Utilizing your comprehensive security plan outline as a guide, write the enterprise technical infrastructure security plan for the organization.
Information Security Plan, Illustration using Amazon
1. Introduction
Information security plans could place enterprises in a state enabling them to avoid, transfer, acknowledge or evade risks centered on processes, people or technologies. Kouns and Minoli (2011) add that a properly grounded strategy also helps an institution to safeguard its integrity, integrity as well as confidentiality of information. This paper presents a security plan for Amazon Company.
2. Threat Profile
2.1 Asset Classification
2.1.1 Cloud server
Asset ID C.A 01 Cloud server
Attribute Description
Description Hosts tenant files and software utilities
Ownership Vice president operations
Location Internet
Security Classification
C Confidentiality Confidentiality impact assessment-very high
I Integrity Integrity impact assessment-high
A Availability Availability impact assessment-high
Value Corporate data store. Privacy agreements with tenants
WE WRITE PAPERS FOR STUDENTS
Tell us about your assignment and we will find the best writer for your project.
Get Help Now!2.1.2 Inventory Management System (IMS)
Asset ID C.A 03 IMS
Attribute Description
Description A software utility that keeps track of all I.T utilities in DM
Ownership I.T manager
Location I.T office
Security Classification
C Confidentiality Confidentiality impact assessment-high
I Integrity Integrity impact assessment-high
A Availability Availability impact assessment-high
Value Monetary value associated with the I.T assets
2.2 Threat Actors
2.2.1 TA. 01 Database hacker
Threat Actor Id TA. 01 Database hacker
Descriptions Fellows employed by some other enterprises (or driven by their individual interests) to explore the user-data validation pitfalls that surround back end databases.
Relationship: External Region of operation: unlimited
Motive: espionage
Capability: endowed with SQL programming skills and general functioning of web applications. Generally persistent.
Objectives: internal enterprise financial data, authentication details and hacking thrill
2.3 Threat Scenarios
2.3.1 T.S 01 View and share client private data
Threat campaign Steal cloud data
Threat scenario T.S 01 View and share client private data
Asset ID C.A 01 Cloud server
Phase Description
Reconnaissance The actor shares tenant’s data
Weaponaization The actor is authorized to view client data but intentionally violates the privacy agreements
Delivery Reveal the content cloud-featured data centers
Exploitation Enterprise data disclosed to competitor firms
Installation The actor copies and steals data resident on virtual machines
Command and control Not applicable
Actions and objectives Asset C.A 01 IMS compromised
Covering tracks Not applicable
2.3.2 T.S 02 Launch SQL injections
Threat campaign Compromise terminal databases
Threat scenario T.S 02 Launch SQL injections
Asset ID C.A 03 IMS
Phase Description
Reconnaissance The actor tries to access the terminal database of the inventory management system
Weaponaization The actor sends SQL injections to the terminal database
Delivery The actor uses the user input form fields associated with the target database
Exploitation The back-end database of the IMS is the tool to be compromised
Installation The terminal database receives and attempts to process the user query then becomes compromised
Command and control Not applicable
Actions and objectives Asset C.A 03 IMS compromised
Covering tracks Not applicable
3. Measures
3.1 Sharing of Client-Owned Private Data
Formulate privacy agreements and let clients consent to them
Train staff handling client data on the importance of privacy, highlighting the consequences of violating the same
3.2 Preventing SQL injections on the Inventory Management System
Hire more experienced developers able to leverage database programming skills like prepared statements and user input trimming to curb SQL injection
Train the end-users of the Inventory Management System on the best practices for feeding user inputs.
References
Kouns, J., & Minoli, D. (2011). Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams. Somerset: Wiley.
