MORTGAGE FINANCE, INC.
Mortgage Finance, Inc. (MFI) is a mortgage loan company that manages thousands of accounts across the United States. A public company traded on the NYSE, MFI specializes in financial management, loan application approval, wholesale loan processing, and investment of money management for their customers.
The diagram below displays the executive management team of MFI:
Figure 1 MFI Executive Organizational
Chart BACKGROUND AND YOUR ROLE
You are the Chief Security Officer, hired by COO Kelly Smith, to protect the physical and operational security of MFI’s corporate information systems. Shortly after starting in your new position, you recognize numerous challenges that you will be facing in this pursuit.
Your primary challenge, as is usually the case, is less technical and more of a political nature. The CEO has been swept up in the “everything can be solved by outsourcing” movement. He believes that the IT problem is a known quantity and feels the IT function can be almost entirely outsourced at fractions of the cost associated with creating and maintaining an established internal IT department. In fact, the CEO’s strategy has been to prevent IT from becoming a core competency since so many services can be obtained from 3rd parties. Based on this vision, the CEO has already begun downsizing the IT department and recently presented a proposal to his senior management team outlining his plan to greatly reduce the internal IT staff in favor of outsourcing. He plans on presenting this approach to the Board of Directors as soon as he has made a few more refinements in his presentation.
COO Smith’s act of hiring you was, in fact, an act of desperation: the increasing operational dependence on technology services combined with a diminishing IT footprint gravely concerned Smith, and he begged to at least bring in an Information Security expert with the experience necessary to evaluate the current security of MFI’s infrastructure and systems. The COO’s worst nightmare is a situation where the Confidentiality, Integrity, and Availability of MFI’s information systems were compromised – bringing the company to its knees – then having to rely on vendors to pull him out of the mess.
COO Smith has reasons for worrying. MFI has experienced several cyber-attacks from outsiders over the past a few years:
network for several days. While infected, the Oracle and e-mail servers had to be shut down to quarantine these servers. COO Smith isn’t sure whether the virus entered MFI’s systems through a malicious email, from malware downloaded from the Internet, or via a user’s USB flash drive. Regardless of the source of the infection, the company lost $1,700,000 in revenue and intangible customer confidence.
It is apparent from the number of successful cyber-attacks that MFI is an organization severely lacking in information security maturity. COO Smith has commissioned you to perform a quantitative and qualitative risk assessment of MFI’s infrastructure to determine where improvements could be made to reduce the risk of future attacks.
The diagram on the following page displays MFI’s Corporate Office Topology.
The MFI network infrastructure consists of a corporate WAN spanning 20 remote facilities that are interconnected to the MFI headquarters’ central data processing environment. Data is transmitted from a remote site through a VPN gateway appliance that forms a VPN tunnel with the VPN gateway in headquarters. Through this VPN connection, remote office users access the internal Oracle database to update the customer data tables. Through your inspection of the VPN configuration you discover that the data transaction traversing the remote access connection to the corporate internal databases is not encrypted.
Users are authorized to work from home and both dial-up and VPN remote access are available. Dial-up is provided via Private Branch Exchange (PBX) and a Remote Access Server and VPN remote access is provided via the VPN gateway. Authentication is password-based via MS-CHAP V2. Users are also able to take advantage of MFI’s Bring Your Own Device (BYOD) policy and a Wireless antenna allows wireless networking within headquarters. WEP is used to provide wireless security to BYOD users.
The network perimeter between the Internet and MFI’s internal network infrastructure is separated by two
Border (Core) Routers. These Border Routers then connect to two Distribution Routers and the VPN Gateway. The Distribution Routers connect to a RAS Server, a Wireless Router that provides a bridge between the Wireless Antenna and the internal network, and two Multi-layer switches. The Multilayer switches connect to six (6) Access Layer VLAN switches that segregate the Accounting, Loan Dept, Customer Services, Mgmt, Credit Dept, and Finance VLANs. The Multi-layer switches also connect to a third Multi-layer switch that provides a connection to MFI’s servers in the Trusted Computing Base subnet.
The trusted computing based (TCB) internal network is situated in a physically separated subnet. A bulk of the data processing for MFI is handled by an Oracle database on a high end super computer located in the TCB and the TCB also contains an intranet web server used by the internal support team, a Software Update Services (SUS) server used for patch management, an internal DNS server, an e-mail server, and other support personnel workstations. Although each corporate department is segregated physically on a different subnet, they share access to the corporate data in the TCB network.
CONSIDERATIONS WHEN CONDUCTING THE RISK ASSESSMENT:
This Risk Assessment and your suggested security improvements are of critical importance. The CEO is set on outsourcing MFI’s IT competency and you’ve been told of a plan from COO Smith to outsource network management and security functions away from your department and over to a service integrator. COO Smith warns you that the political environment will only become more contentious over time; you must make a compelling case as to what value your department can bring over an integrator to provide security improvements in certain key areas without a significant increase to the IT budget. It is extremely important that you take into account the value of the assets being protected when selecting security controls to mitigate the risks (i.e. don’t spend $1000 to protect an asset worth $500). In addition to what you learned from COO Smith about the previous exploits of MFI’s vulnerabilities and what you gathered when reviewing MFI’s network infrastructure, COO Smith has provided some additional information that he wants you to take into account:
a significant spike in network traffic crossing into the internal networks. They report that they cannot be certain what or who is generating this traffic, but the volume and frequency of traffic is certainly abnormal. The management is very concerned over securing the corporate confidential data and customer information. Suggestions on improvements to perimeter security and/or methods of identifying the source of intrusions should be presented in your risk assessment.
You are given a fictional scenario above describing security issues affecting organizational assets. You will identify the risks associated with the assets and recommend mitigating procedures. You will prepare a quantitative / qualitative risk assessment to address risk factors on organizational assets. Your final paper will be 15–25 pages long in a Word document (double-spaced with 12-point font) with APA citations for the resources you used in your research and will be graded using the following rubric.
Criteria |
Non-compliant |
Minimal |
Compliant |
Advanced |
Executive summary of risk assessment. |
Did not include an executive summary. (0) |
Included an executive summary but lacks details. (3) |
Included an executive summary in details, but did not address the mission objectives. (7) |
Included an executive summary in details, and addressed mission objectives. (10) |
Inventory assets and prioritize them in the order of mission criticality. |
Did not inventory or prioritize assets in the order of mission criticality. (0) |
Inventoried assets but did not prioritize them in the order of mission criticality. (3) |
Inventoried, prioritized assets, but did not address mission objectives in their asset priority. (7) |
Inventoried, prioritized assets and addressed mission objectives in their asset priority. (10) |
Evaluate enterprise topology and perimeter protection. |
Did not evaluate enterprise topology and perimeter protection. (0) |
Evaluated enterprise topology but did not include perimeter protection measures. (3) |
Evaluated enterprise topology, perimeter protection measures, but did not address mission objectives. (7) |
Evaluated enterprise topology, perimeter protection measures, and addressed mission objectives. . (10) |
Evaluate remote access to the networks. |
Did not evaluate remote access protocols and safeguards to the network. (0) |
Evaluated remote access protocols but did not address security safeguards to the network. (3) |
Evaluated remote access protocols, security safeguards to the network, but did not address mission objectives. (7) |
Evaluated remote access protocols, security safeguards to the network, and addressed mission objectives. (10) |
Evaluate authentication protocols and methodologies. |
Did not evaluate authentication protocols and methodologies. (0) |
Evaluated authentication protocols, methodologies but with insufficient data or inadequate description. (3) |
Evaluated authentication protocols, methodologies with supporting data and description, but lacks mission objectives. (7) |
Evaluated authentication protocols, methodologies with supporting data, description; and addressed mission objectives. (10) |
Assign asset values to organization assets for quantitative / qualitative risk assessment. |
Did not assign asset values to organization assets for quantitative / qualitative risk assessment. (0) |
Assigned asset values to organization assets for quantitative / qualitative risk assessment but incomplete. (3) |
Assigned asset values to organization assets in a complete assessment, but did not address mission objectives. (7) |
Assigned asset values to organization assets in a complete assessment, and addressed mission objectives. (10) |
Assess vulnerabilities on each asset and impacts if compromised. |
Did not assess vulnerabilities on each asset and impacts if compromised. (0) |
Assessed vulnerabilities on each asset and impacts if compromised; but incomplete. (3) |
Assessed vulnerabilities on each asset and impacts if compromised; of complete inventory but did not address mission objectives. (7) |
Assessed vulnerabilities on each asset and impacts if compromised; of complete inventory and addressed mission objectives. (10) |
Evaluate web access protocols and vulnerabilities and Cloud Computing |
Did not evaluate web access protocols and vulnerabilities and Cloud Computing (0) |
Evaluated web access protocols and vulnerabilities or Cloud Computing. (3) |
Evaluated web access protocols and vulnerabilities and Cloud Computing but did not address mission objectives. (7) |
Evaluated web access protocols and vulnerabilities and Cloud Computing and addressed mission objectives. (10) |
Criteria |
Non-compliant |
Minimal |
Compliant |
Advanced |
Recommend risk mitigation procedures commensurate with asset values. |
Did not recommended risk mitigation procedures commensurate with asset values. (0) |
Recommended risk mitigation procedures commensurate with asset values, but incomplete. (3) |
Recommended risk mitigation procedures commensurate with asset values of complete inventory, but did not address mission objectives. (7) |
Recommended risk mitigation procedures commensurate with asset values of complete inventory, and addressed mission objectives. (10) |
Formulate 15-25 pages of a quantitative or qualitative risk assessment in APA format. |
Did not follow proper quantitative or qualitative risk assessment format, and failed to conform to APA format. (0) |
Followed proper quantitative or qualitative risk assessment format but did not conform to APA format. (3) |
Followed proper quantitative or qualitative risk assessment format and conformed to APA but insufficient reference list and page count. (7) |
Followed proper quantitative or qualitative risk assessment format and conformed to APA in a sufficient reference list and page count. (10) |
Assignment Writing Help
Engineering Assignment Services
Do My Assignment Help
Write My Essay Services