: The risk assessment would reveal the areas where compliance was absolutely applicable, and those where its applicability could be removed. Based on this, Philip would devise a compliance management program for Right Place Right Time.

The RPRT Risk Assessment

To set out on his RA journey, Philip met with the following personnel:

- Manoj Krishna – Head, Physical Security Administration
- Sonia Arora – Head, Project Delivery
- Rohit Kumar – Manager, IT Operations
- Priya Thomas – AVP, HR

Discussion with Manoj Krishna – Head, Physical Security Administration

The Right Place campus is a 5 acre facility situated in SIPCOT IT Park, Siruseri, Chennai. The site is 5 km away from the Chennai coastline, and is surrounded on 2 sides by large buildings. The approach road to the site is wide and well-linked to the main road. Road lighting is provided by the SIPCOT authorities.

Owned entirely by Right Place, the campus consists of 2 Software Development Blocks (SDBs), each with a capacity of 400 personnel. The campus is operational 24 hours a day. There is one entry and one exit gate at the front. All employees, clients and visitors use this gate. In addition, a back gate is present at the rear for housekeeping staff and vendors. The physical security management of the facility is outsourced to a company called RA Security. The campus is under 24/7 surveillance. Controls applied are as follows:

- Turnstiles are installed at the front of each SDB.
- Access card readers are installed at all critical points – such as the CCTV Control Room, Data center, switch room and at all ODCs.
- The campus consists of 60 CCTV cameras as follows:
  o 9 PTZ (Pan-Tilt-Zoom) cameras installed at the perimeter gates, as well as at the entry and exit of each SDB
  o 51 motion-based cameras installed at the entry and exit of each ODC
- While camera recordings are captured, there is no real-time monitoring of events by a security guard.
- CCTV camera health checks are done every quarter. However, owing to a contract-related dispute, RA Security has not done this regularly for the past 1 year.
- Access card logs are retained for many years, while camera recordings, retained on a DVR, are overwritten every 45 days.
- A 3 m high wall surrounds the entire campus with barbed wire fencing on top.
- Lights are positioned at the gates to monitor incoming traffic.
- Security guards are stationed at each of the three gates and at the entry and exit points of each SDB. In addition, security guards are positioned at the data center and also at the ODC entry door if required by the client.
- The campus receives power supply from the Tamil Nadu Electricity Board. There is 1 diesel generator, holding a minimum of 7000 liters of diesel at any given point. In case of a power black-out, the diesel generator can power the campus on full load for 2 days. However, there is no back-up for the diesel generator.
- There have been instances of incidents and disasters on the campus.
  o Torrential rains had led to the campus being inundated at multiple points. Although water has never entered the buildings, there is no strong safeguard against this in case of a steady downpour.
  o Last year, there was a short circuit in the UPS room, leading to a fire at 2 am. It was not detected early, since the smoke detectors had failed. Luckily, it was noticed by the on-call security guard and the fire was contained.
  o There have been instances of USB sticks and personal electronic devices being brought inside the campus and taken out by employees.
- There is no secondary site to support business operations in case the Siruseri site goes down.

Discussion with Sonia Arora – Head, Project Delivery

- Right Place has nearly 150 banking clients, all located in the US.
- The services rendered include: Application Development, Testing, Maintenance and Production Support. The service portfolio is varied for each client. For instance, while Client A might have outsourced the entire SDLC process to Right Place, Client B might have outsourced the development bit to another vendor (maybe Indian, maybe located right next door in SIPCOT), and the testing bit to Right Place.
- Test data for application testing is usually provided by the client. When deadlines loom large, there are instances when the testers refer to a stored repository of production data which they use as test data.
- Code review is a standard procedure that all written code needs to go through, but there have been challenges in implementing it. Further, secure code review has not been strictly formalized in all instances.
- The teams have some awareness of OWASP. SQL Injection and buffer overflow are terms they have encountered, but there hasn’t been a formal secure coding guideline or a secure coding checklist issued either by the client or internally within Right Place.
- Production support processes function in shifts and help the clients in answering their customers’ queries, managing batch jobs, etc. They have full access to production data at the client’s side.
- The production data can easily be transmitted to the local RPRT domain via copy-paste, print screen, etc. It can also be emailed to Gmail and other personal IDs since there is no DLP installed.
- Internet is somewhat restricted inside the ODC. While Facebook and Gmail are blocked, other less popular email or file-share websites are still accessible.
- The project manager is responsible for maintaining a list of employees with access to their ODC. If an employee is shifted to a different project or is leaving the company, the PM should liaise with the facilities team to revoke their access to the ODC. In some cases, the intimation from the PM to the facilities team was sent 3 to 7 days after the employee’s last day in the ODC.
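The last point above is a control gap that can be measured rather than just described: the access card logs are retained for years, so HR last-day dates can be reconciled against both the access control system's active entitlements and the actual badge entries. The script below is an added example, not part of the case study or the authors' workshop material; the HR records, entitlement export, card-reader log lines and the assessment date are all constructed for illustration, and the CSV-like log format is an assumption.

```python
"""Stale ODC access check: reconcile HR leaver/transfer dates against the
physical access control system. Added example for the RPRT case study;
all data below is constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class HrRecord:
    emp_id: str
    odc: str
    last_day: date  # last day the employee was entitled to enter this ODC


@dataclass(frozen=True)
class BadgeUse:
    emp_id: str
    odc: str
    when: datetime


# Constructed assessment date used by the stand-alone run and the checks below.
TODAY = date(2014, 11, 21)

# Constructed HR feed: two leavers, one project transfer, one current employee.
HR_RECORDS = [
    HrRecord("E1001", "ODC-BankA", date(2014, 11, 3)),   # left the company
    HrRecord("E1002", "ODC-BankB", date(2014, 11, 10)),  # moved to another project
    HrRecord("E1003", "ODC-BankA", date(2014, 11, 17)),  # left the company
    HrRecord("E1004", "ODC-BankC", date(2099, 12, 31)),  # current; no end date yet
]

# Constructed access control export: (emp_id, odc) pairs whose card is enabled.
PACS_ACTIVE = {("E1001", "ODC-BankA"), ("E1002", "ODC-BankB"), ("E1004", "ODC-BankC")}

# Constructed card-reader log, one "timestamp,emp_id,odc,result" line per swipe.
CARD_LOG = """\
2014-11-04T09:12:00,E1001,ODC-BankA,GRANTED
2014-11-06T18:40:00,E1001,ODC-BankA,GRANTED
2014-11-11T08:55:00,E1002,ODC-BankB,GRANTED
2014-11-18T09:01:00,E1003,ODC-BankA,DENIED
2014-11-18T09:03:00,E1004,ODC-BankC,GRANTED
"""


def parse_card_log(text: str) -> list[BadgeUse]:
    """Keep only successful entries; denied swipes mean the control worked."""
    uses = []
    for line in text.splitlines():
        ts, emp_id, odc, result = line.split(",")
        if result == "GRANTED":
            uses.append(BadgeUse(emp_id, odc, datetime.fromisoformat(ts)))
    return uses


def stale_entitlements(hr, active, today: date) -> list[tuple[str, str, int]]:
    """Cards still enabled after the HR last day: (emp_id, odc, days_overdue)."""
    ends = {(r.emp_id, r.odc): r.last_day for r in hr}
    out = []
    for emp_id, odc in sorted(active):
        last_day = ends.get((emp_id, odc))
        if last_day is not None and today > last_day:
            out.append((emp_id, odc, (today - last_day).days))
    return out


def entries_after_last_day(hr, uses) -> list[tuple[str, str, str]]:
    """Successful badge entries dated after the HR last day, i.e. the gap was used."""
    ends = {(r.emp_id, r.odc): r.last_day for r in hr}
    return [
        (u.emp_id, u.odc, u.when.isoformat())
        for u in uses
        if (u.emp_id, u.odc) in ends and u.when.date() > ends[(u.emp_id, u.odc)]
    ]


if __name__ == "__main__":
    for row in stale_entitlements(HR_RECORDS, PACS_ACTIVE, TODAY):
        print("still enabled: %s at %s, %d days after last day" % row)
    for row in entries_after_last_day(HR_RECORDS, parse_card_log(CARD_LOG)):
        print("entered after last day: %s at %s on %s" % row)
```

The first check finds entitlements the PM-to-facilities handoff has not yet closed; the second turns the "3 to 7 days" observation into evidence, since every GRANTED swipe after the last day is a concrete instance of the control failing. Run against real exports, the two lists give the risk assessment both a likelihood figure (how often it happens) and a fact base for the treatment decision.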

Discussion with Rohit Kumar – Manager, IT Operations

The RPRT High Level Network Diagram is as follows:

- Right Place has its own data center located in the SIPCOT IT Park campus.
- The IT admin team is relatively small, consisting of a 3 member team. They manage servers as well as network devices.

Networks:

- Unique user IDs are available on the firewalls, but the vendor-provided username is still active on some L3 switches.
- The internet-facing firewall’s IOS has not been upgraded in the last 2 years, owing to concerns about the impact on business productivity.
- VA and PT on the network devices have not been done. Ever.
- Firewall configuration changes are routed through a change management process. However, the change implementer and the change reviewer are from within the same team and usually hold similar ranks within the organization.
- The firewall allows clear-text protocols such as Telnet, FTP, etc. They were provided based on business requirements raised 2 years ago. The CRs are still available, but the IT team does not know if these protocols are still required.
- Nipper reviews of the firewall configs have not been done.
- There is no log management, IDS/IPS or file integrity monitor deployed in Right Place. Logs created by network or system components are stored in their local memory. There is no mechanism to consolidate, review or retain logs.

Servers:

- The admins use one common username to access all servers. The password is an “unwritten” truth known to all the members. The following are the key servers in Right Place:
  o Active Directory: The entire company is on the RPRT Domain. Sub-domains and OUs may be configured if a client requires a dedicated domain for their ODC. In addition, the AD server acts as the NTP server. It derives time updates from time.windows.com and pushes them to the end-points. It checks for time synchronization with the source every 60 minutes. If a user’s account is locked out, he/she will reach one of the server admins via a Helpdesk number. A new and temporary password is communicated via phone to the user. The user is forced to change the password on first login.
  o Anti-virus Server: Norton Anti-virus is installed on the environment. The AV server downloads .dat updates from the vendor’s website and pushes them to applicable end-points. Periodic scans are configured to run every week. Linux servers have no anti-virus installed.
  o Patch Management Server: The environment consists of Windows and Linux servers. The WSUS downloads updates from Microsoft and pushes them to the individual machines as applicable. Linux servers are patched on a requirement basis. The last patching activity for Linux was done 14 months ago.
  o DHCP server: The DHCP provides dynamic IP addresses as required by desktop and laptop devices.
- Desktop patching is scheduled on weekends. If a system is not switched on, it is captured in the patch report. But there have been difficulties in following it up to closure.
- The IT team is not so much in touch with external sources like SANS or CERT for security advisories.

Desktops and Laptops:

- Users are not given admin rights on their desktops. Exceptions do exist, depending on project requirements.
- End-of-life desktop hard disks are degaussed and punched.
- While users do not have admin rights on laptops, the admin password on their systems is yet another “unwritten truth” that many are aware of. The IT team has no control over how the laptop is used when outside the RPRT network.

Discussion with Priya Thomas – AVP, HR

- The HR team consists of 5 members taking care of recruitment and termination, employee engagement and soft-skills training.
- New hires join either straight out of campus or as laterals from other organizations.
- All employees are required to clear a background verification process in order to continue to work with Right Place. BG verification is outsourced to multiple vendors within India. Checks for criminal records, credit limit, employment history, education, etc. are done. The defined SLA is that BG verification must be completed within 1 month of the date of joining.
- Employee engagement and awareness sessions have been conducted in the past, but none have touched upon the aspects of information security.

With the above information, Philip set out to frame his risk assessment. Multiple follow-up discussions were held, consisting of visits to various teams, review of system configurations, walkthrough of physical security controls, etc. Two months later, Philip’s risk assessment report was tabled. Let’s find out how.
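Before the report itself, it helps to see the rating step Philip's plan depends on: each interview finding becomes a threat event with a likelihood and an impact, the two are combined on a qualitative scale, and the resulting risk level drives the "treat, terminate, tolerate, transfer" decision. The script below is an added illustration and is not the case study's report or the authors' workshop material. It uses the five-level likelihood × impact matrix in the shape of the SP 800-30 Rev. 1 Appendix I assessment scale (the exact cell values are reproduced as an assumption), the register entries are constructed from the interview findings with likelihood and impact ratings that are the example's own judgement, and the level-to-response mapping is an assumption rather than anything SP 800-30 prescribes.

```python
"""Qualitative risk rating in the style of NIST SP 800-30 Rev. 1 (Appendix I),
applied to the RPRT interview findings. Added example; register entries,
ratings and the response mapping are constructed for illustration."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Likelihood (row) x impact (column) -> risk level. Shape follows the SP 800-30
# Rev. 1 "level of risk" assessment scale; treat the exact cells as an assumption.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Default response per risk level in the case study's own vocabulary.
# This mapping is an assumption for the example, not an SP 800-30 rule.
RESPONSE = {
    "Very High": "treat",
    "High": "treat",
    "Moderate": "treat or transfer",
    "Low": "tolerate",
    "Very Low": "tolerate",
}


@dataclass(frozen=True)
class Finding:
    ref: str
    threat_event: str
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS


def rate(likelihood: str, impact: str) -> str:
    """Look up the risk level; reject scale values the matrix does not define."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def build_register(findings) -> list[tuple[str, str, str]]:
    """Return (ref, risk level, response) rows, highest risk first."""
    rows = []
    for f in findings:
        level = rate(f.likelihood, f.impact)
        rows.append((f.ref, level, RESPONSE[level]))
    return sorted(rows, key=lambda r: LEVELS.index(r[1]), reverse=True)


# Constructed register drawn from the interview findings. The likelihood and
# impact values are this example's judgement, not the case study's report.
FINDINGS = [
    Finding("R1", "Production data leaves the ODC via personal email/USB (no DLP)", "High", "Very High"),
    Finding("R2", "Shared admin password on all servers makes misuse untraceable", "High", "High"),
    Finding("R3", "Linux servers unpatched for 14 months are compromised", "Moderate", "High"),
    Finding("R4", "Credentials captured from clear-text Telnet/FTP on the network", "Moderate", "Moderate"),
    Finding("R5", "Fire in the UPS room goes undetected (failed smoke detectors)", "Low", "Very High"),
    Finding("R6", "Departed employee enters an ODC during the 3-7 day revocation lag", "Moderate", "Moderate"),
    Finding("R7", "Campus inundated by rain with no secondary site", "Low", "High"),
]

if __name__ == "__main__":
    names = {f.ref: f.threat_event for f in FINDINGS}
    for ref, level, response in build_register(FINDINGS):
        print(f"{ref}  {level:9}  {response:18}  {names[ref]}")
```

Two points are worth noticing when reading the output. A low-likelihood event with a very high impact (the UPS fire) lands only at "Moderate" on this scale, which is the intended behaviour of a likelihood × impact model and also why high-impact, low-frequency events deserve a separate look when the treatment plan is drawn up. And because the register is sorted by level, ties within a level keep their input order; a real report would break those ties with the organisation's own priority rule rather than leaving it to list order.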