Risk Assessment Report On Finance System Of University of San Diego
Question
Task: You are required to prepare a risk assessment report based on the following: Overall Description of the Organization, IT Department, and Scope - System Characterization. The University of San Diego is situated in the south-western corner of California. The University offers a variety of degrees, from undergraduate to postgraduate (master's and doctoral degrees) in arts, humanities, natural and social sciences, as well as in professional areas such as business, education, nursing, law, and medical technology. Currently, approximately 15000 students attend the University. Due to the ongoing pandemic, a blended learning approach has been put in place for some courses, where both students and lecturing staff occasionally work from home.
In regards to IT and related support activities, the University’s approach is centralised. That is, the University’s computer processing is performed by the IT department, which is the sole provider of technology and telecommunications for the University’s departments. Furthermore, the IT department provides data processing and end-user support for the University’s systems and applications, including training and documentation of application system controls and procedures. The IT department’s organizational structure consists of 35 staff, under the direction of an IT Executive Director. Since the
The scope of this risk assessment is the University’s financial application system. The application is called Banner Finance (“Banner”) and runs on a Red Hat Enterprise Linux operating system.
Collection of Information Relevant for the Risk Assessment
Your co-worker has already begun the process of gathering relevant information for the risk assessment through reviews and inspections of documentation, as well as on-site interviews with key management personnel. Key management personnel for the purposes of this example include:
- IT Executive Director (ITED)
- Banner Security Administrator (BSA)
- Operations Supervisor (OS)
- Systems Administrator (SA)
- Network Administrator (NA)
When interviewing the ITED and the BSA, it was noted that Banner holds critical and sensitive information about finance, accounting, human resources (HR), and payroll. The BSA further added that users of Banner include finance, accounting, HR, and technical/IT support personnel. Based on review of documentation, the University has several policies and procedures in place related to information systems operations, information security, and change control management.
In regards to the network infrastructure, the NA indicated that the University provides a wide variety of networking resources to all qualified members of the university community. Access to computers, systems, and networks is a privilege which imposes certain responsibilities and obligations, and which is granted subject to university policies, as well as local, state, and federal laws. All users must comply with policies and guidelines, and act responsibly while using network resources. In addition, the university also has a Bring Your Own Device (BYOD) policy in place. Both students and staff can bring their own computing devices to the university, whether smartphones, tablets, or laptops; however, they must comply with the BYOD security policy the university has put in place.
Physical access to the University’s facilities and its data centre, according to the ITED and the OS, is restricted through security mechanisms, including (1) biometric devices, (2) security guards, (3) video surveillance, and (4) visitors’ logs. The authority to change the above physical access control mechanisms is limited to the ITED. The OS also stated that the University has implemented various environmental controls in order to prevent damage to computer equipment, and to protect data availability, integrity, and confidentiality. They are as follows: fire suppression equipment (i.e., FM-200 and fire extinguishers), uninterruptible power supplies, alternate power generators, and raised floors.
When asked about logical information security around Banner, both the SA and the BSA agreed on the following:
- Some password settings have been configured, although the current configuration is not consistent with industry best practices.
- Reviews of user access within Banner are conducted, but not on a periodic basis. Terminated user accounts are removed from Banner, but not in a timely manner. Documentation supporting the reviews and the removal of user access is not maintained.
- Programmers are restricted to making changes and modifications (i.e., updates and upgrades) to Banner in a test/development environment prior to their implementation in production. However, test results are neither reviewed by management (i.e., the ITED) nor approved before final implementation in production.
- Lastly, Banner information is backed up daily, though the OS stated that the daily backup is stored locally, as the University has no offsite facility for backup storage.
Answer
Introduction to Risk Assessment Report
The University of San Diego keeps a large database of its stakeholders' sensitive and valuable information. The organization has basic security measures for protecting that information from cyber threats or other forms of attack on its information system. The existing measures, however, are incomplete and not necessarily adequate for complete information assurance. Risk assessment is imperative for large entities with sensitive and confidential databases in order to continue doing business. Since the university maintains a general information system framework, the NIST risk assessment guideline may help it in the best possible way to address potential threats. In this paper, the threats to the university's finance system, named 'Banner Finance', have been analysed.
Since the finance unit belongs to the key information security infrastructure, the NIST Risk Management Framework (RMF) may offer the most straightforward guideline for effective security assurance. The RMF involves seven crucial stages as described by NIST: Preparation, Categorization, Selection, Implementation, Assessment, Authorization, and Monitoring (Dionne, 2018). All of these controlling measures relate to the security of the information present in the database. The framework is appropriate for the organization concerned because of the integrated risk management guideline it provides. It integrates privacy of information, security of the information system, and risk management actions in the cyber supply chain environment. This comprehensive approach sheds light on the selection of controls and customized security measures based on the potentials, advantages and disadvantages determined by the relevant standards, legislation, policies, regulations, and orders (Dionne, 2018). The RMF applies to any kind of information system environment, such as an Internet of Things (IoT) environment, cloud-based or off-site application-based environments, and physical environments. The university allows Bring Your Own Device (BYOD) for students and staff. Thus, the NIST framework for security and risk assessment will suit the purpose of the entity.
IT system Characterization
The University of San Diego has over 15,000 students across the various departments of learning it offers. Naturally, it has to maintain an information system, or digital solution, to keep clerical procedures easy and time-saving. The pandemic, as in any other industry, has affected the university's learning systems as well, so the present information ecosystem of the organization also involves remote learning facilities for students. The risk management concerns and the potential threats considered in this report, however, apply to the university's financial system. Financial processing and information governance rely on an application-based solution named Banner Finance. This application runs on Red Hat Enterprise Linux. In its general approach to operations and to the risk management process and controls, the information system of the university is centralized. A single dedicated department of Information Technology experts looks after all key processing of the university's information system. The IT department provides the necessary digital and telecommunication facilities to the other departments of the university. Naturally, security, access and authentication control, and risk and threat prevention are all the sole responsibility of the IT department.
The IT department consists of 35 employees working under the direction of the IT Executive Director (ITED). Other prominent managerial or administrative representatives are the Banner Security Administrator, Operations Supervisor, Systems Administrator, and Network Administrator. The organizational structure of the finance department's security is thus generic, with a line of management followed by some employees and the Executive Director at the top. Each of the management personnel is crucial for documenting information regarding the finance application system's security and for assessing the potential risks and their impact in both qualitative and quantitative terms. Being the financial processing tool, the Banner application holds a considerable amount of sensitive and valuable information in its database. The information types can be divided under the headings of Finance, Accounting, Human Resources, and Payroll. The Accounting heading covers fee processing and the storage audit mechanism along with the additional financial operations and expenses. The university has some specific policies and procedures in place for the security of Banner Finance, including change management security control.
On the telecommunication and networking front, the university offers a large number of networking facilities to stakeholders authorized within the university's community. Though the IT department allows and encourages BYOD for flexible networking within the university's permitted premises, the provision brings some major risk concerns to the system's physical and virtual existence. The most sensitive database contains the details of the organization's income and expenditure processing, which relates to the accounts section. Payroll, external expenses and other budgetary details fall under the moderate and minimum risk potentials. These sections of information can be breached in myriad ways and for different purposes. For instance, hackers might attack the accounts of the system to claim ransom using ransomware injections (Dionne, 2018). Users of the systems may transfer viruses and bots to the system through the connection of their unprotected personal devices. Finally, the risks may also involve physical threats such as natural calamity, attacks and system failures. Like other entities, loss of data in any possible way under the Confidentiality, Integrity, and Availability (CIA) structure of security might cause serious financial loss and loss of market trust for the university (Lončarski, 2018).
Risk Identification
The information provided by the managers of the IT department refers to multiple areas of vulnerability in the system’s physical existence as well as in its virtual existence as discussed below.
Authentication in Physical Access: As per the information provided by the ITED and OS, the university's information system can be accessed only through biometric security. Though the management keeps a visitors' log and CCTV surveillance along with security guards, these controls are not enough to protect the system components from threats or attacks through both physical and virtual mechanisms. Multi-Factor Authentication (MFA) is considered crucial in present-day security controls for both the physical and digital security of assets (Lončarski, 2018). MFA may include biometric and device authentication at the same time. Biometric security is often weak, as there are specific environmental conditions under which biometrics do not work properly. Face-recognition biometrics, for instance, may fail to recognize the authentic user of systems and assets because of a change in environmental light or in the subject's face. Biometrics never ensure a 100% match for access permission. Hence, single-factor authentication may often fail.
Password Security: The system's password security configuration, according to the SA and BSA, does not meet any industry-specific security best practice. Ensuring password protection requires implementing a strong password acceptance system on the devices through centralized control, and storing security information in encrypted form. Encryption helps not only in ensuring the security of the system but also in the control and management of the access log, as anyone in the cryptography ecosystem may view the changes made in the access mechanism through blockchain's shared ledger (Dionne, 2018). However, the password settings must be differentiated for different degrees of access, including Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role-based or Rule-based Access Control (RBAC) systems (Lončarski, 2018).
Security Audit: The IT department reviews the access control system for the Banner database at times, but not on any consistent periodic routine. Periodic review of the access database is critical to the security of the system, as it helps in eliminating the details of terminated access and makes the security controls more effective for the users. Regular audit of the access database also helps in detecting attempts at unauthorized access or access from terminated accounts (Mazitelli, 2018). The management or security personnel can take the necessary steps when such attempts are detected. Audit also ensures Information Governance through secure management of records, data cleansing, and de-duplication. Absence of regular audit may lead to increased external threats and chances of insider trading.
Lack of Quality Checking: The systems in Banner Finance are only managed for occasional updates. Lack of regular updates in the system may lead to the failure of the system's security and invite bugs and vulnerabilities (Mazitelli, 2018). The programmes for change management are also inadequately checked and their security inadequately assured. The documentation for reviewing access is also inadequate in the present practice.
Absence of Backup: The system data of Banner Finance is not stored in any cloud backup for emergency response and business continuity. The system only has a local backup of the data. Local backup may easily fail in an emergency when the system is attacked by external forces such as Trojans, malware, botnets, Distributed Denial of Service (DDoS) attacks etc. (Mazitelli, 2018). An off-site or cloud backup may help in addressing this problem. Though the system follows a daily backup within the OS, it may not suffice without a periodic automated cloud backup system.
IT Area | Vulnerability | Threat-Source
Physical System | Compromised security | Unauthorized access
Access through Password | Breach | Poor password security
Access Audit | Failed identification of unauthorized access, poor information governance and record management | Breach of access to the security database
Change Management | Compromised security in new programmes | Lack of quality checking and seldom audit
Data backup | Absence of off-site regular backup | Threats to data breach or disasters leading to the interruption of business process
Control Analysis
The university has deployed a number of security controls in their existing capacity as discussed below.
Physical Access: The University has restricted physical access to its systems through biometric access control, deployment of security guards, video surveillance and visitors' logs. All of these security control measures help the university ensure basic safety from access by unauthorized people. A universally accepted measure for physical security control is Crime Prevention Through Environmental Design (CPTED) (Bada, 2017). This framework involves all of the measures implemented by the university.
Password Security: The University has implemented a password-enabled configuration for its system. Though the management feels it to be inadequate, the existence of password protection has a certain impact on the security of the financial system.
Security Audit: The University's IT department performs security audits of the Banner financial database. In this process, they eliminate expired and unnecessary user accounts (Bada, 2017). This elimination helps in better information governance, as the process pertains to data cleansing and de-duplication for security enhancement and effective management of database records.
Updates: The Banner Finance system supports updates for bug-fixed versions and additional facilities offered by the developers of the application software. The updates help in keeping the threats of malware attacks away.
OS Back-Up: The University maintains an everyday backup of its information in the operating system. This is a local backup process, easily accessible from within the organization's information ecosystem (Aloini, Dulmin, & Mininno, 2018). In case of emergency and threats, this backup is the earliest accessible one. Local backup is also beneficial for incidents that take place due to insider error within the entity.
Risks | Likelihood
Physical System | Low
Access through Password | High
Lack of Access Audit | Moderate
Change Management | Moderate
Data backup | High
The physical system is less likely to be attacked due to the present controls of biometrics, security surveillance cameras, security personnel, and the log register. However, database access is highly vulnerable, as the password configuration does not follow any industry standard for security. The access audit brings moderate risk, as the audit method does not follow any industry standard either. Change management lacks quality assurance before programmes are implemented; hence, the security risk remains moderate in connection with the nature and scope of change (Aloini, Dulmin, & Mininno, 2018). The most serious threat after the password in this system is the lack of offsite backup. Offsite or cloud backup helps organizations immensely in emergencies. Business continuity often depends on cloud data backup, as it delivers fast and well-organized backup of data whenever a threat is faced. Thus, the availability and integrity of the information in the cloud database remain intact. However, following a breach, the confidentiality of any database faces several questions. Hence, the focus of security preparation needs to rely on prevention of threats rather than on recovery from them. The aim behind the assessment of risk degrees is to ensure risk tolerance and minimize the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the organization while dealing with a threat (Lin, 2018). RTO refers to the time during which the data remains unavailable in the process of data breach or disaster recovery. RPO refers to the point of data loss acceptable for an organization to continue business immediately after the detection and identification of a threat in its database ecosystem.
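The RPO defined above can be measured directly against a backup catalogue, and doing so makes the local-only finding visible as an offsite gap rather than a healthy daily schedule. The following check is an added example, not part of the original report; it assumes a constructed backup catalogue for Banner and a hypothetical 24-hour RPO, since the report states no figure.

```python
"""Backup coverage and RPO exposure check for a local-only backup scheme.

Added example, not from the original report. It walks a constructed backup
catalogue, reports per storage location whether a verified copy young enough
to meet the RPO exists, and states how many hours of data would be lost if
the local site itself were destroyed, which is where a local-only scheme fails.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RPO = timedelta(hours=24)                 # hypothetical target; the report gives none
REQUIRED_LOCATIONS = ("local", "offsite")  # both copies expected for continuity
NOW = datetime(2021, 4, 1, 9, 0)          # constructed check time


@dataclass
class BackupEntry:
    system: str
    location: str          # "local" or "offsite"
    completed_at: datetime
    verified: bool         # restore test or checksum check passed


# Constructed catalogue mirroring the report's finding: daily local copies only.
LOCAL_ONLY = [
    BackupEntry("banner", "local", datetime(2021, 3, 30, 2, 0), True),
    BackupEntry("banner", "local", datetime(2021, 3, 31, 2, 0), True),
    BackupEntry("banner", "local", datetime(2021, 4, 1, 2, 0), True),
]
# Same schedule with an offsite copy added; the newer offsite copy never verified.
WITH_OFFSITE = LOCAL_ONLY + [
    BackupEntry("banner", "offsite", datetime(2021, 3, 28, 3, 0), True),
    BackupEntry("banner", "offsite", datetime(2021, 3, 31, 3, 0), False),
]


def coverage(catalogue, now=NOW, rpo=RPO, required=REQUIRED_LOCATIONS):
    """Per location: MISSING, STALE or OK, with the age in hours of the newest
    verified copy. Unverified copies are ignored because they cannot be relied on."""
    report = {}
    for loc in required:
        copies = [e.completed_at for e in catalogue
                  if e.location == loc and e.verified]
        if not copies:
            report[loc] = {"status": "MISSING", "age_hours": None}
            continue
        age = now - max(copies)
        report[loc] = {"status": "OK" if age <= rpo else "STALE",
                       "age_hours": round(age.total_seconds() / 3600, 1)}
    return report


def site_loss_exposure(catalogue, now=NOW) -> Optional[float]:
    """Hours of data lost if the local site is destroyed: the age of the newest
    verified offsite copy, or None when no offsite copy exists (total loss)."""
    offsite = [e.completed_at for e in catalogue
               if e.location == "offsite" and e.verified]
    if not offsite:
        return None
    return round((now - max(offsite)).total_seconds() / 3600, 1)


def meets_rpo(catalogue, now=NOW, rpo=RPO) -> bool:
    """True only when every required location holds a verified copy within the RPO."""
    return all(v["status"] == "OK" for v in coverage(catalogue, now, rpo).values())


if __name__ == "__main__":
    for name, cat in (("local only", LOCAL_ONLY), ("with offsite", WITH_OFFSITE)):
        print(name, coverage(cat), "site-loss exposure (h):", site_loss_exposure(cat))
```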
Risk Impact Analysis
Risk | Impact
Physical System | High
Access through Password | Moderate
Lack of Access Audit | Moderate
Change Management | Moderate
Data backup | High
Threats to physical systems have a higher impact on information system security, as they might paralyse the information ecosystem by damaging the physical devices to the degree of irreparable loss. The threat to password security has been considered moderate because the impact depends on the database or the unit of the information system that has been breached. The access audit also brings a moderate security threat, as the differences among the various access mechanisms determine the security levels of the whole system (Lin, 2018). Change management may bring moderate to high risk, as the University's security system lacks audit and quality assurance. Data backup is also a matter of grave concern when impact is considered, as loss of data may bring organizational operations to a halt. The university is at high risk because there is no offsite or cloud backup system for its information to ensure business continuity.
Risk Level determination
Risk | Level
Physical System | High
Access through Password | Moderate
Lack of Access Audit | Low
Change Management | Moderate
Data backup | High
The information system of the University, especially the Banner Finance system, is highly vulnerable considering the multiple flaws present in the risk management and monitoring process in practice there. Threats to physical security may lead to a high level of risk, leading to prolonged RTO and RPO as well as compromised business continuity (Lin, 2018). A threat to the physical system without a plan for sharing the risk impact through insurance may also lead to huge unexpected expenses for the revival of operations. A password security breach also carries moderate to high risk, as once hackers or unauthorized elements gain access to passwords, the security of all sensitive and valuable data may be compromised. The impact of access audit has been considered low because of the internal audit consideration made here: the access control in this regard is confined to the organization's internal users. For external access, however, the lack of control may bring higher chances of risk. Failure to manage change and assure security in newly implemented procedures may lead to a moderate level of threat in the system (Abkowitz & Camp, 2017). It is important to mention that all of these threat parameters may increase or decrease based on the Risk Tolerance level of the system. Finally, the impact of poor data backup on information security is high, as the absence of offsite backup may lead to complete loss of data when the onsite system is attacked by hackers or other threat agents.
Control Recommendation
The NIST Risk Management Framework, also known as the Federal Information Security Management Act (FISMA) offers some common and effective control mechanisms for security in organizations like the University in concern here. The controls are as the following.
Preparation: The preparation phase involves establishing the exact context for understanding the appropriate security measures. The organization needs to prioritize its information in order to implement specific security measures (Abkowitz & Camp, 2017). Here, the financial application that contains accounts data, human resource data, payroll data and other additional financial information needs to be prioritized based on importance and sensitivity.
Categorization: Categorizing the information and the processing models helps in ensuring security further.
Baseline Security Control: These are the primary security controls, such as network security through firewalls, anti-malware systems, and intrusion prevention and detection mechanisms with automated security updates and alerts. Baseline security control also involves information governance through regular audit and the elimination of unnecessary information by data cleansing and de-duplication (Abkowitz & Camp, 2017). User education, access control and authorization are major parts of baseline information system security control.
Implementation: Implementation of security is subject to tests and updates. Once the baseline controls are implemented, the responsible authority must check their performance against the desired parameters.
Assessment: The assessment process may include quantitative and qualitative assessment of risk tolerance and security measures through various parameters (Sax & Andersen, 2018). The Balanced Scorecard is a universally accepted parameter for assessing performance related to the information system.
Authorization: Authorization to Operate (ATO) must be considered after adequate testing and checking of the system. Under NIST, the ATO is granted for three years and needs to be renewed after that period (Sax & Andersen, 2018).
Monitoring: The system must be monitored frequently and periodically to ensure that the implemented security measures operate towards the desired goals (Sax & Andersen, 2018). The monitoring process should also involve flexible and scalable change management owing to the changing nature of the financial data in the University's accounts and finance management application.
Conclusion
The risk assessment and recommendations reveal that there are five key risks related to the University's financial application system. These risks are the physical risk, password security risk, access control risk, risk to change management and risk to data backup. Any organization with a medium-sized database may face these common risks in the digital environment. However, the NIST FISMA framework for risk management and security may help the University gain more confidence in its financial data security. Certification will also help it remain resistant to legal and procedural threats. The degree of risk and impact has appeared different depending on the immediate information system environment. Access, database and password security threats have remained crucial in their impact on the system's security throughout the assessment process. However, physical security is also a key concern for the University's database. Besides physical security, the IT department can establish both digital and physical systems of authentication with MFA.
References
Sax, J., & Andersen, T. (2018). Making Risk Management Strategic: Integrating Enterprise Risk Management with Strategic Planning. European Management Review, 16(3), 719-740. doi: 10.1111/emre.12185
Abkowitz, M., & Camp, J. (2017). Structuring an Enterprise Risk Assessment Protocol: Traditional Practice and New Methods. Risk Management and Insurance Review, 20(1), 79-97. doi: 10.1111/rmir.12068
Lin, L. (2018). Integrating a national risk assessment into a disaster risk management system: Process and practice. International Journal of Disaster Risk Reduction, 27, 625-631. doi: 10.1016/j.ijdrr.2017.08.004
Aloini, D., Dulmin, R., & Mininno, V. (2018). Risk Management in Enterprise Resource Planning Systems Introduction. Retrieved from https://www.researchgate.net/publication/265361165_Risk_Management_in_Enterprise_Resource_Planning_Systems_Introduction
Bada, M. (2017). Computer Security Incident Response Teams (CSIRTs): An Overview. Global Cyber Security. Retrieved from http://www.elizabethphillips.co.uk/Research/CSIRTs.pdf
Dey, P., Clegg, B., & Cheffi, W. (2018). Risk management in enterprise resource planning implementation: a new risk assessment framework. Production Planning & Control, 24(1), 1-14. doi: 10.1080/09537287.2011.597038
Acharyya, M., & Brady, C. (2017). Designing an Enterprise Risk Management Curriculum for Business Studies: Insights From a Pilot Program. Risk Management and Insurance Review, 17(1), 113-136. doi: 10.1111/rmir.12019
Dionne, G. (2018). Risk Management: History, Definition, and Critique. Risk Management and Insurance Review, 16(2), 147-166. doi: 10.1111/rmir.12016
Lončarski, I. (2018). Risk Management (2016). Risk Management, 18(1), 1-3. doi: 10.1057/rm.2016.2
Mahnken, S. (2017). Today's authentication options: the need for adaptive multifactor authentication. Biometric Technology Today, 2014(7), 8-10. doi: 10.1016/s0969-4765(14)70126-2
Ruefle, R., Dorofee, A., Mundie, D., Householder, A., Murray, M., & Perl, S. (2019). Computer Security Incident Response Team Development and Evolution. IEEE Security & Privacy, 12(5), 16-26. doi: 10.1109/msp.2014.89
Van der Kleij, R., Kleinhuis, G., & Young, H. (2017). Computer Security Incident Response Team Effectiveness: A Needs Assessment. Frontiers in Psychology, 8. doi: 10.3389/fpsyg.2017.02179
Telenyk, S., Bukasov, M., & Yasochka, M. (2016). Resource management for server virtualization under the limitations of recovery time objective. Open Physics, 14(1). doi: 10.1515/phys-2016-0059
Mazitelli, N. (2018). Incident Response and Handling. Engineering & Technology Reference. doi: 10.1049/etr.2014.0034
Liu, P., Xu, B., Hu, F., Yu, H., & Li, J. (2019). A New Complex Incident Response Plan Decision-Making Model. Applied Mechanics and Materials, 241-244, 1133-1138. doi: 10.4028/www.scientific.net/amm.241-244.1133