IT Security

About This Presentation

Title: IT Security

Description: IT Security. Julie Schmitz, James Mote, Jason Tice. Agenda: Overview of basic IT security; Human Resources Command-St. Louis; Inside Financing; Recommendations and Best Practices. PowerPoint PPT presentation.

Slides: 103
Provided by: JasonT158
Learn more at: https://www.umsl.edu


Transcript and Presenter's Notes

Title: IT Security


1
IT Security
  • Julie Schmitz
  • James Mote
  • Jason Tice

2
Agenda
  • Overview of basic IT security
  • Human Resources Command-St. Louis
  • Inside Financing
  • Recommendations and Best Practices
  • Closing and questions

3
IT Security Defined
  • Broadly speaking, security is keeping anyone
    from doing things you do not want them to do to,
    with, or from your computers or any peripherals
  • -William R. Cheswick

4
IT Security Overview
  • Intruders: hackers and crackers
  • Insiders (see the fraud case at Financing)
  • Criminals
  • Online scam artists
  • Terrorists

5
IT Security Overview
  • Hacker
  • Person who enjoys exploring the details of
    programmable systems and how to stretch their
    capabilities
  • Hackers tend to view themselves as very
    knowledgeable computer programmers, sometimes to
    the point of arrogance
  • A true hacker will look for weaknesses in a system
    and publish them

Source FBI Cyber Task Force
6
IT Security Overview
  • Cracker
  • One who breaks security on a target computer
    system
  • The term was coined by hackers around 1985 in
    defense against the journalistic misuse of the
    term hacker
  • Tend to never disclose their findings

Source FBI Cyber Task Force
7
Hackers or Crackers?
8
How Does a Hacker Affect You?
  • Michael Buen and Onel de Guzman
  • Both were suspected of writing the "I Love You"
    virus (released May 2000)
  • David L. Smith
  • Melissa virus author
  • Released March 26, 1999
  • Caused an estimated $80 million in damages

Source FBI Cyber Task Force
9
IT Security at your Office
  • Social Engineering
  • Denial of service attacks (DoS)
  • E-mail bombs
  • Password cracking
  • Web spoofs
  • Trojan, worm, virus attacks
  • Antivirus tools

Source FBI Cyber Task Force
10
Social Engineering
  • A con game played by computer literate criminals
  • Works because people are the weakest link in any
    security system

Source FBI Cyber Task Force
11
Denial of Service
  • Prevents legitimate users from using a computer
    service.
  • One type of DoS attack floods a targeted server
    with phony connection or authentication requests,
    keeping it so busy answering them that legitimate
    users are locked out (the SYN flood is the classic
    example)
  • Ping floods, which exhaust bandwidth with ICMP
    echo requests
  • DDoS attacks, which use many compromised computers
    to launch a coordinated DoS attack against one
    target

Source FBI Cyber Task Force
12
Email Bombs
  • A type of denial of service attack
  • Email bombs involve sending enormous amounts of
    email to a particular user, in effect shutting
    down the email system
  • Many spammers fall victim to this type of attack
  • No need to send the email manually: downloadable
    programs will do it for you

Source FBI Cyber Task Force
13
Password Cracking
  • Involves repeatedly trying common passwords
    against an account (online guessing) or against
    a stolen copy of the password file (offline
    cracking) in order to log into a computer system
  • Freely available cracking programs facilitate
    this process; short or dictionary-based passwords
    fall in seconds

Source FBI Cyber Task Force
14
Web Spoofing
  • Faking the origin of a web site
  • The attacker creates a false or shadow copy of a
    reputable web site; all network traffic between
    the victim's browser and the shadow page is sent
    through the attacker's machine
  • Allows the attacker to acquire information such
    as passwords, credit card numbers, and account
    numbers

Source FBI Cyber Task Force
15
What Should Have Been Displayed
16
What was Displayed
17
Trojan, Worm, and Virus
  • A Trojan program does not propagate itself from
    one computer to another
  • A Worm reproduces ITSELF over a network, with no
    user action required
  • A Virus, like its biological counterpart, attaches
    to a host (a program, document, or e-mail) and
    looks for ways to infect other systems or replicate
    itself (e.g., via e-mail)

Source FBI Cyber Task Force
18
Trojans
  • Trojans are malicious files masquerading as
    harmless software upgrades, programs, help files,
    screen savers, pornography, etc.
  • When the user opens the file, the Trojan horse runs
    in the background and can damage the computer
    system (corrupt the hard drive, give the attacker
    total remote access, capture usernames and
    passwords)

Source FBI Cyber Task Force
19
TrojanControl
20
Virus
  • A program that replicates without being asked to
  • Copies itself to other computers or disks
  • Huge threat to companies

Source FBI Cyber Task Force
21
Antivirus Tools
  • Any hardware or software designed to stop
    viruses, eliminate viruses, and/or recover data
    affected by viruses
  • AV tools refer to software systems deployed at
    the desktop or on the server to eliminate
    viruses, worms, trojans, and some malicious
    applets
  • Should be used as part of a security policy

Source FBI Cyber Task Force
22
After the Incident
  • Identify means to avoid another attack
  • Download latest patches
  • Repair compromised systems
  • Re-educate users
  • Run anti-virus software
  • Stay alert for signs the intruder is still in
    your system
  • Log traffic data

Source FBI Cyber Task Force
23
Security Budget
24
The Facts on IT Security Budgets
  • 62 percent of technology officers feel no
    pressure to increase spending this year
  • 40 percent of their budgets will go toward
    preventing existing machinery from breaking
  • Systems security tends to go unfixed until proven
    broken
  • A simple firewall has become the ultimate
    security commodity
  • Don't use ROI to set the IT security budget

Source FBI Cyber Task Force
25
Source Federal Bureau of Investigation /
Computer Security Institute, http://www.gocsi.com
- viewed 11/4/2004
26
I.T. SECURITY BRIEF - HUMAN RESOURCES COMMAND ST. LOUIS
27
Human Resources Command-St. Louis Historical Timeline
  • First established in 1944 at 4300 Goodfellow
  • First known as the Demobilized Personnel Records
    Branch after WWII
  • In 1956, moved to its present location, 9700 Page
  • In 1971, Reserve Components Personnel Center at
    Ft. Benjamin Harrison merged with St. Louis
  • In 1985, Army Reserve Personnel Center (ARPERCEN)
    was formed.
  • In 2003, organization was renamed to Human
    Resources Command (HRC)

Source https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
28
Human Resources Command (HRC) St. Louis Overview
  • Supports or conducts the Human Resources Life
    Cycle for over 1.5 million customers
  • Workforce comprised of over 65 civilians, 30
    Active Guard-Reserve soldiers, 5 Active
    Component soldiers
  • Of the military workforce, most officers are
    Majors (O-4); most non-commissioned officers are
    Sergeants First Class (E-7s)
  • 65-acre facility located off Page Avenue
  • Total of Nine Directorates

Source https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
29
Human Resources Command (HRC) Mission Statement
  • To provide the highest quality human resources
    life cycle management in the functional areas of
    structure, acquisition, distribution,
    development, deployment, compensation,
    sustainment and transition for all Army Reserve
    Soldiers, resulting in a trained and ready force
    in support of the national military strategy.
  • To provide human resource services to our retired
    reserve and veterans.

Source https://www.2xcitizen.usar.army.mil/2xhome.asp - viewed 11/1/2004
30
Information Assurance Office
  • Information Assurance Manager (IAM), rank Major
  • Assistant IAM, rank Captain
  • IA Noncommissioned Officer (IANCO), rank Master
    Sergeant
  • Deputy IAM, civilian (GS-13)
  • Information Technology Security Specialist,
    civilian (GS-12)
  • Information Technology Security Specialist,
    civilian (GS-11)
  • Information Technology Security Specialist,
    civilian (GS-11)
Source Information Assurance Office, Human
Resources Command, St. Louis
31
Information Assurance Manager Duties
  • Major: responsible for overall IT security
  • Captain: drafts and submits policy
  • Master Sergeant: verifies security clearances;
    training; account requests
  • GS-13: updates and patches; ACERT (Army Computer
    Emergency Response Team) compliance
  • GS-12: System Security Authorization Agreement;
    Networthiness Certification
  • GS-11: investigations; computer forensics; backup
    for updates and patches
  • GS-11: backup for computer forensics; training;
    account requests; verifies security clearances
Source Information Assurance Office, Human
Resources Command, St. Louis
32
Information Assurance Defined
  • The protection of systems and information in
    storage, processing, or transit from unauthorized
    access or modification, and against denial of
    service to authorized users or the provision of
    service to unauthorized users
  • Also includes those measures necessary to detect,
    document, and counter such threats
  • This regulation designates IA as the security
    discipline that encompasses COMSEC, INFOSEC, and
    control of compromising emanations (TEMPEST)

Source Army Regulation (AR) 25-2
33
Information Assurance Organization
  • Chief Information Officer, U.S. Army Reserve
    Command, Atlanta, Georgia
  • Information Assurance Officers, 11 Regional
    Support Commands
  • Information Assurance Officer, Human Resources
    Command-St. Louis
Source Information Assurance Office, Human
Resources Command, St. Louis
34
In Order to Gain System Access
  • All Military must have a Security Clearance
  • Some civilians must have Security Clearance
  • Other civilians must have at least a National
    Agency Check (NAC)
  • All employees must submit a request for system
    access

Source Information Assurance Office, Human
Resources Command, St. Louis
35
Common End User Problems
  • Pornography
  • Running businesses
  • Unauthorized use of illegal software
  • Sharing of logons/passwords

Source Information Assurance Office, Human
Resources Command, St. Louis
36
What Happens If You Get Locked Out?
  • Go to your local Information Management
    personnel assigned to serve your directorate

Source Information Assurance Office, Human
Resources Command, St. Louis
37
Main Concerns of IT Security
  • Information security training
  • Purchasing automation equipment without
    authorization
  • Computers left on 24/7
  • Having a qualified Information Assurance Manager
    that is strict
  • Knowledge of the system

Source Information Assurance Office, Human
Resources Command, St. Louis, MO; Information
Assurance Officer, 63rd Regional Readiness
Command, Los Alamitos, California
38
Anti-Virus Activity
[Chart: viruses stopped at the gateway versus stopped at the desktop; 45,000 stopped in April]
Source Information Assurance Office, Human
Resources Command, St. Louis
39
Probes and Scans Against Network
  • 135,000 YTD
Source Information Assurance Office, Human
Resources Command, St. Louis
40
Computer Security Model
  • Bell-LaPadula Model
  • Formulated in 1973 by David Bell and Leonard
    LaPadula at MITRE for the U.S. Department of
    Defense
  • Provides a framework for handling data of different
    classifications: a subject may not read data
    classified above its clearance (no read up) and
    may not write data to a level below its clearance
    (no write down)
  • Known as a multilevel security system
  • One of the earliest and most famous computer
    security models

Source Information Assurance Office, Human
Resources Command, St. Louis;
http://infoeng.ee.ic.ac.uk/malikz/surprise2001/spc99e/article2 -
viewed 11/6/2004
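
The two Bell-LaPadula rules in working form, as an added example that is not part of the presentation or of HRC's systems. The classification ladder, the compartment names and the sample subjects and objects are assumptions made for the illustration:

```python
"""Bell-LaPadula access checks (added example, not from the presentation).

Subjects and objects carry a label: a hierarchical classification plus a set
of compartments.  Label A dominates label B when A's classification is at
least B's and A's compartments are a superset of B's.  The two mandatory rules:
  * simple security property (no read up): a subject may read an object only
    if the subject's label dominates the object's label;
  * *-property (no write down): a subject may write an object only if the
    object's label dominates the subject's label.
The level names and the sample labels are assumptions for this example.
"""
from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """True when this label is at least as restrictive as `other`."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property: no write down, so information only flows upward."""
    return obj.dominates(subject)


def check_access(subject, obj, mode):
    """Mandatory access decision for mode "r", "w" or "rw".

    "rw" is only possible when both labels dominate each other, i.e. are equal.
    """
    decisions = {"r": can_read, "w": can_write,
                 "rw": lambda s, o: can_read(s, o) and can_write(s, o)}
    return decisions[mode](subject, obj)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"PERSONNEL"}))
    roster = Label("CONFIDENTIAL", frozenset({"PERSONNEL"}))
    ts_plan = Label("TOP SECRET")
    public = Label("UNCLASSIFIED")
    print(check_access(analyst, roster, "r"))   # reading down is allowed
    print(check_access(analyst, ts_plan, "r"))  # no read up
    print(check_access(analyst, public, "w"))   # no write down
    print(check_access(analyst, ts_plan, "w"))  # writing up is permitted
```

The model says nothing about integrity: the SECRET analyst above may append to a TOP SECRET object it cannot read, which is why real systems pair BLP with discretionary controls or an integrity model.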
41
Information Unable to Obtain
  • IT Security Budget
  • Business Policy Procedures
  • Outsource IT providers information

Source Information Assurance Office, Human
Resources Command, St. Louis
42
Security challenges at Financing from the CIO's
perspective
43
Financing Background Info
  • Financing is one of the largest domestic
    providers of inventory floor financing for
    several different industrial channels.
  • Recent focus to use IT to reduce business costs
    by processing transactions online.
  • IT operates 5 different customer facing
    applications handling in excess of 4 billion
    dollars in transactions monthly.

Source Interview and personal comments from
Financings CIO October 2004
44
Case Study Research Method
  • Interviewed CIO to gain their different
    perspectives on IT security and business.
  • Interview lasted approximately 2 hours and
    consisted of 15 questions.
  • Subsequent discussion based on what CIO said were
    issues of highest concern.

Source Interview and personal comments from
Financings CIO October 2004
45
Most Pressing Security Concerns
  • Eliminating bad user practices
  • Measures to prevent security breaches
  • Ability to quickly recover from security failures
    / breaches
  • Impact of compliance with SOX regulations

Source Interview and personal comments from
Financings CIO October 2004
46
Security Specifics
  • No specific line item budget amount.
  • Security costs are encompassed in other budget
    items, such as system development testing, data
    center operations, etc.
  • No dedicated resources focusing solely on
    security.
  • Security related activities fall under
    responsibility of existing IT staff.

Source Interview and personal comments from
Financings CIO October 2004
47
Security ChallengesEnd User Security
  • "Security is a 50/50 proposition. A system can
    be perfectly secure; however, if users don't
    properly use the provided security features, then
    there might as well be no security at all."
  • -Anonymous

49
End User Security: Typical Financing User
  • Non-technology-savvy office clerks and
    bookkeepers.
  • No on-site IT support to maintain individual
    system security.
  • Many dealers have broadband access without
    firewall protection.
  • What is so risky about this???

Source Interview and personal comments from
Financings CIO October 2004
51
End User Security: Typical Financing User (2)
  • Known problems with spyware and viruses.
  • Account reps reported seeing multiple users post
    their username and password in plain view in
    their offices.
  • Poor password selection by users is consistently
    cited as one of the top three IT security issues.

Source Interview and personal comments from
Financings CIO October 2004; Cupps, John, "How To
Identify and Contain Some of the Information
Security Problems Created By Unique Business
Environments",
http://www.sans.org/rr/whitepapers/casestudies/666.php
viewed 11/3/2004
52
Password Survey
53
Password Survey
  • Sit down if you change your password once a week.
  • Put your hand down if your password has both
    letters and numbers in it.

Password Security Level Strong
54
Password Survey
  • Sit down if you change your password every month.
  • Put your hand down if your password is NOT a word
    in the dictionary.

Password Security Level Good
55
Password Survey
  • Sit down if you change your password only a few
    times each year.
  • Put your hand down if you use the SAME password
    on multiple systems.

Password Security Level Weak
56
Password Survey
  • Sit down if you NEVER change your password.
  • Put your hand down if your password is simply
    part of your name or username.

Password Security Level Poor
57
Bad Habits are Hard To Break
  • Use familiar words, names that can be easily
    guessed.
  • Use a password that is too short, therefore fewer
    characters to guess / crack.
  • Use the same password on multiple systems.
  • Do not change password regularly.
  • Share passwords with others.
  • Post passwords somewhere around their computer.

58
Need for Strong Passwords
  • "Today's computers are capable of trying millions
    of word variations per second and often can guess
    a good number of passwords in less than a minute."
  • - Rob Lemos

Source Lemos, Rob, "Hackers can crack most in
less than a minute", http://news.com.com/Passwords
Theweakestlink/2009-1001_3-916719.html viewed
10/27/2004
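
The attack behind the "Password Cracking" slide and the speed claim quoted above, as an added example that is not from the presentation or the cited article. The "leaked" hash file, the wordlist and the mangling rules are constructed for the illustration; real cracking tools run the same loop over millions of words:

```python
"""Dictionary attack against a stolen password-hash file (added example, not
from the presentation).  LEAKED_HASHES is a constructed credential store:
four accounts with unsalted SHA-1 hashes of their passwords.  The cracker
hashes every word in a small wordlist plus the variants cracking tools derive
from it (capitalisation, leet substitutions, appended digits and years) and
reports every account whose hash matches.
"""
import hashlib
import itertools

# Constructed "leaked" store: username -> hex SHA-1 of the password.
LEAKED_HASHES = {
    "jsmith":  hashlib.sha1(b"password1").hexdigest(),
    "bkeeper": hashlib.sha1(b"Welcome2004").hexdigest(),
    "dealer7": hashlib.sha1(b"p@$$w0rd").hexdigest(),
    "cio":     hashlib.sha1(b"xK9#mQ2vL7pR").hexdigest(),  # random, not in any list
}

# Stand-in for a wordlist; real tools ship millions of entries.
WORDLIST = ["password", "welcome", "letmein", "summer", "dealer", "finance"]

LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def mangle(word):
    """Yield the candidate passwords a cracking tool derives from one base word."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        yield base
        yield base + "!"
        for digit in range(10):            # one appended digit
            yield f"{base}{digit}"
        for year in range(1990, 2010):     # appended year
            yield f"{base}{year}"


def crack(hashes, wordlist):
    """Return {username: recovered_password} for every hash a wordlist search finds."""
    # Index accounts by hash so each candidate is hashed once, however many accounts.
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    candidates = itertools.chain.from_iterable(mangle(w) for w in wordlist)
    for candidate in candidates:
        digest = hashlib.sha1(candidate.encode()).hexdigest()
        for user in by_hash.get(digest, []):
            found[user] = candidate
        if len(found) == len(hashes):      # everything recovered, stop early
            break
    return found


if __name__ == "__main__":
    for user, password in crack(LEAKED_HASHES, WORDLIST).items():
        print(f"{user}: {password}")
```

Three of the four accounts fall to a six-word list because their passwords are dictionary words with the usual decorations; the random 12-character one does not. Two defences follow: a salted, deliberately slow hash (bcrypt or similar) raises the cost of every guess, and account lockout limits online guessing, which is why trying "common passwords against an account" is far slower than cracking a stolen hash file.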
59
Improving Passwords at Financing
  • 8 Month project to consolidate and enhance
    application passwords
  • Start November 2003, End May 2004
  • Completed as a Green Belt project for 2 business
    and 2 IT project managers

Source Interview and personal comments from
Financings CIO October 2004
60
Before consolidation . . .
[Diagram: five separate application databases (DB), each with its own logon and password store]
  • 3 applications only required a password with 3
    characters.
  • Only 1 application had users change their
    password annually.
  • Users could only reset their password by calling
    the support center.

61
After consolidation . . .
Single Sign On
  • 5 distinct applications now use a Single Sign On
    process.
  • All applications share 1 common authentication
    source and logon process.

62
User Benefits
  • Only have to remember 1 password for all 5
    applications.
  • Once logged into one application, can jump right
    into other application.
  • Navigation of applications is now much easier for
    users.

Source Interview and personal comments from
Financings CIO October 2004
63
The Big Question ???
  • Did the project Do The Right Thing?
  • -or-
  • Did the project Do The Thing Right?

64
Was The Right Thing . . .
  • Enabling Single Sign On was the right thing to
    do only because it was implemented in conjunction
    with new password rules, recommended by IBM:
  • Password must be between 8 and 12 characters.
  • Password must have at least 1 number in it.
  • Password cannot contain elements of the user's
    name, company, address, or email address.
  • New passwords must be different from the prior 12
    passwords.
  • New passwords cannot contain more than 6 repeated
    characters from the last password.
  • Passwords must be changed every 90 days.
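
The six rules above as a validator, an added example that is not Financing's code. The user-record field names, the plain-text password history (a real system keeps hashes and compares hashes) and the reading of "more than 6 repeated characters" as characters the new and last passwords have in common are assumptions:

```python
"""Validator for the six password rules Financing adopted with Single Sign On
(added example, not the company's code).  The user-record field names, the
plain-text password history and the interpretation of rule 5 as "characters
the new and last password have in common" are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 8, 12
HISTORY_DEPTH = 12            # rule 4: differ from the prior 12 passwords
MAX_SHARED_CHARS = 6          # rule 5: at most 6 characters carried over
MAX_AGE = timedelta(days=90)  # rule 6: change every 90 days


def personal_tokens(user):
    """Fragments of name, company, address and e-mail that may not appear (rule 3)."""
    tokens = set()
    for key in ("first_name", "last_name", "company", "address", "email"):
        text = user.get(key, "").replace("@", " ").replace(".", " ")
        tokens.update(t.lower() for t in text.split() if len(t) >= 3)
    return tokens


def shared_chars(new_pw, old_pw):
    """Characters the two passwords have in common, counted with multiplicity."""
    return sum((Counter(new_pw) & Counter(old_pw)).values())


def validate(new_pw, history, user):
    """Return the list of rules the candidate violates; [] means accepted.

    `history` lists the user's previous passwords, newest first.
    """
    problems = []
    if not MIN_LEN <= len(new_pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isdigit() for c in new_pw):
        problems.append("must contain at least one number")
    hits = sorted(t for t in personal_tokens(user) if t in new_pw.lower())
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if new_pw in history[:HISTORY_DEPTH]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if history and shared_chars(new_pw, history[0]) > MAX_SHARED_CHARS:
        problems.append(f"reuses more than {MAX_SHARED_CHARS} characters of the last password")
    return problems


def password_expired(changed_at, now):
    """Rule 6: True when the password (ISO-8601 dates) is older than 90 days."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(changed_at) > MAX_AGE


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    user = {"first_name": "Jane", "last_name": "Keeper", "company": "Acme Motors",
            "address": "12 Main St", "email": "jane.keeper@acme-motors.example"}
    for candidate in ("Tr4ckLoan9x", "keeper2004", "Summer2004"):
        print(candidate, validate(candidate, ["Summer2003"], user) or "accepted")
```

One point the slide does not make: once five applications share a credential, that one password unlocks everything, so the posted-note habit from the earlier slides becomes five times as costly. The expiry check is kept separate so the logon path can run it before accepting a password that passes the other rules.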

65
Additional Benefit
  • Enhanced applications to allow users to reset
    their password online if they forgot it.
  • This eliminated nearly 200 calls per month to the
    application support center.

Source Interview and personal comments from
Financings CIO October 2004
66
Results of Project
  • Application security improved through enforcing
    strong password rules.
  • Users initially complained about having to
    remember a more complicated password; however,
    these complaints were short-lived once users
    realized they only had to remember a single
    password for all 5 applications.
  • Call center costs reduced by eliminating calls
    from users who had forgotten their password.

Source Interview and personal comments from
Financings CIO October 2004
67
Further Enhancing Security
  • IT Department publishes articles focusing on
    security in monthly newsletter to customers.
  • Currently considering modifying the Single Sign
    On system to use security key validation.

Source Interview and personal comments from
Financings CIO October 2004
68
Security Challenges: Preventing Breaches
  • Technology Use to Enhance On-Line Security
  • All user application traffic is transported using
    SSL encryption.

Source Interview and personal comments from
Financings CIO October 2004
69
Encryption Explained
[Diagram: the browser and the server each hold the key. "My Credit Card, My Address, My Phone Number" leaves the browser, crosses the Internet as ciphertext such as "Jdhd923k Jdss938jds djdskzyu", and is decrypted back to the original at the server.]
70
Safety of Encryption ???
  • True or False
  • Encryption prevents all third parties from
    intercepting transactions?

71
The Answer is False . . .
  • In reality, a third party could determine the
    correct key and decode the encrypted transactions
    if given enough time.
  • The time and effort to crack a 128-bit key by
    brute force (on average half of 2^128 trials) is so
    large, given the limited power of computing
    technology, that encrypted data is considered
    secure: the cost to crack the encryption outweighs
    the potential gain.
  • Encryption protects data only while it is in
    transit; it does nothing for a password posted on
    a monitor or captured by spyware on the user's
    workstation.

72
IT Infrastructure Security
  • IT resources for applications are geographically
    separated across country.
  • Applications are run on multiple server clusters.
  • If a single server goes down, other servers in
    the cluster can immediately take over the load
    from the down server.

Source Interview and personal comments from
Financings CIO October 2004
73
Application Monitoring
  • Impossible to predict when a system breach or
    system outage may occur.
  • IT cannot react to a situation until it has
    occurred.
  • Staff needs to be informed as soon as possible
    when an outage occurs to reduce downtime.
  • Fast disaster reaction time is made possible
    through 24 / 7 application monitoring.

Source Interview and personal comments from
Financings CIO October 2004
75
Application Monitoring (2)
  • All applications are monitored by a third party
    software tool run from multiple locations.
  • Question Why must the monitoring tool be run
    from multiple locations?
  • Answer: To ensure that the application is being
    monitored even if one of the locations crashes.

Source Interview and personal comments from
Financings CIO October 2004

76
Key Components of Monitoring
  • The monitoring tool confirms that the application is
    up and running and can be accessed by customers.
    It simulates the same actions as if a user connected
    to the application through their own web browser.
  • Since the monitoring tool is acting like a user,
    it is often called a robot.
  • The monitoring tool accesses the application and
    invokes the most frequently used traffic flows
    and transactions performed by users.
  • The response time for each traffic flow and
    transaction is recorded.

77
Preventing System Outages
  • Each robot reports transaction times to a central
    database.
  • A system alarm is sounded if any transaction time
    slows beyond a predetermined limit.
  • Slow transactions point to a possible system
    problem that needs to be investigated further,
    possibly caused by a Denial of Service attack, or
    a hardware problem (broken disk, failed
    memory/processor, etc).

78
Benefits of System Monitoring
  • Reduce application downtime by proactively
    responding to problems before they cause a system
    outage.
  • Allow for High Availability Service Level
    Agreements.
  • Quickly determine if reported system outages are
    caused by network connectivity problems as
    opposed to application problems.

Source Interview and personal comments from
Financings CIO October 2004
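
The robot, central store and alarm described in the three slides above, as an added example rather than the third-party tool Financing runs. Transaction names, limits and the probe readings are constructed; counting how many probe sites saw a breach is the check that delivers the "network versus application" benefit on the last slide:

```python
"""Synthetic-transaction monitoring with probes at several locations (added
example, not the third-party tool Financing runs).  Each robot reports the
response time of a scripted transaction to a central store; a transaction
that exceeds its limit raises an alarm.  Counting how many probe sites saw
the breach separates an application-side problem (slow from everywhere)
from a network problem near one probe site (slow from that site only).
Transaction names, limits and the readings below are constructed.
"""
from collections import defaultdict

# Per-transaction response-time limits in milliseconds (assumed SLA figures).
LIMITS_MS = {"login": 2000, "account_summary": 3000, "post_payment": 5000}

# Constructed robot reports: (probe location, transaction, response ms);
# None means the robot got no response at all.
REPORTS = [
    ("chicago", "login",            850),
    ("chicago", "account_summary", 1200),
    ("chicago", "post_payment",    4100),
    ("dallas",  "login",            900),
    ("dallas",  "account_summary", 1300),
    ("dallas",  "post_payment",    7600),
    ("seattle", "login",           6100),
    ("seattle", "account_summary", 7900),
    ("seattle", "post_payment",    9800),
]


def evaluate(reports, limits=LIMITS_MS, min_locations=2):
    """Classify every transaction from the latest round of robot reports.

    Returns {transaction: {"status": ..., "slow_at": [locations]}} where status is
      "ok"           every probe site within its limit;
      "network?"     breached from fewer than `min_locations` sites, so suspect
                     the path from those sites before the application;
      "application"  breached from `min_locations` or more sites: investigate
                     the servers (DoS, failed disk or memory, overloaded
                     cluster member) and page the on-call staff.
    A missing reading (None) counts as a breach.
    """
    by_txn = defaultdict(dict)
    for location, txn, ms in reports:
        by_txn[txn][location] = ms
    verdicts = {}
    for txn, readings in by_txn.items():
        limit = limits[txn]
        slow = sorted(loc for loc, ms in readings.items()
                      if ms is None or ms > limit)
        if not slow:
            status = "ok"
        elif len(slow) >= min_locations:
            status = "application"
        else:
            status = "network?"
        verdicts[txn] = {"status": status, "slow_at": slow}
    return verdicts


if __name__ == "__main__":
    for txn, verdict in evaluate(REPORTS).items():
        slow = ", ".join(verdict["slow_at"]) or "-"
        print(f"{txn:16} {verdict['status']:12} slow at: {slow}")
```

With the constructed readings, login and account_summary are slow only from Seattle (a connectivity problem near that probe), while post_payment is slow from two of three sites, which is the signature of a server-side problem on the payment path.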
79
Security ChallengesFraud Prevention
  • Currently so much emphasis has been put on
    protecting systems from unauthorized access and
    attack, that many have not considered or made
    provisions for security and fraud issues created
    by valid application users themselves.
  • - Financing's CIO, 10/2004

80
Primary Fraud Concerns
  • Applications do not allow transfer of funds to
    external accounts, minimizing risk of external
    fraud.
  • Higher probability of customers trying to
    manipulate data stored in system to their
    advantage.
  • Must walk the fine line between respecting the
    customer while not allowing the customer to take
    advantage of the company.

Source Interview and personal comments from
Financings CIO October 2004
81
Application Logging
  • All applications log all user activity from logon
    to logout.
  • Also logged are the IP address of the computer used
    for access, the hostname of the system used for
    access, browser type, operating system, etc.
  • System transactions such as interest calculations
    and online document requests are also logged.
    This allows tracking of calculation or processing
    errors in back-end systems.

Source Interview and personal comments from
Financings CIO October 2004
82
Business Intelligence Security
  • Logs are stored by username in a separate
    database.
  • Current data center capacity allows for live
    storage of more than 2 years of logs.
  • The live database allows on-demand searching of
    any user's activity. The database streamlines the
    investigation process and reduces call center
    call time.

Source Interview and personal comments from
Financings CIO October 2004
83
Sample Fraud cases from 2004
  • Case 1 Fraudulent Payments
  • Customer calls to report that their bank account
    has been debited several thousand dollars in
    excess. The caller suspects someone has broken
    into the payment system using their account.

Source Interview and personal comments from
Financings CIO October 2004
84
Fraud Investigation Process
  • User calls the Support Center to report a
    suspicious problem.
  • Call center pulls up all of the user's transactions
    in the suspect period.
  • Call center and customer identify suspicious
    sessions / transactions by comparing the system
    log with the customer's records.
  • If fraud is identified, evidence is sent to the
    fraud department for investigation.

Source Interview and personal comments from
Financings CIO October 2004
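
The call-center lookup in the procedure above, as an added example that is not Financing's system. The log format, field names and records are constructed to mirror the case on the later slides (a bookkeeper's account used from another workstation while she was away):

```python
"""Pulling one user's sessions for a suspect period out of an activity log
(added example, not Financing's system).  The log format, the field names and
the records are constructed; each line holds timestamp, username, session id,
source IP, hostname, browser and the action performed.
"""
from collections import OrderedDict
from datetime import datetime

# Constructed activity log (pipe-separated).  The "bkeeper" account is used
# from its usual workstation on the 1st and from a different machine on the 9th.
LOG = """\
2004-06-01T09:02:11|bkeeper|s101|10.20.30.41|BK-DESK|IE6|LOGON
2004-06-01T09:05:40|bkeeper|s101|10.20.30.41|BK-DESK|IE6|PAYMENT 1200.00
2004-06-01T09:06:02|bkeeper|s101|10.20.30.41|BK-DESK|IE6|LOGOFF
2004-06-09T14:21:07|bkeeper|s287|10.20.30.12|OWNER-PC|IE6|LOGON
2004-06-09T14:23:55|bkeeper|s287|10.20.30.12|OWNER-PC|IE6|PAYMENT 2500.00
2004-06-09T14:24:30|bkeeper|s287|10.20.30.12|OWNER-PC|IE6|PAYMENT 2500.00
2004-06-09T14:25:12|bkeeper|s287|10.20.30.12|OWNER-PC|IE6|PAYMENT 1800.00
2004-06-09T14:26:00|bkeeper|s287|10.20.30.12|OWNER-PC|IE6|LOGOFF
2004-06-09T15:00:00|jdealer|s290|10.20.30.12|OWNER-PC|IE6|LOGON
"""

FIELDS = ("ts", "user", "session", "ip", "host", "browser", "action")


def parse(log_text):
    """Parse pipe-separated lines into dicts with a datetime timestamp."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def sessions_for(log_text, user, start, end):
    """Group one user's activity between two ISO dates by session.

    Returns {session_id: {"ip", "host", "first", "last", "payments", "actions"}}
    in log order, so a call-center rep sees where and when each session ran and
    what it did, ready to compare against the customer's own records.
    """
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    sessions = OrderedDict()
    for rec in parse(log_text):
        if rec["user"] != user or not (t0 <= rec["ts"] <= t1):
            continue
        s = sessions.setdefault(rec["session"], {
            "ip": rec["ip"], "host": rec["host"], "first": rec["ts"],
            "last": rec["ts"], "payments": 0.0, "actions": []})
        s["last"] = rec["ts"]
        s["actions"].append(rec["action"])
        if rec["action"].startswith("PAYMENT "):
            s["payments"] += float(rec["action"].split()[1])
    return sessions


def unfamiliar_sessions(sessions, usual_hosts):
    """Session ids that ran from a host the user does not normally work from."""
    return [sid for sid, s in sessions.items() if s["host"] not in usual_hosts]


if __name__ == "__main__":
    found = sessions_for(LOG, "bkeeper", "2004-06-01", "2004-06-30")
    for sid, s in found.items():
        print(sid, s["host"], s["ip"], s["first"], s["last"], f"${s['payments']:.2f}")
    print("from an unusual machine:", unfamiliar_sessions(found, {"BK-DESK"}))
```

The second session shows three payments from OWNER-PC rather than the bookkeeper's own desk, which is exactly the "where and when" the rep needed to close the case in one call. Because the log keys on username, it cannot tell a shared password from a stolen one; only the hostname and timing distinguish the two.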
85
Problems with Fraud Investigation
  • Fraud department borrows resources from
    processing department and IT (both support and
    development) to track down error and determine
    root cause.
  • When fraud is identified, fraud department
    determines what reparations will be given.
  • Fraud investigation has a very high cost.

Source Interview and personal comments from
Financings CIO October 2004
86
Preventing Fraud via Logging
  • Transaction activity database allows 83% of
    fraud cases to be resolved in one call to the
    support center.
  • Nearly 65% of suspected fraud cases are not
    fraudulent and are resolved in less than 20
    minutes.
  • How does this benefit the company?

Source Interview and personal comments from
Financings CIO October 2004
87
Benefits to Company
  • Lower risk, attract additional investment.
  • Significant cost savings through minimal fraud
    investigation.
  • Increased shareholder and customer confidence.
  • Maintain high company image in light of recent
    corporate accounting scandals.

Source Interview and personal comments from
Financings CIO October 2004
88
Sample Fraud cases from 2004
  • Case 1 Fraudulent Payments: What happened?
  • While a dealer's bookkeeper (the caller) was on
    vacation in Florida, the dealer owner received a
    call from their account rep telling them about a
    special discount program if they made several
    extra payments that month.
  • Consequently the dealership owner logged into the
    payment system, using the bookkeeper's username
    and password that were posted in plain view on a
    post-it note on her monitor, and made several
    payments.

Source Interview and personal comments from
Financings CIO October 2004
89
Sample Fraud cases from 2004
  • Case 1 Fraudulent Payments Resolution
  • Matter was resolved in one 12 minute call to the
    call center.
  • Call center rep was able to locate the suspect
    transactions, confirm where and when they were
    made.
  • The bookkeeper was able to figure out what
    happened by asking other staff around their
    office who had used her computer while she was
    away.
  • No need to escalate case to fraud department for
    further investigation.

Source Interview and personal comments from
Financings CIO October 2004
90
Security Challenges: Sarbanes-Oxley Act of 2002
  • Sarbanes-Oxley Act Defined
  • Federal legislation passed as a result of the
    accounting scandals at Enron, WorldCom, etc.
  • Requires formal documentation of all processes
    through which financial transactions and
    securities flow, as part of the internal controls
    over financial reporting that management must
    assess (Section 404).
  • Process documentation must be audited annually to
    ensure it remains current.
  • Major changes to business processes may require
    more auditing.
  • Nicknamed SOX for short.

91
Initial SOX Challenges
  • All five of Financings primary applications were
    identified as exchanging securities and would be
    audited for SOX compliance.
  • Initial process documentation difficult to
    complete due to lack of good product
    documentation and staff changes.
  • Technical IT staff struggled to produce quality
    documentation that could be used for audit
    purposes. Initially had to borrow resources from
    business units to draft documents.

Source Interview and personal comments from
Financings CIO October 2004
92
Compliance with SOX
  • Pros & Cons ???

93
Compliance with SOX
  • Pros
  • Avoid legal action (SOX is a federal law)
  • Prevent corporate fraud
  • Ensure overall economic stability
  • Improve public and shareholder image
  • Cons
  • Additional auditing tasks
  • Increased workload for existing resources
  • Additional costs for auditing
  • Slower development time

94
Maintaining SOX Compliance
  • Ongoing auditing requires further assistance from
    technical staff to verify system behavior.
  • SOX auditing is performed by external vendors,
    such as KPMG, to ensure compliance.
  • Any change to an application requires review of
    the SOX documentation and possibly its revision,
    hence increasing the time required to make
    enhancements.

Source Interview and personal comments from
Financings CIO October 2004
95
SOX Costs
  • Majority of SOX auditing costs have fallen within
    IT budget, as only IT analysts have full
    knowledge of business processes and how they are
    being technically implemented, which is necessary
    for full documentation.
  • Costs for SOX auditing have been fully funded
    while still decreasing IT's annual budget by
    shifting more development and support to
    Financing's offshore resources.

Source Interview and personal comments from
Financings CIO October 2004
96
SOX ComplianceLessons Learned
  • Project management must allow sufficient time to
    allow for SOX documentation.
  • Appoint a SOX owner for each application who is
    responsible for ongoing audits of documentation
    for that application.
  • Encourage all team members to think proactively
    about SOX compliance. SOX owners are encouraged
    to include technical staff in their ongoing
    reviews to help develop strong documentation
    skills.
  • Edit SOX documentation in an on-going fashion.

Source Interview and personal comments from
Financings CIO October 2004
97
Security Comparison
  • Budget
    HRC: Information not available.
    Financing: No line item budget amount. Security tasks are encompassed within other budget items.
  • Dedicated Security Resources
    HRC: Dedicated resources responsible for systems and user accounts.
    Financing: Staff from other IT functions also serve to fulfill security responsibilities.
  • Security Testing
    HRC: Information not available.
    Financing: Penetration test is conducted by an external vendor annually.
98
Security Comparison (2)
  • Risk Assessment
    HRC: Risk controlled through maintaining access levels on all users and data.
    Financing: Business responsible for identifying business areas at risk; IT responsible for technical areas of risk.
  • Security Architecture
    HRC: Security practices based on well-known models, such as the Bell-LaPadula Model.
    Financing: Applications designed in house; hence, the architecture team defined a security framework based on risks.
  • Review Process
    HRC: Annual audits are performed by security officers.
    Financing: Security provisions are reviewed on an on-going basis as part of maintaining SOX docs.
99
Security Best Practice Recommendations
  • From HRC
  • Password policies
  • Firewall / web filtering in place to block access
    to prohibited sites
  • Ensure you have a procedure in place to ensure
    all personnel you let on the network have been
    fully screened.
  • Virus protection
  • Do audits
  • From Financing
  • Use a strong password and change it regularly.
  • Monitor / restrict Internet access on
    workstations.
  • Hire a third-party expert to evaluate the security
    of systems.
  • Keep complete logs / backups for recovery
    purposes.
  • Proactively seek new / better security
    provisions.

100
Sources Utilized
  • http://archive.ncsa.uiuc.edu
  • http://www.itsecurity.com/dictionary.html
  • https://www.2xcitizen.usar.army.mil/2xhome.asp
  • http://www.acerts.net
  • http://www.infragard.net

101
Sources Utilized
  • FrontLine: Tips and Techniques to Protect Your
    Information, June 2004, United States Army Reserve
    Information Assurance Office
  • Human Resources Command-St. Louis, Information
    Assurance Office
  • Army Regulation (AR) 25-2, Information Assurance,
    14 November 2003
  • Army Regulation (AR) 25-1, Army Knowledge
    Management and Information Technology, 30 June 2004
