Portfolio Project: Amechi Akpom

Risk Assessment & Security Audit

A NIST-Guided Case Study for “Nsequr Inc.”

This case study illustrates a streamlined risk assessment and security audit for a fictitious company, “Nsequr Inc.”

Guided by NIST SP 800-37 and NIST SP 800-53 frameworks, I address the company's vulnerabilities, focusing on e-commerce operations and adherence to regulations.

The case study covers identifying assets, formulating audit scope and goals, conducting a risk assessment and security audit, proposing crucial security controls, and communicating findings to stakeholders.

Scenario

Company Profile: The company, Nsequr Inc., is a mid-size company that deals in the production and sales of Internet of Things ("IoT") devices for home automation. Nsequr Inc. operates both in the United States and Europe with an e-commerce platform that allows for purchases from anywhere in the world.

Current Security Status: Nsequr Inc. has been operating without a strong focus on information security and compliance. They lack a formal information security program and do not comply with any recognized security standards or frameworks. Nsequr's online platform is maintained by a small in-house team, who have basic cybersecurity knowledge but no formal training or qualifications. Credit card payments are accepted and processed through the company website and stored in an in-house developed database. Personal data of customers (names, addresses, phone numbers, email addresses, payment information) from the U.S. and Europe are stored on the same server. The company has suffered several minor data breaches in the past that were addressed internally without sufficient incident response procedures.

Key Points for Risk Assessment, Audit, and Recommendations:

  1. Risk Assessment: Conduct a risk assessment considering the lack of formal cybersecurity structure and the previous data breaches. Use NIST SP 800-37's Guide for Applying the Risk Management Framework to Federal Information Systems to categorize the system and select and implement controls.

  2. Security Audit: Perform an internal security audit to identify gaps in compliance, using NIST SP 800-53's Security and Privacy Controls for Federal Information Systems and Organizations.

  3. Recommendations: Based on the findings of the risk assessment and security audit, make recommendations for security controls and regulatory compliance considerations.

Asset List

An "Asset List" is a comprehensive inventory of all of an organization's resources that are valuable to its operation and therefore need protection. This can include data, software, hardware, systems, and physical assets.

The asset list is a crucial component of the risk assessment process, as per NIST SP 800-37, because it allows the organization to identify where sensitive data resides and how it is processed, transmitted, and stored, guiding the appropriate security control selection from NIST SP 800-53.

Information Systems

  • E-Commerce Platform: The platform for online sales, including user accounts and payment systems.

  • In-house Developed Database: Stores customer data and payment information.

  • Customer Relationship Management (CRM) System: Manages interactions with current and potential customers.

  • Enterprise Resource Planning (ERP) System: Manages business processes, including inventory, purchasing, finance, and human resources.

Data

  • Customer Data: Personal identifiable information (PII), such as names, addresses, phone numbers, email addresses, and payment details.

  • Employee Data: Personal details of employees, including names, addresses, social security numbers, and payroll data.

  • Product Data: Details of all products sold by Nsequr Inc., including product specifications, pricing, and inventory data.

  • Business Data: Strategic business information, including marketing strategies, financial data, and business plans.

Hardware

  • Servers: Hosts the e-commerce platform, in-house developed database, CRM system, and ERP system.

  • Computers and Laptops: Used by employees for daily operations and business processes.

  • Network Devices: Routers, switches, and firewalls used for connecting and securing the company's network.

Software

  • Operating Systems: Various operating systems used on servers and employee computers/laptops.

  • Office Suite: Used for various business functions, including document creation, spreadsheets, and email communication.

  • Legacy System - Custom-Built Sales Reporting Software: This end-of-life software is still used in certain aspects of sales reporting and has not been updated or patched in several years due to its discontinued support.

Physical Assets

  • Warehouses: Locations where inventory is stored and managed.

  • Corporate Offices: Houses employees and contains physical IT infrastructure (servers, network devices, computers, etc.).

This list of assets forms the basis for the risk assessment and security audit, with each asset evaluated for potential risks and vulnerabilities. The legacy sales reporting software represents a particular challenge due to its end-of-life status, requiring a specialized approach to mitigate its security risks.

Audit Scope & Goals

In the context of this project, the "Audit Scope & Goals" refer to the boundaries and objectives of the risk assessment and security audit. They set the groundwork for the project by outlining which systems, assets, and processes will be examined and what the project aims to achieve.

According to NIST SP 800-37, establishing the scope and goals is an integral part of the preparatory phase of the risk management process, guiding the subsequent steps such as information system categorization, control selection, implementation, and assessment.

Introduction

This document outlines the scope and objectives of the security audit for Nsequr Inc. The audit is conducted following the standards and guidelines provided by NIST SP 800-53 and NIST SP 800-37.

Audit Scope

The scope of this audit includes all systems, processes, and assets that handle, process, store, and transmit information, particularly customer data and payment information. This scope will include, but is not limited to:

  • E-Commerce platform and related systems.

  • In-house developed database.

  • Customer Relationship Management (CRM) system.

  • Enterprise Resource Planning (ERP) system.

  • Legacy System - Custom-Built Sales Reporting Software.

  • All servers, computers, laptops, POS systems, and network devices.

  • Data including customer data, employee data, product data, and business data.

  • All physical assets, including warehouses and corporate offices.

Audit Goals

The goals of this audit are to:

  1. Assess Current Security Measures: Evaluate the effectiveness of the existing security controls and procedures in place.

  2. Identify Vulnerabilities: Identify any security weaknesses in the system that could be exploited by potential threats.

  3. Compliance Check: Determine Nsequr's compliance status with major applicable regulations, and identify any gaps and areas of non-compliance.

  4. Incident Response Evaluation: Assess the company's readiness to respond to security incidents, including data breaches.

  5. Risk Assessment: Identify and assess potential risks to the company's information systems and propose mitigation strategies.

  6. Recommendations: Provide recommendations for improvements to enhance the company's security posture and achieve compliance with applicable regulations.

Conclusion

The findings from this audit will be used to guide Nsequr's security strategy, ensure compliance with necessary regulations, and increase the overall security posture of the company. The primary objective is to protect Nsequr from potential security breaches and non-compliance penalties, while allowing the company to operate securely and effectively.

Risk Assessment

In NIST terms, a "Risk Assessment" is a process of identifying, estimating, and prioritizing risks to organizational operations and assets, individuals, and other organizations resulting from the operation and use of information systems.

As per NIST SP 800-37 and 800-53, the risk assessment process involves understanding the system's operational context, identifying potential threats and vulnerabilities, assessing the impact of potential adverse events, and determining overall risk. The findings from the risk assessment then guide the selection and tailoring of appropriate security controls.

System Categorization

System: Nsequr Inc's Information Systems

Description: These systems include Nsequr’s online platform, in-house developed database, customer data, and payment systems.

Categorization: High-impact system - As per FIPS 199 and NIST SP 800-37, the information system is categorized as 'High-impact', since any loss of confidentiality, integrity, or availability could have a severe adverse effect on Nsequr's operations, assets, or individuals.
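The categorization above follows the FIPS 199 high-water mark rule: each security objective takes the highest impact of any information type the system handles, and the system's overall category is the highest of the three. The script below, an added illustration rather than part of the case study, applies that rule to a constructed set of Nsequr information types; the C/I/A impact levels assigned to each type are assumptions made for the example, not values stated in the write-up.

```python
"""FIPS 199 security categorization by the high-water mark rule.

Added example, not part of the original case study. The information
types and their C/I/A impact levels are assumptions chosen to match the
Nsequr Inc. scenario (customer PII, cardholder data, product and business
data); they are not values given in the write-up.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {score: name for name, score in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def validate(level: str) -> str:
    """Reject anything outside the three FIPS 199 impact levels."""
    if level not in LEVELS:
        raise ValueError(f"impact level must be one of {sorted(LEVELS)}, got {level!r}")
    return level


def system_category(info_types):
    """Return ({objective: (level, [driving info types])}, overall level).

    For each objective the system inherits the highest impact of any
    information type it processes, stores or transmits; the overall
    categorization is the highest of the three objectives. Listing the
    driving types shows which data actually forces the 'high' rating.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    per_objective = {}
    for objective in OBJECTIVES:
        scores = {t.name: LEVELS[validate(getattr(t, objective))] for t in info_types}
        top = max(scores.values())
        drivers = sorted(name for name, score in scores.items() if score == top)
        per_objective[objective] = (NAMES[top], drivers)
    overall = NAMES[max(LEVELS[level] for level, _ in per_objective.values())]
    return per_objective, overall


# Constructed information types for the Nsequr e-commerce system (assumptions).
NSEQUR_INFO_TYPES = [
    InfoType("customer PII (GDPR)", "high", "moderate", "moderate"),
    InfoType("cardholder data (PCI DSS)", "high", "high", "moderate"),
    InfoType("product catalogue", "low", "moderate", "moderate"),
    InfoType("business plans", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    objectives, overall = system_category(NSEQUR_INFO_TYPES)
    for objective, (level, drivers) in objectives.items():
        print(f"{objective:16s} {level.upper():9s} driven by: {', '.join(drivers)}")
    print("Overall categorization:", overall.upper())
```

With these assumed inputs the cardholder data alone is enough to push integrity to high, which is the kind of finding that justifies prioritising PCI DSS controls over, say, availability measures for the product catalogue.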

System and Communication Protection

Risks: The lack of a formal cybersecurity structure, the in-house team's basic security knowledge, and the minor past data breaches indicate a high probability of successful cyber attacks that could result in the compromise of sensitive customer and payment data.

Access Control

Risks: Without proper access controls, there is a high risk of unauthorized access to the system, which could result in data theft or manipulation.

Incident Response

Risks: The lack of proper incident response procedures could result in prolonged system downtime and greater data loss in the event of a security incident.

Payment Card Information Protection

Risks: Inadequate protection of credit card information exposes Nsequr to potential financial theft and non-compliance penalties under PCI DSS (Payment Card Industry Data Security Standard).

Personal Data Protection

Risks: Nsequr sells products online to customers in the European Union. Non-compliance with GDPR (General Data Protection Regulation) could lead to significant fines and damage to the company's reputation.

Risk Acceptance

Due to the high impact categorization and the potential for significant operational, reputational, and financial damage, it is recommended that Nsequr Inc. take immediate action to mitigate these risks rather than accept them.

Conclusion

Nsequr Inc. is at high risk due to its lack of information security practices and non-compliance with GDPR and PCI DSS. Immediate action must be taken to implement a robust cybersecurity framework, incident response plan, and meet GDPR and PCI DSS compliance requirements. The steps taken towards risk mitigation should be documented and monitored continuously for effectiveness.

Security Audit

A "Security Audit" is a comprehensive review of an organization's adherence to regulatory guidelines and its effectiveness in protecting its assets. It involves evaluating security controls, processes, and policies, checking for vulnerabilities, and identifying areas of non-compliance.

NIST SP 800-37 recommends security audits as part of ongoing risk management to ensure security controls are effective and continue to be so in a changing operational environment.

The audit was performed using the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations. The key focus areas of the audit were:

  1. Access Control (AC): There is a significant lack of user authentication and authorization controls. No role-based access controls are in place, allowing any internal user unrestricted access to sensitive customer data and payment information.

  2. Configuration Management (CM): The company does not have a formal process for managing system configurations. Patches and system updates are irregular and not well-documented, leading to potential system vulnerabilities.

  3. Incident Response (IR): The company lacks an incident response plan. Previous minor data breaches were handled without proper procedures, indicating a lack of preparedness for future incidents.

  4. Risk Assessment (RA): There has been no formal risk assessment conducted on the company's information systems, making it difficult to understand the company's risk profile and implement appropriate security controls.

  5. System and Communications Protection (SC): The company's systems do not implement secure communication protocols. Customer data and payment information are transmitted over unencrypted connections, posing a risk of data interception.

  6. System and Information Integrity (SI): There are no mechanisms in place to verify the integrity of data within the company's systems. Data could be altered or deleted without detection.

Based on these findings, it is evident that Nsequr Inc.'s current security posture is significantly lacking. To address these deficiencies, it is recommended that Nsequr Inc. implement a formal information security program, including role-based access controls, regular system updates and patching, an incident response plan, a formal risk assessment, encrypted connections, and data integrity checks. Additionally, the company must work towards achieving compliance with GDPR and PCI DSS to avoid penalties and protect sensitive customer data.

Stakeholder Memorandum

The "Stakeholder Memorandum" is a communication tool used to inform the key stakeholders of the findings from the risk assessment and security audit. It includes key risks identified, critical security gaps, the impact of these findings on the organization, and recommended actions for mitigating the risks.

NIST SP 800-37 suggests that effective communication with stakeholders is crucial for ensuring that security risks are understood and acted upon, and the proposed security controls are effectively implemented.

Subject: Urgent Need for Strengthened Information Security Measures and Regulatory Compliance

Dear Stakeholders,

Following a risk assessment and security audit of Nsequr Inc.'s operations, it's become evident that immediate actions are necessary to improve our security posture and ensure compliance with regulatory frameworks.

Audit Overview

The audit was conducted based on the NIST SP 800-53 and NIST SP 800-37 guidelines, with particular attention to GDPR and PCI DSS compliance. A broad range of assets was considered, including our e-commerce platform, CRM and ERP systems, in-house database, legacy systems, data, hardware, and physical assets.

The absence of a formal information security program exposes Nsequr to a wide range of risks, including potential data breaches and non-compliance penalties. Given our global reach and the diverse markets we serve, it is imperative that we prioritize implementing robust security measures in line with the NIST frameworks.

Critical Findings

Several critical issues demand immediate attention:

  1. Access Control: Our current system lacks role-based access controls, posing significant risks to our customer and business data. Any internal user can gain unrestricted access to sensitive data, including payment information.

  2. Legacy System: Our legacy sales reporting software, which has reached its end-of-life status, continues to play a role in sales reporting. This software has not been updated or patched in several years, leaving us vulnerable to potential security breaches.

  3. GDPR and PCI DSS Non-compliance: Our operations are not compliant with these regulations, posing the risk of substantial financial penalties and reputational damage.

Findings

Other findings that warrant our attention include:

  1. Incident Response: We lack a structured incident response plan, leaving us unprepared for future security incidents.

  2. System and Communications Protection: Our systems do not implement secure communication protocols, risking interception of customer data during transmission.

  3. Configuration Management: Patches and system updates are irregular and not well-documented, leading to potential system vulnerabilities.

Recommendations

To address these risks, we propose immediate action:

  1. Implement Role-Based Access Controls: Enhance security by ensuring that users can only access data necessary for their role.

  2. User Authentication: Implement strong user authentication and conduct regular audits of access logs.

  3. Upgrade or Replace Legacy System: Investigate options to replace the end-of-life sales reporting software with a modern, supported system that meets our needs and maintains data security.

  4. Achieve GDPR Compliance: Implement necessary measures to comply with GDPR, such as data minimization, obtaining explicit consent for data collection, and 'right to be forgotten' procedures.

  5. Achieve PCI DSS Compliance: Implement necessary measures to comply with PCI DSS requirements, particularly encrypting cardholder data, implementing secure systems, and maintaining an Information Security Policy.

  6. Develop an Incident Response Plan: Follow guidelines from NIST SP 800-61 to develop an incident response plan to identify, respond to, and recover from security incidents effectively.

  7. Secure Communication Protocols: Implement encrypted connections for all data transmission, deploy firewalls, and establish a secure network architecture.

  8. Improve Configuration Management: Regular system updates and patching should be carried out, and a formal process should be established to manage and document system configurations.

My primary objectives are to ensure the protection of Nsequr Inc’s valuable assets, maintain customer trust, and avoid non-compliance penalties. I request your support and cooperation in improving our security posture and regulatory compliance.