

Question

Case Study

Publicly traded company with 3,000 employees. IT department with 55 staff.
- There is NO dedicated security staff, but 2 operations staff provide this "capability" in IT.
- IT is centralized, a mix of cloud and on-premise systems, and utilizes Microsoft products.
- There are more project requests than resources (either fiscal or human) to fulfill the requests.
- Since 2009 there has been a "hold" on new purchases or significant upgrades.
- There seems to be little desire to upgrade large systems even though they are over 10 years old.
- Firewall infrastructure is aging (over 9 years old).

Your company has had a few “defacement” issues with an extranet website that your vendors use to do business with you. The website is based on old asp code and the vendor has not updated the site or the code in over 8 years. There are known cross-site scripting and SQL injection vulnerabilities in the site but to date only easily corrected defacement of the site has occurred. You have a planned upgrade for this software, including the website interface but that will not be implemented for 18 months. The Vendor is of little assistance and the contract in place is over 10 years old and provides no protections or language that you can use to force the Vendor to fix the vulnerability. You are fairly certain that a breach will occur, that it is only a matter of when. The website is critical to your business function and the business unit is not willing to shut down the website as the resulting manual labor would be extensive.

1. What do you as the CIO put in place to protect the organization within the parameters provided? How and to whom do you communicate the issue(s)?

2. You understand that the site has known vulnerabilities, as the defacement indicates, and you understand that it would be a brand and marketing nightmare if the site is compromised. You also understand there is no allocated funding to replace or even fix the site. How do you assess the situation?

3. Do you have any options with the Vendor? If yes, then what are they and how do you proceed with moving forward? Is this a systemic issue? Are there other technology issues that you need to address? If so, what are they and how would you address them?

4. If a breach occurs, how will you handle the “during and after” phases in terms of action items, time frames and communications?

Explanation / Answer

1. As it takes 18 months to upgrade the existing software, it is the duty of the Chief Information Officer (CIO) to communicate with both the vendors and end users of the website and to make a plan of action. He has to communicate with the web developers on the vendor side and alert them about the cross-site scripting and SQL injection vulnerabilities. A strong firewall can reduce the risk up to a certain level. An alert mechanism can be implemented.

2. In this scenario, a timely upgrade is necessary and both the functional and technical teams have to be made alert. They have to immediately start on an upgrade with periodic upgrades. A shadow server can be placed to minimise the vulnerability. If there is not enough funding, utilise the available resources and make an efficient plan. Giving priority to security is of utmost importance to any organisation, and do all the things that make sure website security is not compromised.

3. Ask vendors to deploy the latest Internet Explorer version in order to secure the code from the client side. This enables the httponly service and the vulnerability can be reduced. The upgrade has to be kicked off and the primary instance has to be upgraded. Ask the vendors to deploy the latest security packs. Yes, it is a systemic failure, and before the business gets updated the required measures have to be taken.

4. If a breach occurs, secure the data by taking both off-line and on-line backups and deploy them on other servers. The database team along with other technical teams have to be alerted to minimise the breach. Remove the malicious code by running security checks. Validation has to be done. It verifies that the data your application has received falls within constraints that you define to ensure it does not contain anything unreasonable, unnecessary or malicious. Involve the vendor team and coordinate them with clients.
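As an added example, not part of the original question or answer, here is one way to build the "alert mechanism" the answer proposes as an interim control while the vendor's ASP site cannot be fixed: a scan over web server logs that flags requests matching SQL injection and cross-site scripting signatures. The IIS W3C field order, the log entries and the signature set are assumptions constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log lines (assumed field order, see #Fields line).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-03-01 10:00:01 203.0.113.5 GET /vendor/orders.asp id=1042 200
2024-03-01 10:00:07 203.0.113.9 GET /vendor/orders.asp id=1042'+OR+'1'='1 200
2024-03-01 10:00:12 198.51.100.7 GET /vendor/search.asp q=%3Cscript%3Ealert(1)%3C/script%3E 200
2024-03-01 10:00:20 203.0.113.5 POST /vendor/login.asp - 302
2024-03-01 10:00:31 198.51.100.7 GET /vendor/orders.asp id=1%20UNION%20SELECT%20null,user_name%20FROM%20users 500
"""

# Heuristic signatures for the two vulnerability classes named in the case study.
# They support alerting as a compensating control; they do not fix the code.
SIGNATURES = {
    "sqli": re.compile(r"('\s*(or|and)\s*'?\d|union\s+select|--\s*$|;\s*(drop|exec)\b)", re.I),
    "xss": re.compile(r"(<\s*script\b|javascript:|\bon\w+\s*=\s*['\"])", re.I),
}

def parse_line(line):
    """Split one W3C log line into a dict; return None for directives and malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("date", "time", "client", "method", "stem", "query", "status")
    return dict(zip(keys, parts))

def classify(query):
    """Return the names of the signatures matching a URL-decoded query string."""
    decoded = unquote_plus(query) if query != "-" else ""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(text):
    """Return one alert per suspicious request: (client, stem, matched signatures, status)."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            alerts.append((rec["client"], rec["stem"], hits, rec["status"]))
    return alerts

if __name__ == "__main__":
    for client, stem, hits, status in scan_log(SAMPLE_LOG):
        print(f"ALERT {client} {stem} {','.join(hits)} status={status}")
```

Feeding the real log rotation into scan_log and forwarding the alerts to the operations staff gives the two-person team visibility into attempts against the known weaknesses, including the ones that fail with a 500, until the upgrade lands.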
