
Information Security Management

Learning task 9
Students: Phan Hoang Giang (1001704), Vu Viet Hung (1028171), Bui Than Minh Hoai (1002786)

Contents
Question 1
Question 2
Question 3: the need for Business Continuity Planning
    3 events that can highlight the need for Business Continuity Planning
        RIM BlackBerry Service Outage
        Virus hits part of U.S. Commerce Dept.
        Cable service interrupted in Molokai
    How do these events relate to the ASDA.com case study?
Reflective report
References

Question 1
The researchers organized a small workshop in order to improve the information security awareness and behaviour of staff. They conducted one survey before the workshop and two surveys after it to evaluate staff awareness and behaviour. They used two approaches and obtained survey results based on each of them:

Method: Quantitative evaluation
- Uses an experimental design to measure individual awareness and behaviour before and after the intervention.
- 197 employees were randomly assigned to an intervention group, which participated in the workshops, and a control group, which did not.
- In total, the employees completed 3 surveys: one a month before the intervention, one a month after the intervention and one 6 months after the intervention.
- The first survey tested awareness and behaviour before the intervention.
- The second survey evaluated the stability of the awareness and behaviour produced by the intervention.
- The third survey was also sent to the control group, but it could not divide the control group between those who had been in the workshops and those who had not.

Method: Qualitative evaluation
- Supports the quantitative evaluation techniques.
- Provides a breadth and depth to the evaluation that cannot be achieved by quantitative approaches.
- The purpose is to get indications of why the workshops functioned as they did and how they influenced awareness and behaviour.
- Data were collected using group-based discussions, an observation study and free-text data.

Question 2
Selling information security to end-users can have a positive effect, but it can also lead to unwanted results, such as the following.

People's habits are very hard to change, especially old habits that do not seem to affect their current situation much. For example, if we follow information security guidance, our passwords must be longer than 8 characters and contain letters and numbers, and each account must have a different password. This makes passwords hard to remember, so people will write them down or use a program to manage them, which makes the passwords easier to steal.

A change in job content is also a negative outcome. When information security makes work more complex and harder, tasks can no longer be completed as easily as before. That makes information security hard to accept: people will ask why they have to use the new way when the old one still works well.

Culture is another cause of negative outcomes. For example, in Asian countries people are very friendly; they trust strangers more easily and are willing to help. If a stranger tells them that they forgot their ID card, they will say "you can get in with me and my ID card". If that stranger then does something wrong, the person who let them in will be held responsible for every loss the company suffers.

Technology requires a large power supply. Imagine that one day our power is cut for 6 hours without announcement. Every security door becomes a prison and a trap; you cannot open those doors with your bare hands, and everyone is stuck inside without oxygen. Another point is that all our documents are on computers, but we cannot turn the computers on because the power is off. We can do nothing until the power comes back.

Question 3: the need for Business Continuity Planning


Business continuity planning (BCP) ensures that the critical business functions of an organization can continue if a disaster happens. Unlike the disaster recovery plan (DRP), which is managed by the IT department, the business continuity plan is managed by the CEO of the organization. The business continuity plan is executed at the same time as the disaster recovery plan when the scale of the disaster exceeds the DRP's ability to restore operations quickly. Three recent events that explain the need for business continuity planning are listed below.

3 events that can highlight the need for Business Continuity Planning

RIM BlackBerry Service Outage
The RIM BlackBerry service went down for nearly four days in October 2011. The outage was caused by a hardware failure in Europe: a dual-redundancy high-capacity switch failed, which should have been handled by a backup system, but that system also failed. This led to overloading elsewhere, and when the system was restarted the processing backlog took longer to clear than RIM had expected. That brought down the service in the Middle East, Africa, India, China, Argentina, the US and Canada. The outage may cost RIM more than $100 million because RIM is obligated to maintain a certain ratio of uptime for its servers; the nearly four-day outage could have breached that agreement and required RIM to pay punitive fees. RIM decided to offer apps to customers as compensation. This disappointed customers, because they had been waiting for a refund.

What can be learnt from this event?

RIM should reassess and review their business continuity planning because their current BCP does not satisfy the business need. One of the important parts of BCP is the maintenance and testing of technical solutions. RIM was clearly not aware of this situation and never planned for a failure of the backup hardware. The backup system was not well maintained and was not tested for this situation. RIM should update their BCP manual and roll it out to all staff for awareness and specific training on this solution.

How can this event be incorporated into RIM policies?

After this event, RIM should update their disaster recovery policy, business continuity policy and information security policy to make all RIM staff aware of the importance of maintaining and testing technical solutions, and of the importance of the backup system for RIM's business. In these policies, they can assign more resources to the backup system and redefine the roles and responsibilities of the players in business continuity operations. That could help RIM avoid a defensive situation like the one in this event.

Virus hits part of U.S. Commerce Dept.


The US Department of Commerce's Economic Development Administration (EDA) suffered an attack in January 2012. It resulted in Internet access and email being blocked. Security was the reason for the shutdown. The virus was initially discovered on January 20. To avoid a data leak or more severe consequences, and to investigate the attack, the EDA decided to disconnect its systems on 24 January. In the meantime, the EDA put up a simple website to provide access to key information and serve customers. Staff worked using phones and fax lines.

What can be learnt from this event?

The EDA has good business continuity planning. After the decision to disconnect the systems, they could establish a backup system and continue to provide core services to customers, such as funding opportunities and contact information. The core missions of the EDA were maintained, which is the goal of business continuity planning.

How can this event be incorporated into EDA policies?

The EDA has good business continuity planning. Cyber-attacks are a dangerous and widespread concern. When facing this event, the EDA quickly decided to disconnect its systems but continued to provide core services via a backup system. They must highlight the importance of business continuity in their policies and make staff aware of it.

Cable service interrupted in Molokai


Cable service was interrupted for a week for about 140 customers of Oceanic Time Warner Cable on the West End of Molokai, an island in Hawaii, in December 2011. Rats chewed through two different sections of underground cable on the West End, making the service unavailable. A lack of support staff delayed the necessary repairs.

What can be learnt from this event?

Oceanic Time Warner Cable does not have any business continuity plan for service in Molokai. Staff received information about the disruption of service and only then tried to fix the issue. They explained the lack of support staff by the small number of subscribers in Molokai.

How can this event be incorporated into Oceanic Time Warner Cable policies?

After this event, the staff of Oceanic Time Warner Cable must be aware of the importance of business continuity planning. The number of subscribers in Molokai is small, but they are customers of the company, and Oceanic Time Warner Cable must guarantee the continuity of its service.

How do these events relate to the ASDA.com case study?


The main business of ASDA.com is online trading, so the continuity of the ASDA.com service is critical for the ASDA business. The first reason is that ASDA loses revenue when its systems are corrupted. It also loses customer loyalty, which can lead to a loss of market share. ASDA.com can learn from the 3 events listed above. They should update their information security policy, disaster recovery policy and business continuity policy to avoid issues like those that happened in these 3 events. Reading about these events should help the staff of ASDA.com improve their business continuity awareness and behaviour.

Reflective report
There was a lot of pressure when doing this learning task because our R&D project is running now. However, we are lucky because our ISM team is also the R&D team. We can hold meetings regularly to discuss both ISM and R&D. With the first question, it took us 2 days to review and give our solution. It talks about a change in the awareness and behaviour of employees about information security in an organization. The case study is long and contains a lot of statistical data; therefore, making a summary in a short page was quite difficult for us. In question 2, we had to figure out some negative effects of "selling" information security. It was a little bit hard because we couldn't find any suggestion or guide for this part. All of the examples are our own thoughts about negative effects which could happen. With question 3, we had to find 3 events that can explain the need for Business Continuity Planning. Then we needed to define what is related to the ASDA.com case. The hardest part of this question for us was to find the 3 events. There have been many information security events in the last months, but most of them are related to security breaches. Question 3 helped us to understand the importance of business continuity planning to the organization.

