Creative IT Solutions (Pvt) Ltd. (CITS)
1. Executive Summary.
This is a report which presents the findings of an information security risk assessment of the Creative IT Solution (pvt) Ltd (CITS).This section summarizes a long process of IT security audit of CIT. This risk assessment process is based on the BS ISO/IEC 27005:2008 risk management standers. For further information about the reference model please refer to  in reference.
Findings and Recommendations.
It has identified number of key issues by focusing on the company’s critical assets of information. These are the main driven points of the CITS. A lot of risks were identified during the risk identification process. These assets can be people, software, hardware or third-party services. Further information about assets, refer to the figure 2.0.2 Following are the main issues and recommendations for identified assets derived by the BS ISO/IEC 27005:2008 Framework.
Company Database System
One of the most sensitive assets of the CITS and it can be opened for attacks in several ways. Major threats that identified are Excessive privilege, Sql injection attacks, Malware, Exploitation of vulnerable databases. Gerhart an expert of threat analysis once said “databases may contain sensitive information, and new databases can emerge without visibility to the security team. Sensitive data in these databases will be exposed to threats if the required controls and permissions are not implemented.” . Alternative backup database, severe access control rights to accessing db, managing authentication levels, block malicious web requests and specially automating auditing with a database auditing and protected platform are presented as solutions.
System access control policies.
It has identified several weak points of the existing security polices in CITS. Access polices for all critical information assets need to be analyzed and reviewed. So it is planning to implement an access control system which have three abstractions that are access control polices, models and mechanisms. For more details about the three abstraction refer the  reference.
As CITS is expanding its services rapidly day by day it is relying more on out sources and venders to support and maintain systems. Normally these third-parties mostly use remote access tools to connect to the CITS’s company network, but they don’t follow best security practices. Therefore it is recommended to validate that any third-party follows remote access security best practices. For an instance enforcing multifactor authentication.
These key issues and recommendations are detail discussed and explain in the technical report. For mitigating security black-holes of the CITS’s these security mechanisms are highly recommended. Through following those guide lines relating BS ISO/IEC 27005:2008 imply a continual process consisting of a structured sequence of activities, some of which are iterative.
Figure 1.0 This shows how it’s easy to find critical assets and information.
For more analysis refer the  Annex E Table E.1 b)
2. Technical report.
Introduction & methodology.
Creative IT solution (Pvt) Ltd is an organization which develop web applications, software systems, provide theoretical solutions for it security risks and newly started department for online support center that awaring subjects who face several information technology issues. And also guide them for proper use of IT. In order to achieve that workshops are conducted too. CITS’s head office is situated in NO.5 Malkaduwawa Road, Kurunegala, and it has two floor of an entire building furthermore the management has decided to open a new branch in Colombo. Figure 2.0.1 is the sample organization diagram for the CITS.
ISO/IEC 27005:2008 by International Organization for Standardization (IOS) and the International Electrotechnical Commission (IEC) standard is used in this information security risk evaluation as it is very well suitable for CITS rather than other frameworks and it is highly recommended in worldwide . According to the ISO/IEC 27005:2008 “A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS)”.
Another reason to use this framework is that this framework consists information security risk management as,
- Context Establishment
- Risk Assessment
- Risk Treatment
- Risk Acceptance
- Risk Communication &
- Risk Monitoring.
So it is easy and effective use a framework such as ISO/IEC 27005:2008.
Figure 2.0.1 The organization diagram of CITS.
This report consists of five critical assets that can be driven CITS for unstable situation which are identified through analyzing the organization structure and discussing with the senior management. Even if some steps are taken to avoid some situations those are not enough with prevailing industry. When examining those assets, the priority is given as follow.
ISO/IEC 27005:2008 has predefine worksheets for easing these kind of tasks, worksheet on Appendix A, Appendix B are helpful resources for accomplishing the task. Furthermore refer  (Annex D, D.1, and Annex E Table E.1a/Table E.2)
Figure 2.0.2 Identifying assets and risk analysis.
ISO/IEC 27005:2008 worksheets are helpful documentation tools. Refer to Appendix A/B
2.1 Database server.
Risk Identification ⇒⇒ CITS’s database server is a local database which is sited on company local area network. As usual it has proprietary APIs for accessing data. The company is using PARADOX DBMS and it only provides security at the table or field level. The identified risks are unwanted or unintended activity or misuse by authorized users, malware infections, physical damage to the database such as database server room fires or floods, overheating, lightning etc… 
Risk Estimate ⇒⇒ Inappropriate success to sensitive data, leakage or disclosure of personal or proprietary data, these kind of risks can directly affect to the company confidentiality. The impact rate is “high”.
Risk Evaluation ⇒⇒ Most effective solution is to implement new database system (BDMS) with highest access control policies such as JASMINE ii / VERSANT / Object Store. And also educate the database users about implementing security controls, enforce polices or conduct incident response process are much better. When considering the natural disaster affects, it is good to implement the database server with in a natural disaster proof environment, for an instance fire resistant database server room, use mechanisms for avoiding lightning etc.… (Figure 2.0.1 raw 1 for key points). 
2.2 Web/mail/file server.
Risk Identification ⇒⇒ This is more vulnerable for attacks because web servers and applications open systems and information to be access by partners, suppliers and customers. From surrendering customer privacy data transactions may cause indirect damage of company reputation. In CITS organization where security is not backed in to both the business planning and application development process. There can be lack of awareness of security best practices. This is a dangerous situation for the organization.
Risk Estimate ⇒⇒ The trustworthiness of the company can be directly affected through this. Customers can be disappointed about the company and their services. Therefore it can affect company profit and reputation very badly. When considering the web/mail/file server availability, for CITS it is essential as it directly interact with the customers (suppliers). So the impact on the availability is “high” according to the studies.
Risk Evaluation ⇒⇒ There are very simple ways which the management does not care about, for avoiding web/mail/file server risks. Basically the CITS does not change the default configurations of the main routers and DNS servers, so it is highly advised for changing those configurations. And also can be.
Figure 2.2.1 Summary of web/mail/file server risks. 
2.3 Access control and security policies.
Risk Identification ⇒⇒ This can identified in two parts. Internal and External. Internal threats are from individual threats are from individuals that have legitimate access such as employee, so the insiders can be extremely difficult to detect. If the network is compromised outsider intruders can attack or misuse the system this is external. Main risks from these threats are unauthorized disclosure, disruption of computer devices can be mentioned.
Risk Estimate ⇒⇒ Loss of productivity through misuse of IT resources such as network bandwidth. Financial loss, this can be directly theft of money or indirectly from the recovery of security incidents. Another configured thing is Blackmailing, an intruder can threaten for exploiting the security breach. The integrity is at “high” level risk.
Risk Evaluation ⇒⇒ Password are an important line of defense against unauthorized access to an IT system, and also the policies. “The security policy is a statement of intent with regard to control over access to, dissemination of, and modification of information. The security policy must be precisely defined and implemented for each system that is used to process sensitive information. The security policy must accurately reflect the laws, regulations, and general policies from which it is derived.” ACLs can be used for denial or permission access o objects. BYOD also helpful suggestion. 
2.4 VPN access.
Risk Identification ⇒⇒ In the research mainly identified risk through ISO/IEC 27005:2008 worksheets are (Appendix A/B) lack of required host security software on public machines, physical access has been given to shared machines of the employees by the management, and this is also not a security best practice.
Risk Estimate ⇒⇒As this is the main connection line between the organization and the client if the VPN getting attacked is directly affect to the availability of the company network. Therefore availability is at “high” risk level than other two which are confidentiality and integrity.
Risk Evaluation ⇒⇒ Use IPsec remote access APN technology which require installation of IPsec client software on a client machine. And also it is recommended to have security policies and security access through strong user authentication. Another driven key point of CITS is educate the user about the access controls and security policy awareness.
Figure 2.0.3 in below is given an abstraction of the identified risks, likelihood of those threats, impact whether it is highly affected on confidentiality, integrity or availability, and estimated risk level of the identified assets.
Figure 2.0.3After applying above evaluations for the assets.
* Overall impact of the CIA is mentioned here
** For more analysis refer the  Annex E Table E.1 b)
3. Summary and Recommendations
According to the report as suggested in the technical report, it has recommended several actions to be taken for the protection of the Creative IT solution (Pvt) Ltd. Alternative database backup and maintain it well secure manner and take steps to protect the database physically is too important according to the studies.
Expand the organization policies according to the developing technology also needed. It is advised for using policy standards such as ISO/RFC 3785 and use policy best practices. Considering the access controls those should be strengthen. Furthermore as CITS is growing day by day a lot of employee and customers interact with the company. Therefore it is recommended a full review for the access policies fall monitoring system and create a new secure policies for safe guarding. These polices should be constantly reviewed and update.
Until the research is being done, the management does not take a third-party render for risk transferring process. Therefore it is highly recommended for hiring a trusted third-party vender with guaranteed contract.
Finally, this report is contain more details and in the technical report (section 2) technically solutions are given and the CITS is highly motivated for applying those things for the organization. For more details, Appendix A and Appendix B can be referred.
 Information Technology-Security Techniques-Information Security risk management; First edition; 2008-06-15; available from; http://www.pqm-online.com/assets/files/lib/std/iso_iec_27005-2008.pdf; cited date 08-02-2016.
 By Roy Maurer; Top Database Security Threats and How to Mitigate them; published on 7-30-2015; available from; https://www.shrm.org/hrdisciplines/safetysecurity/articles/pages/top-database-security-threats.aspx#sthash.BuwaTMzK.dpuf; cited on 9-03-2016.
 Vincent C.Hu, David F.Ferraiolo, D.Kick Kuhu; NIST [Assessment of access control systems] September 2006; available from; http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf; cited on 18-03-2016.
 Michael E. Whitman, Herbart J.Mattord; Principles of Information Security; fourth edition; Course Technology Cengage Learning; 2012; available from; http://ntuc.org.np/wp-content/uploads/2016/02/Principles-of-Information-Security-4th-ed.-M.-Whitman-et..pdf;cited on 14-03-2016.
 Roy Maurer; Top Database Security Threats and How to Mitigate Them; 7-30-2015; available from; https://www.shrm.org/hrdisciplines/safetysecurity/articles/pages/top-database-security-threats.aspx; cited on 20-03-2016.
 Risk Assessment IWMW 2006; UKOLN; available on; http://www.ukoln.ac.uk/web-focus/
events/workshops/webmaster-2006/risk-assessment; available on; 14-02-2016.
- Appendix A
- Appendix B