Case Study - Chapter 5 - IIUM


Chapter 5 - 53 Case Study | MyRAM Handbook | MAMPU

Chapter 5: Case Study

The case study used in this chapter is a sample of conducting risk assessment activities using MyRAM. It is up to the organisation’s decision-making authorities to finalise and decide on items such as the threats unique to the particular organisation as well as the safeguards to be implemented.

Municipal Council of ABC (MCABC):

The Municipal Council of ABC (MCABC) is a Local Authority providing municipality services, overseeing the development of local infrastructure and looking out for the social well-being of the community. MCABC’s vision is to become the best local authority amongst its peers by providing the best municipality services achievable to customers by 2006. MCABC’s objectives are to:

1. provide a comfortable living environment with up to par municipality services.

2. improve service quality and administrative effectiveness.

3. increase business opportunities.

4. maintain continuous development.

5. develop an effective and efficient financial and assessment system.


Below is the overall organisational structure of MCABC.

Council Chief
Council Members
Council Secretary (CIO)
Legal
Internal Audit

Departments (each headed by a Director):

- Engineering Department: Development; Maintenance; Engineering
- Management Services Department: General Administration; Designation; Enforcement
- City Planning Department: Research & Implementation; Control & Development
- Building Control Department: Building; Research
- Information Technology Department: Planning & Operations; System Development; Manager (ICTSO)
- Park & Recreation Department: Planning & Design; Development & Maintenance
- Valuation & Property Management Department: Valuation; Property Management & Privatization
- Finance Department: Accounts; Budget; Expenditure; Revenue
- City Services Department: City Services & Health; Licensing


The Council Management is divided into two (2) divisions and nine (9) departments to support the municipality’s business activities:

Divisions

1. Legal Division

The Legal division’s function is to ensure that the legal system of the Council is enforced fairly and justly at all times. The division is responsible for ensuring that the public is aware of the laws and abides by them. Furthermore, this division is responsible for reviewing the contracts and agreements of their contractors and suppliers.

2. Internal Audit Division

The Internal Audit division is tasked with performing periodic audits of the services provided to the public. The division needs to ensure that services and products produced through the monitoring of construction development are in accordance with the needs of the customers and are of consistent quality.

Departments

1. Management Services Department

This department has to manage and administer the Council efficiently and effectively in line with Government Policies at the State and Federal levels. In order to accomplish the tasks entrusted to the department, the standard of services and efficiency amongst staff must be evaluated periodically, and the implementation of a management system must be completed. To ensure the smooth operation of the Council, the computer information system must be well coordinated.

2. Finance Department

The Finance department is responsible for establishing a systematic finance and accounting management system. It must also ensure that the financial system and accounts of the Council are in accordance with the Local Government Act 1976 and other generally accepted financial standards. It is also tasked with collecting revenue for the Council by taking the necessary actions.

3. Property Management and Valuation Department

The first objective of this department is to value new properties and to check existing properties in order to achieve a higher year-to-year collection goal. The second objective is to manage the rentals of stalls and buildings built by MCABC. The next objective is to establish tax rates for holding types.

4. City Services Department

The City Services department’s objective is to establish a healthy community and a clean environment, and to increase and improve socio-economic levels by providing additional business opportunities in line with existing laws and regulations.

5. Park & Recreation Department

The main objective of this department is to make the surrounding environment within the jurisdiction of MCABC a beautiful and pleasant place to live. The department is responsible for conducting landscape maintenance works in MCABC, as well as for decorating and preparing the necessary equipment for official functions at the state and district levels.


6. Engineering Department

This department is tasked with continually maintaining and establishing recreation as well as tourism areas through development projects. It must also implement public facility projects in strategic areas. In monitoring existing and future developments, the department is required to observe the relevant existing acts.

7. City Planning Department

The main goal of this department is to identify and plan areas of development within the Municipal Council of ABC from the advisory and development co-ordination aspects. The department must ensure that development and land usage are well planned and controlled in accordance with the existing plans.

8. Building Control Department

The Building Control department’s main responsibility is to control new and existing buildings according to percentage, guidelines and acts to provide comfort and safety to the public. The department handles the approval process for development plans of commercial and residential projects. It also monitors existing buildings which have aged.

9. Information Technology Department

The IT Department is responsible for supporting all the core business systems used by all the divisions and departments in the Municipal Council. The IT Department has to ensure the availability of the systems, as downtime can cause revenue loss and reputation loss for the Municipal Council. The IT department also has to ensure the confidentiality and integrity of data and information to prevent the data from being exposed or compromised.

For the purpose of this case study, the Finance department is crucial to MCABC since it is the “heart” of billing activities, where collections are made and bills are sent out. It is a revenue-generating department. In achieving its functions and objectives, the Billing unit within the Finance department is seen as one of the vital units in collecting revenue for this agency. Therefore, the unit has been selected to undergo the risk assessment exercise. In addition, without the IT infrastructure and infostructure, the Billing unit’s function, which depends on the IMS application, would be hard to execute.


Billing Unit Structure:

Finance Director
- Corporate Finance (Senior Manager)
- Billing Unit (Senior Manager)
  - Manager
  - Accountant
  - Billing Administrator / Executive Officer
  - Clerk
  - Clerk

The Billing unit handles the following processes:

1. Budget and Account

This process involves preparation of the yearly budget and yearly financial statements, management of cash flow, monthly and yearly reports, management of investments, deposits and trust funds, as well as management of accounts.

2. Request for Bill Reprinting

Bill reprinting is done at the customer’s own expense and the charges will be made in the following bill. Before a request is granted, the customer’s identity will be validated against the Integrated Management System (IMS) database.

3. Customer Billing

At each billing cycle, the system will prompt the clerks for bill generation. With the information retrieved from the IMS database, the system will compute the charges and update the payment information. The customers will receive hard copies of their bills at the end of each billing cycle. The printed bills will be sent to an outsourced mail party to be sorted into envelopes and mailed to the customers. The sales summary will be posted to the Finance Department and will be stored in the ERP system.


Below is the network diagram of the Billing unit of MCABC:

Note: This case study is designed to assist an RA team in performing the steps required to complete an RA exercise.

MCABC has received a circular that requires the organisation to undertake an RA exercise. Since the Billing unit runs a vital, revenue-generating business process, the Billing unit is required to undertake the RA exercise first. The ICTSO, Mrs. Chong Mei Ling, is now required to prepare a proposal to the Council Chief of MCABC detailing the estimated budget and/or manpower required, as well as the estimated time needed to complete the assignment. To do so, Mrs. Chong Mei Ling needs to scope down the boundary of the RA activity.

After looking at the core functions of MCABC, it is decided that the Billing Process is one of the functions considered vital for MCABC, since it is a revenue-generating process. There are six (6) personnel within the Billing unit. Looking at the size of the division and the complexity of the process, it is decided that the RA exercise may take roughly 4 months to finish if the internal staff of MCABC do the exercise on a part-time basis. It would most likely be shorter if the exercise were outsourced to a trusted third party. Since this is not yet a budgeted exercise for the year and applying for budget approval may take a long time, it is decided that the staff of MCABC will perform the exercise. It is estimated that four (4) personnel are needed to complete this exercise: the ICTSO herself, the Director of the Finance Department, the Manager of the Billing Unit, and the Network Administrator from the IT Department.

Preparation:

The ICTSO, Mrs. Chong Mei Ling, is now required to set up a preliminary RA team to perform the activity itself. Resources, such as allocation of budget and manpower, are identified. A proposal is drafted to obtain senior management commitment and approval.

The proposal drafted below requires a formal form of approval from the management. This can be in the form of an e-mail, memo, circular or written approval, depending on the agency’s formal approval method.

The ICTSO (with advice from the CIO) could highlight the respective strategic and tactical benefits of performing a detailed RA using MyRAM. Amongst other benefits, they are:

(a) Improves corporate decision-making by way of the Risk Assessment results, both for individual activities and major projects, across the whole organisation.

(b) Ensures that threats to cost, time and performance are managed with the clear aim of meeting the objectives of the organisation and its stakeholders.

(c) Provides senior management with a clear view of the risks and the actions needed to resolve them (i.e. accept, reduce, transfer, or avoid).

(d) Improves management of project finance.


ICT Security Risk Assessment Proposal for MCABC

1.0 Introduction

Risk estimation has never been an exact science. Judgment, in the context of government decision-making, can and should be supported by a formal analytical methodology. In every area of government’s work, effective risk handling depends on the ability to address five (5) broad areas of assets:

1. Hardware

2. Software

3. Services

4. Data/Information

5. People

2.0 Purpose

The purpose of this document is to obtain senior management’s commitment and approval to conduct a detailed RA exercise for the Billing Unit of MCABC.

The objectives of the RA are to:

1. Identify risks. Identify the specific risks that might put MCABC operations at stake.

2. Assess risks. Estimate the severity of the risks occurring and the impact they have on the operations of the business processes.

3. Provide high-level recommendations on options for ICT security improvement programs.

3.0 Background of Risk Assessment

The background of risk assessment originated from the concerns of business owners about the risks connected to their assets.

Increasingly, organisations and their information systems and networks are faced with security threats from a wide range of sources. ICT security, once considered an extravagance, is now a necessity to ensure the survivability of the organisation. Countering the threats may require one to enunciate a set of security requirements that will shelter the organisation, and the identification of these security requirements is only possible through a methodical assessment of security risks. This is crucial so that the expenditure on controls is balanced against the business harm likely to result from security failures.

ICT Security Risk Assessment is a systematic consideration of:

1. The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets.

2. The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.

The results of this assessment will help to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing the controls selected to protect against these risks.


3.1 Goal

Several goals are set for the risk assessment activity to be undertaken. The goals set will manage the expectations of MCABC’s management and technical personnel:

1. To produce risk levels associated with each asset in the selected business process.

2. To provide high-level recommendations to be used by respective personnel in protecting the identified assets.

3. To use the assessment report for the BS 7799 compliance program should MCABC decide to go forward with the certification.

4. To produce a risk mitigation plan.

5. To strategize MCABC’s asset protection plan.

3.2 Benefits

The main benefits of the proposed risk assessment are:

1. Corporate decision-making is improved through the high visibility of risk exposure, both of individual activities and major projects, across the whole of the organisation.

2. Ensures that threats to cost, time and performance are managed with the clear aim of meeting the objectives of the organisation and its stakeholders.

3. Provides management with clear visibility of the risks and the actions needed to resolve them (i.e. reduce, transfer, accept, or avoid).

4. Improves management of project finances in implementing safeguards.

3.3 Implications

Possible consequences of not performing risk assessment activities are as follows:

1. Assets are not safeguarded from potential risks.

2. Business processes are insecure; since risk assessment is part of business continuity planning, business interest priorities which are not considered may be in jeopardy.

3. Without updated information on the current risk level of assets, there is possible harm to reputation and to the replacement value of assets.

4.0 Recommended Scope

The sections below provide a high-level overview of the recommended scope, the resources needed, the allocation of budget required to undertake the activity, as well as the estimated timeline.

4.1 Scope

The scope of the risk assessment (RA) exercise covers performing risk assessment activities in selected departments or business processes, with high-level recommendations.

The RA activities are performed at different levels of depth. These activities are approached from a top-down perspective, addressing the totality of MCABC infrastructure or business operations, and through specifically focused assignments addressing previously identified areas of concern or risk.


4.2 Resources

The officers involved may include, but are not limited to:

1. Director of Finance.

2. Manager of Billing.

3. ICTSO.

4. Network Administrator.

4.3 Budget

Since the exercise will be performed by existing staff members, the only cost incurred relates to training, which amounts to approximately RM36,000 for four (4) people for three (3) days.

4.4 Timeline

The proposed timeline is approximately four (4) months from the first briefing meeting until the sign-off of the exercise. The expected project closing date is 14th May 2005.

A comprehensive timeline with detailed tasks to be performed will be provided in Step 1: Establishment of Team.

5.0 Authorisation

Prepared By:

...........................................................................

Name: Mrs. Chong Mei Ling
Designation: Manager of IT Dept. (ICTSO)
Date:

Approved By:

...........................................................................

Name: Mr. Hassan Muhammad
Designation: Yang DiPertua
Date:

Once the proposal has been approved, an appointment letter, in the form of an email, memo, or minutes of meeting, must be sent to those who may be involved in the RA activity and to their immediate superiors.


Subject: <Acknowledgement of RA Exercise to be Conducted>

Municipal Council of ABC recognizes that there is a need to carry out a security risk assessment program internally in view of the commensurate increase in the recent security threats facing the organisation. Countering the threats may require one to enunciate a set of security requirements that will shelter the organisation, and the identification of these security requirements is only possible through a methodical assessment of security risks.

With that, I direct the establishment of an assessment team. The team is responsible for proposing the review boundary, evaluating the business harm likely to result from a security failure for each major business function, and estimating the realistic likelihood of such a failure.

The team is also to guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls to protect against these risks.

With that, the team is requested to submit a detailed implementation plan, scope of coverage, roles and responsibilities of each team member, and other relevant information.

Thanks.

(Mr. Hassan Muhammad)
Yang DiPertua MCABC


Step 1: Establishment of Team

Now that the exercise is approved, the team needs to sit down and decide whether or not they have an appropriate number of people to perform the exercise. Based on the estimated scope decided, it seems that the RA team has the appropriate number of members. The details of the members are in the table below.

For the roles and responsibilities of each team member, please refer to Chapter 8, Table 8.2 of the MyRAM Document.

The Member List of the RA Team (RA Team Organisation Chart):

- Director of Finance Department - Project Advisor: Mr. Ahmad Mahadi
- Manager of Billing Unit - Project Manager: Mr. Rajesh Kumar
- ICTSO - Team Leader: Mrs. Chong Mei Ling
- Network Administrator - Team Member: Mr. Daniel Ariff

Team Members List (MyRAM/Form/S1-1.0)

No. | Name | Job Function | Sect/Unit/Dept/Div/Vendor | Function in RA Team
1. | Mr. Azizan Abdullah | Director of Finance | Finance Department | Project Advisor
2. | Mr. Rajesh Kumar | Manager | Billing Unit | Project Manager
3. | Mrs. Chong Mei Ling | Manager (elected ICTSO) | IT Department | Team Leader
4. | Mr. Daniel Ariff | System Analyst (appointed also as Network Administrator) | IT Department | Team Member

Prepared by: (Mr. Rajesh Kumar), Project Manager
Reviewed by: (Mr. Azizan Abdullah), Project Advisor
Approved by: (Mr. Muhammad Farhan), Chief Information Officer

Note: The sign-offs should be with the official stamp.

The team members are assigned the following tasks (based on the specified RA steps in MyRAM).


Tasking Schedule List (MyRAM/Form/S1-2.0)

Columns: No. | Date | Activity | Task Details | Venue | SRA Team

1.0 Preparation (09 days: 21 Dec 2004-31 Dec 2004)
Output: 1. Proposal; 2. Letter on Acknowledgement of RA Exercise to be Conducted
1.1 | 21 Dec 2004 | Preliminary RA Team | Identify preliminary team members | MCABC | Mrs. Chong Mei Ling
1.2 | 22 Dec 2004-24 Dec 2004 | Identify Required Resources | Gather related documents or material on the business process or core function; identify the recommended scope to propose to the senior management | MCABC | Mrs. Chong Mei Ling & Mr. Rajesh Kumar
1.3 | 27 Dec 2004-20 Dec 2004 | Prepare Proposal | Gather information related to allocation of budget, resources and timeline; write a proposal to senior management to obtain commitment | MCABC | Mrs. Chong Mei Ling & Mr. Rajesh Kumar
1.4 | 31 Dec 2004 | Acknowledgement | Present the proposal to the senior management | MCABC | Mrs. Chong Mei Ling & Mr. Rajesh Kumar

2.0 Step 1: Establishment of Team (01 day: 02 Jan 2005)
Output: 1. Team Member List; 2. Tasking Schedule List
2.1 | 02 Jan 2005 | Team Members | Identify team members | MCABC | Mrs. Chong Mei Ling
2.2 | 02 Jan 2005 | Schedule Tasks | Construct tasking scheduling plan | MCABC | Mrs. Chong Mei Ling & Mr. Rajesh Kumar

3.0 Step 2: Establishment of Review Boundary (15 days: 03 Jan 2005-21 Jan 2005)
Output: 1. Review Boundary Statement; 2. List of Materials Used; 3. List of Questionnaires with Findings
3.1 | 03 Jan 2005-07 Jan 2005 | Scoping | Refine identified scope or review boundary; gather more detailed information on business processes; write Review Boundary Document | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff
3.2 | 10 Jan 2005 | Endorsement | Endorsement of Review Boundary Document | MCABC | Mr. Azizan, Mr. Rajesh Kumar, Mrs. Chong Mei Ling
3.3 | 11 Jan 2005-19 Jan 2005 | Detail Information | Distribute questionnaires; interview key personnel | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Kumar
3.4 | 20 Jan 2005-21 Jan 2005 | Revisit Step 1 | Amend team member list if necessary based on agreed scope | MCABC | Mrs. Chong Mei Ling & Mr. Rajesh Kumar

4.0 Step 3: Identification of Assets (17 days: 24 Jan 2005-15 Feb 2005)
Output: 1. List of Assets
4.1 | 24 Jan 2005-02 Feb 2005 | Identifying Assets | Gather information on assets related to the agreed scope; list assets in an inventory form | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff
4.2 | 3 Feb 2005-07 Feb 2005 | Classifying Assets | Group assets based on their classification | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff
4.3 | 08 Feb 2005-15 Feb 2005 | Identifying Owners & Custodians | Identify owners & custodians of assets related to the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

5.0 Step 4: Valuation of Assets and Establishment of Dependencies Between Assets (13 days: 16 Feb 2004-04 Mar 2004)
Output: 1. Summary of Assets’ Values & Dependencies
5.1 | 16 Feb 2005-18 Feb 2005 | Identifying Dependencies | Gather information on dependencies of assets | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff
5.2 | 21 Feb 2005-04 Mar 2005 | Valuing Assets | Using the matrices and rating tables in MyRAM, value the assets | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

6.0 Step 5: Assessment of Threats (13 days: 07 Mar 2005-23 Mar 2005)
Output: 1. Generic Threat Profile; 2. Relevant Threats to Assets
6.1 | 07 Mar 2005-09 Mar 2005 | Creating MCABC Profile | Discuss which threats are relevant to MCABC as a whole; create the threat profiles | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff
6.2 | 10 Mar 2005-23 Mar 2005 | Assessing Threats | Discuss which threats are relevant to the agreed scope and assets; create a threat list for the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

7.0 Step 6: Assessment of Vulnerabilities (10 days: 24 Mar 2005-06 Apr 2005)
Output: 1. List of Potential Vulnerabilities
7.1 | 24 Mar 2005-06 Apr 2005 | Assessing Vulnerabilities | Discuss which vulnerabilities are relevant to the agreed scope and assets; create a vulnerability list for the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

8.0 Step 7: Identification of Existing and Planned Safeguards (03 days: 07 Apr 2005-11 Apr 2005)
Output: 1. Existing & Planned Safeguards or Controls
8.1 | 07 Apr 2005-11 Apr 2005 | Identifying Safeguards | Discuss which safeguards have been implemented; discuss which safeguards will be implemented; create a safeguard list for the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

9.0 Step 8: Analysis of Impact (04 days: 12 Apr 2005-15 Apr 2005)
Output: 1. Impact Level List
9.1 | 12 Apr 2005-15 Apr 2005 | Determining Impact | Discuss impacts to the business; discuss impact levels; create an impact level list for the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

10.0 Step 9: Analysis of Likelihood (03 days: 18 Apr 2005-20 Apr 2005)
Output: 1. Likelihood List
10.1 | 18 Apr 2005-20 Apr 2005 | Determining Likelihood | Discuss the likelihood of threats exploiting vulnerabilities with the current safeguards in place; discuss likelihood levels; create a likelihood level list for the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

11.0 Step 10: Calculation of Risk (21 Apr 2004-22 Apr 2005)
Output: 1. Risk Matrix List
11.1 | 21 Apr 2005-22 Apr 2005 | Calculating Risk | Discuss risks associated with the agreed scope; discuss risk levels; create a risk level list for the agreed scope | MCABC | Mrs. Chong Mei Ling, Mr. Daniel Ariff

12.0 High-Level Recommendations (15 days: 25 Apr 2005-14 May 2005)
Output: 1. Decision on Options; 2. Protection Strategy; 3. Summary Report on RA Activity
12.1 | 25 Apr 2005-03 May 2005 | Analyzing Results | Discuss the results of the risks obtained | MCABC | Mr. Azizan Abdullah, Mr. Rajesh Kumar, Mrs. Chong Mei Ling, Mr. Daniel Ariff
12.2 | 04 May 2005-11 May 2005 | Deciding on Options | Discuss options for the risks identified; create a write-up on the options with justifications | MCABC | Mr. Azizan Abdullah, Mr. Rajesh Kumar, Mrs. Chong Mei Ling, Mr. Daniel Ariff
12.3 | 12 May 2005-14 May 2005 | Writing a Report | Write a final report on the whole activity; present findings to the management | MCABC | Mr. Azizan Abdullah, Mr. Rajesh Kumar, Mrs. Chong Mei Ling, Mr. Daniel Ariff

Prepared by: (Mrs. Chong Mei Ling), Team Leader
Reviewed by: (Mr. Rajesh Kumar), Project Manager
Approved by: (Mr. Azizan Abdullah), Project Advisor

Notes: The sign-offs should be with the official stamp.


Step 2: Establishment of Review Boundary

The RA team discovered that the standard operating procedures (SOP) for the department are not up to date. This means that the team needs to interview the Senior Manager of the Billing unit to gather all the information needed in order to understand the processes involved thoroughly. Examples of the documents needed are: Standard Operating Procedures, Manual Prosedur Kerja (MPK), process flows, security policies, departmental structure, network design/topology and asset-related information. The information obtained from the documents above will be used during information gathering to obtain the scope or review boundary of the risk assessment exercise.

It has been decided that this initial RA will only cover the “Customer Billing” process out of the entire billing activities. This is justified by the fact that it is the main source of revenue.

After looking at the details of the scope, it was decided that the RA team would remain as is; the Review Boundary Document was produced and approval was obtained.

The following is an example of a Review Boundary Document.


Table of Contents (page)
Acronyms
List of Figures
List of Tables

1.0 Purpose

The purpose of this document is to obtain senior management’s approval to conduct a risk assessment (RA) exercise within the scope proposed in this Review-Boundary Statement.

2.0 Background of Review Boundary

A scope was established in the MyRAM proposal. The recommended scope covers risk assessment processes and activities for MCABC. This Review-Boundary Statement falls under the second stage of the risk assessment, which covers Risk Analysis and Computation. This document is one of the three outputs from Step 2: Establishment of Review Boundary. The other two outputs are the List of Related Materials Used and the List of Questionnaires with Findings.

The Review-Boundary Statement will assist the risk assessment team in assessing risks within the established boundary, reducing ambiguity on items such as the extensiveness of the list of assets involved and their dependencies.

This statement is also a refinement of the scope stated in the MyRAM proposal. The contents of this Review-Boundary Statement provide information on key business processes and functions, supporting business processes, external interfaces, personnel, ICT assets, and information on sites/buildings within the boundary.

3.0 Review Boundary Statement

The scope after refinement of the review boundary is stated as:

“The provision of a secure and resilient IT infrastructure in supporting the operations of MCABC business functions in providing customer billing services.”

4.0 Key Business Processes and Functions

The critical business process or function confined by the scope is:

Customer Billing

At each billing cycle, the system will prompt the operator for bill generation. With the information retrieved from the IMS database, the system will compute the charges and update the payment information. The customers will receive hard copies of their bills at the end of each billing cycle. The printed bills will be sent to an outsourced mail party to be sorted into envelopes and mailed to the customers. The sales summary will be posted to the Finance department and will be stored in the ERP system.


5.0 Supporting Business Processes

Document the related supporting processes or functions for the identified scope:

Supporting Business Processes | Security Responsibilities

Legal Division
The Legal Division is responsible for ensuring that the legal system of the Council is enforced fairly and justly at all times, providing understanding and explanation of the laws of the Council to its staff so that actions taken are in line with the legal provisions, as well as ensuring that the public is aware of the laws and abides by them.

Management Services Department
This department has to manage and administer the Council efficiently and effectively in line with Government Policies at the State and Federal levels. In order to accomplish the tasks entrusted to the department, the standards of services and efficiency amongst staff must be evaluated periodically, and the implementation of a management system must be completed. To ensure the smooth operation of the Council, the computer information system must be coordinated.

Property Management and Valuation Department
The first objective of this department is to value new properties and to check existing properties in order to achieve a higher year-to-year collection goal. The second objective is to manage the rentals of stalls and buildings built by MCABC. The next objective is to establish tax rates for holding types.

IT Department
The internal network serves as the platform or enabler for the effective operation of the in-scope business functions. The security responsibility of the IT unit on which the in-scope business function depends is the provision of a secure and resilient IT infrastructure. As such, the department is responsible for supporting the deployment, operations, and maintenance of the IT infrastructure. They are also responsible for protecting MCABC from malicious software, and for implementing security controls at the network and transport level.

Engineering Department
Responsible for maintaining and establishing recreation and tourism areas through development projects. The department is also tasked with implementing public facility projects in strategic areas as well as monitoring existing and future development according to existing acts.


6.0 External Interfaces

External interfaces are third parties that are involved in and work with the organisation.

External Interfaces | Descriptions

System integrator: Provides consultation, deployment and integration of the application system of MCABC, e.g. IMS for Billing.

Network integrator: Offers integrated solutions for network integration. Provides fundamental and tactical planning, implementation and operation, apart from the supply of telecommunication equipment.

Technology partners: Provide consultation, deployment, and maintenance of the telecommunication network. This may include onsite configuration, field engineering, and maintenance of the network.

7.0 Personnel

The organizational structure involves six (6) personnel from the Billing Unit. The following depicts the reporting structure.

Figure 1: Billing Unit Reporting Structures (organisation chart; boxes shown: FINANCE Director; Billing Unit (Senior Manager); Corporate Finance (Senior Manager); Accountant; Manager; Billing Administrator/Executive Officer; Clerk; Clerk)


8.0 Information Assets

This section describes the data/information that is processed, stored, transmitted, and created during the execution of the in-scope business functions. Note that this is only an overview of the information assets. Refer to Table 1.

Table 1: Information Assets and Descriptions

No. | Information Assets

1. The detailed information in the billing cycle: the data/information retrieved from the IMS database, from which the system computes the charges and updates the payment information.

2. The detailed information on the customers that deal with MCABC.

9.0 Sites/Buildings

The primary and only site for carrying out the in-scope business function that has been defined is MCABC Centre.

10.0 Conclusion

The detailed risk assessment scope is the customer billing cycle. Supporting business processes and external interfaces involved in this scope are identified and assessed as well. Information/data used in this cycle are documented. This Review-Boundary Statement is approved by the highest authority in this department, signifying the commitment and approval of senior management throughout the detailed RA exercise.

Prepared by: (Mr. Rajesh Kumar), Project Manager

Reviewed by: (Mr. Azizan Abdullah), Project Advisor

Approved by: (Mr. Hassan Muhammad), Yang DiPertua

Note: The sign-offs should be with the official stamp.


MyRAM/Form/S2-2.0

List of Related Materials Used:

Name | Description

Billing Standard Operating Procedure (SOP): Standard operating procedures and the processes for the billing system used.

Billing Manual: Manual for the application used.

Contract between MCABC with SAS Sdn. Bhd.: Contracts with vendors for hardware components of the system.

Fail Meja Director of Finance: Contains core business processes of the agency and their descriptions.

Manual Prosedur Kerja Finance Department: Contains business processes of the agency, their business process flows and related task descriptions.

Prepared by: (Mr. Chong Mei Ling), Team Leader

Approved by: (Mr. Rajesh Kumar), Project Manager

Note: The sign-offs should be with the official stamp.


The RA team answered the questionnaires. However, some of the questions had to be forwarded to the Billing Administrator, the Senior Manager of Billing, the Manager of the Billing Unit, the Director of the IT Department, the ICTSO, the Director of the Finance Department and the Director of the Management Services Department. Below is the list of the findings:

MyRAM/Form/S2-3.0

List of Questionnaires with Findings:

No. | Security Policy Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Is there a written policy document available to ALL company employees responsible for information security?
   Answer: No, there is not. There are only policies for certain units in this agency.
   Remarks: Planning to develop a corporate-wide policy.
   By: Mr. Hakim Tarmizi, Director of Information Technology Department

2. Is there a defined review process, including responsibilities and review dates, for maintaining the policy document?
   Answer: No, there is no review process available.
   By: Mr. Hakim Tarmizi, Director of Information Technology Department

3. Does the policy have a clear owner?
   Answer: No, the policies do not clearly state the owners.
   By: Mr. Hakim Tarmizi, Director of Information Technology Department


No. | Organizational Security Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Does a high level information security steering forum exist within the Company, to give management direction and support?
   Answer: Yes, even though it has not been formalized.
   Remarks: Existed since end 2002.
   By: Mrs. Chong Mei Ling, ICTSO

2. Which of the following does the information security steering forum address?
   a) Review of company policy
   b) Monitoring threats to assets
   c) Review of security incidents
   d) Approval of security initiatives
   Answer: Only (d).
   Remarks: All security initiatives need to get an endorsement from this forum before they are started.
   By: Mrs. Chong Mei Ling, ICTSO

3. Are specialist information security advisers (internal or external) consulted to ensure consistent and appropriate security decision-making and ensure the proper development of in-house skills?
   Answer: Yes.
   Remarks: This is done on a project basis.
   By: Mrs. Chong Mei Ling, ICTSO

4. Do you understand the differences between a threat vs. a vulnerability?
   Answer: Not really.
   Remarks: He is still new in the ICT risk assessment area.
   By: Mrs. Chong Mei Ling, ICTSO

5. What is the most common type of threat in your organization?
   Answer: Virus attacks.
   By: Mrs. Chong Mei Ling, ICTSO

6. Are there standard procedures for handling these threats?
   Answer: I am unsure.
   Remarks: Had never established any procedures related to this issue.
   By: Mrs. Chong Mei Ling, ICTSO


No. | Asset Classification and Control Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Is there any inventory maintained of hardware, software and data assets?
   Answer: No.
   By: Mr. Azizan Abdullah, Director of Finance Department

2. Do assets have a nominated owner?
   Answer: Yes.
   Remarks: Thinking that the IT Dept should be the owner.
   By: Mr. Azizan Abdullah, Director of Finance Department

3. How do you safeguard your vital information?
   Answer: No defined method is available. It is up to the person-in-charge.
   By: Mrs. Chong Mei Ling, ICTSO

No. | Personnel Security Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Do all job descriptions within the organization define the relevant security responsibilities?
   Answer: Only for the management level.
   By: Mr. Aqmal Hanafi, Director of Management Services Department

2. Is a check for completeness of the applicant’s curriculum vitae carried out?
   Answer: It is checked by the department that wants to hire, and usually through JPA.
   By: Mr. Aqmal Hanafi, Director of Management Services Department


No. | Physical and Environmental Security Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Which of the following have NOT been considered with respect to working in a secure area?
   a) Known on Need To Know Basis
   b) Supervised Working
   c) Vacant Secure Areas Locked
   d) Third Party Staff Restricted
   e) No Recording Equipment Allowed
   Answer: Basically all mentioned have been considered.
   Remarks: However, no formal policies or procedures have been written down.
   By: Mr. Adam Razman, Senior Manager of Billing Unit

2. Can the organization’s property be removed without formal authorization?
   Answer: No.
   Remarks: There is a procedure for handling property removal.
   By: Miss Diana Albert, Billing Administrator

3. Are sensitive data and licensed software totally erased from equipment prior to disposal?
   Answer: No.
   Remarks: Never thought it is important to do.
   By: Miss Diana Albert, Billing Administrator


No. | Communication and Operation Management Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Which of the following has been taken care of for the operations of the Company?
   a) documented operating procedures
   b) operational change control
   c) incident management procedures
   d) segregation of duties; separation of development and operational facilities
   e) external facilities management
   Answer: Items (b) and (c) have not been looked at.
   Remarks: There are operating procedures but not all have been documented.
   By: Miss Diana Albert, Billing Administrator

2. Are there any controls against malicious software (e.g. policy, anti-virus, regular reviews of the software, procedures and responsibilities to deal with the virus protection on systems etc.)?
   Answer: Anti-virus programs are installed.
   By: Miss Diana Albert, Billing Administrator

3. Which of the following housekeeping measures are carried out to maintain the integrity and availability of services?
   a) Regular data back-up copies
   b) Operator logs of all work
   c) Logging and reporting of faults
   Answer: There are back-ups and operator logs.
   By: Miss Diana Albert, Billing Administrator

4. Are exchanges of data and software with other organisations formally controlled?
   a) Data exchange agreements
   b) Security of media in transit
   c) Security of EDI
   d) Security of Email
   e) Security of Electronic office
   f) Publicly available systems
   g) Voice/fax/video communications
   Answer: No. Data are exchanged freely. However, certain people can only access critical data.
   By: Miss Diana Albert, Billing Administrator, and Mr. Rajesh Kumar, Manager of Billing Unit


No. | Access Control Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Are system access and use monitored?
   Answer: There is system access control to enter the billing system, but there is no regular monitoring.
   By: Miss Diana Albert, Billing Administrator

No. | Systems Development and Maintenance Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Do statements of business requirements for new systems, or enhancements to existing systems, specify the requirements for controls?
   Answer: Seldom.
   Remarks: Usually being done in a reactive way.
   By: Mr. Rajesh Kumar, Manager of Billing Unit

2. When procuring programs/software, are appropriate steps taken to minimize the risk of inclusion of covert channels and Trojan code?
   Answer: It is up to the vendors.
   By: Mr. Rajesh Kumar, Manager of Billing Unit

No. | Business Continuity Management Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Is there a managed process in place for developing and maintaining business continuity across the company?
   Answer: A manual billing process is in place.
   By: Mr. Aqmal Hanafi, Director of Management Services Department


No. | Compliance Questions | Answers | Remarks | By Who (Function or Name, if applicable)

1. Which of the following are absent from the procedures/instructions, or are being followed by staff?
   b) Copyright policy
   c) Acquisition procedures
   d) Copyright awareness information
   e) Maintenance of licenses
   f) Checks on software held/used
   g) Policy on software disposal
   h) Compliance with licenses
   Answer: Maintenance of software is up-to-date.
   By: Mr. Azizan Abdullah, Director of Finance Department


Step 3: Identification of Assets:

Assets owned by the agreed scope or review boundary must now be identified. The team needs to gather all the assets involved in the billing process from the Billing Unit. The Senior Manager as well as the Billing Administrator will be interviewed. The questions asked are related to:

1. The hardware and equipment used by the unit.

2. The owners and custodians of the hardware and equipment.

3. The software and applications used by the unit.

4. The owners and custodians of the software and applications.

5. The information or data stored/used by the unit.

6. The owners and custodians of the data/information.

7. The people involved with the billing process with their associated job title and functions.

All the assets identified then are grouped into the following categories:

1. Hardware.

2. Software.

3. Services.

4. Data/Information.

5. People.


Below is the gathered information:

MyRAM/Form/S3-1.0

List of Assets:

No. | Asset Group | Asset ID | Asset Name | Owner | Custodian | Location | Description of Asset

1. | Hardware | H.BD0001 | SUN Fire E420R | Director of Finance | Senior Manager | Billing | Application server that hosts the IMS application.

2. | Hardware | H.BD0002 | SUN Fire V880 | Director of Finance | Senior Manager | Billing | Database server that hosts the customer database.

3. | Hardware | H.BD0003 | Firewall | Director of Finance | Senior Manager | Billing | Firewall used to protect the billing network segment.

4. | Hardware | H.BD0004 | Workstations – 3 units | Director of Finance | Senior Manager | Billing | Workstations used in the billing department.

5. | Software | S.BD0001 | IMS server application | Director of Finance | Senior Manager | Billing | The billing application itself on the application server.

6. | Software | S.BD0002 | IMS client application | Director of Finance | Senior Manager | Billing | The billing application itself on the workstations.

7. | Software | S.BD0003 | Oracle 8 database | Director of Finance | Senior Manager | Billing | The database application itself.

8. | Software | S.BD0004 | Solaris 8 operating system | Director of Finance | Senior Manager | Billing | The operating system used on the application and database servers.

9. | Services | SE.BD0001 | MCABC LAN (Accessibility Services) | Director of Finance | Senior Manager | Billing/IT | Transfer of billing data.


10. | Services | SE.BD0002 | Air-conditions – 3 units (Supporting Services) | Director of Finance | Senior Manager | Billing/IT | Ensure servers will be running continuously at the right temperature.

11. | Data/Information | D.BD0001 | Billing cycle details | Director of Finance | Senior Manager | Billing | The details on billing events.

12. | Data/Information | D.BD0002 | Customer information | Director of Finance | Senior Manager | Billing | Information on the customer that resides in the database server.

13. | People | P.BD0001 | Senior Manager | Council Chief | Director | Billing | Oversees operations of the billing department.

14. | People | P.BD0002 | Manager | Council Chief | Senior Manager | Billing | Assists the Senior Manager in the day-to-day job.

15. | People | P.BD0003 | Billing Admin | Council Chief | Manager | Billing | An administrator for the billing department.

16. | People | P.BD0004 | Accountant | Council Chief | Manager | Billing | Responsible for making sure that the accounts are balanced and up to date.

17. | People | P.BD0005 | Clerks – 2 personnel | Council Chief | Manager | Billing | Taking care of the administration work for the department, like ordering stationery and others.

Prepared by: _____________________ (Mrs. Chong Mei Ling), Team Leader

Reviewed by: _____________________ (Mr. Rajesh Kumar), Project Manager

Approved by: _______________________ (Mr. Azizan Abdullah), Project Advisor

Note: The sign-offs should be with the official stamp.
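The asset register above follows a fixed ID convention (group prefix H, S, SE, D or P, a dot, then BD and a four-digit serial) and requires an owner and a custodian for every asset. The following is an added example, not part of the MyRAM handbook or any MAMPU tooling, that checks a Form S3-1.0 style register for those properties before the list is signed off; the register rows are a constructed subset of the case study with two deliberately faulty rows appended.

```python
"""Consistency checks for a MyRAM Form S3-1.0 style asset register.

Added example (not MyRAM's own tooling). The ID convention and the
required fields are taken from the case study register; the sample
rows below are a constructed subset plus two deliberately bad rows.
"""
import re
from collections import Counter

# Group prefix as used in the case study register (assumed convention).
PREFIXES = {"Hardware": "H", "Software": "S", "Services": "SE",
            "Data/Information": "D", "People": "P"}
ID_RE = re.compile(r"^(?P<prefix>[A-Z]+)\.BD(?P<serial>\d{4})$")

# Constructed sample register (subset of the case study rows).
REGISTER = [
    {"group": "Hardware", "id": "H.BD0001", "name": "SUN Fire E420R",
     "owner": "Director of Finance", "custodian": "Senior Manager"},
    {"group": "Software", "id": "S.BD0001", "name": "IMS server application",
     "owner": "Director of Finance", "custodian": "Senior Manager"},
    {"group": "Services", "id": "SE.BD0001", "name": "MCABC LAN",
     "owner": "Director of Finance", "custodian": "Senior Manager"},
    {"group": "People", "id": "P.BD0001", "name": "Senior Manager",
     "owner": "Council Chief", "custodian": "Director"},
    # Bad row: prefix H does not match group Software, and no custodian.
    {"group": "Software", "id": "H.BD0002", "name": "Oracle 8 database",
     "owner": "Director of Finance", "custodian": ""},
    # Bad row: reuses an asset ID already in the register.
    {"group": "Hardware", "id": "H.BD0001", "name": "Firewall",
     "owner": "Director of Finance", "custodian": "Senior Manager"},
]


def check_register(rows):
    """Return (asset_id, problem) findings; an empty list means clean."""
    findings = []
    seen = Counter(r["id"] for r in rows)
    for r in rows:
        m = ID_RE.match(r["id"])
        if not m:
            findings.append((r["id"], "malformed asset ID"))
            continue
        expected = PREFIXES.get(r["group"])
        if expected is None:
            findings.append((r["id"], "unknown asset group %r" % r["group"]))
        elif m.group("prefix") != expected:
            findings.append((r["id"], "prefix %s does not match group %s"
                             % (m.group("prefix"), r["group"])))
        for field in ("owner", "custodian"):   # accountability fields
            if not r.get(field):
                findings.append((r["id"], "missing " + field))
        if seen[r["id"]] > 1:
            findings.append((r["id"], "duplicate asset ID"))
    return findings


def count_by_group(rows):
    """Asset count per group, the summary a reviewer checks against Step 3."""
    return dict(Counter(r["group"] for r in rows))


if __name__ == "__main__":
    for asset_id, problem in check_register(REGISTER):
        print("%s: %s" % (asset_id, problem))
```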