Expert answer: Code Galore Information Security, business and fin

Answer & Explanation: Answer questions 6-10 found at the end of the PowerPoint slides.

Attachments: codegalorecaselet_weeks_1_and_2__student_case_study_homework.ppt, instruction1.docx

Code Galore Caselet:
Using COBIT® 5 for Information Security
Disclaimer
ISACA has designed and created the Code Galore Caselet : Using COBIT® 5 for Information
Security (the ‘Work’) primarily as an educational resource for educational professionals. ISACA
makes no claim that use of any of the Work will assure a successful outcome. The Work should
not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific information, procedure or test, security governance and
assurance professionals should apply their own professional judgment to the specific
circumstances presented by the particular systems or information technology environment.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
© 2013 ISACA. All rights reserved.
Reservation of Rights
© 2013 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorisation of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the material’s
source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/information_security_caselets
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
Acknowledgements
Researcher
• Krag Brotby, CISM, CGEIT, Brotby & Associates, USA
Board of Directors
• Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
• Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
• Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
• Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
• Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
• Vittal Raj, CISA, CISM, CGEIT, CFE. CIA, CISSP, FCA, Kumar & Raj, India, Vice President
• Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
• Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
• Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
• Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
• Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
• Krysten McCabe, CISA, The Home Depot, USA, Director
• Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich , Australia, Director
Knowledge Board
• Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
• Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
• Steven A. Babb, CGEIT, CRISC, Betfair, UK
• Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
• Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
• Anthony P. Noble, CISA, Viacom, USA
• Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Academic Program Subcommittee
• Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman
• Umesh R. Hodeghatta, Xavier Institute of Management, India
• Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
• Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
• Nebil Messabia, Canada
• Kumar Srikanteswaran, CISA, CMA, PMP, India
• Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
• Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
• Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan
Student Book
This caselet was developed to support
the Information Security Student Book:
Using COBIT® 5 for Information Security,
www.isaca.org/information_security_student_book .
Agenda
Company Profile – Code Galore
Background Information
The Problems
Your Role
Your Tasks
Figures
Notes
Questions
Company Profile – Code Galore
Profile
• Start-up company founded in 2005
• One office in Sunnyvale, California, USA
• 10 remote salespeople and a few with space at resellers’ offices
• Approximately 100 total staff; about one-third work in engineering
Background Information
What we do
Financials
Org. Structure
Operational
Industry
Products
Sales
Background Information – What We Do
• Building a comprehensive business function automation
software that performs many functions (decision making in
approaching new initiatives, goal setting and tracking,
financial accounting, a payment system, and much more).
• The software is largely the joint brainchild of the Chief
Technology Officer (CTO) and a highly visionary Marketing
Manager who left the company a year ago
Background Information – Financials
• Financed 100% by investors who are extremely anxious to
make a profit.
• Investors have invested more than US $35 million since
inception and have not received any returns.
• The organization expected a small profit in the last two
quarters. However, the weak economy led to the cancellation
of several large orders. As a result, the organization was in
the red each quarter by approximately US $250,000.
Background Information – Financials
• Code Galore is a privately held company with a budget of US
$15 million per year. Sales last year totaled US $13.5 million
(as mentioned earlier, the company came within US
$250,000 of being profitable each of the last two quarters).
• The investors hold the preponderance of the company’s
stock; share options are given to employees in the form of
stock options that can be purchased for US $1 per share if
the company ever goes public.
• Code Galore spends about five percent of its annual budget
on marketing. Its marketing efforts focus on portraying other
financial function automation applications as ‘point
solutions’ in contrast to Code Galore’s product.
Background Information – Org. Structure
Figure 1—Code Galore Organisational Chart (the chart image is not preserved; the positions it shows are: CEO; CSO; Security Administrator; VP, Business; Sales Mgr; VP, Finance; Accounting Dir.; Sr. Financial Analyst; CTO; Infrastructure Mgr.; Sys. Dev. Mgr.; VP, Human Resources; HR Manager)
Background Information – Org. Structure
The board of directors:
• Consists of seasoned professionals with many years of experience in the software industry
• Is scattered all over the world and seldom meets, except by teleconference
• Is uneasy with Code Galore being stretched so thin financially, and a few members have tendered their resignations within the last few months
Background Information – Org. Structure
The CEO:
• Is the former chief financial officer (CFO) of Code Galore who replaced the original CEO, who resigned to pursue another opportunity two years ago
• Has a good deal of business knowledge and a moderate amount of experience as a C-level officer, but no prior experience as a CEO
• As a former CFO, tends to focus more on cost cutting than on creating a vision for developing more business and getting better at what Code Galore does best
Background Information – Operational
• Engineers perform code installations. The time to get the product completely installed and customized to the customer’s environment can exceed one month, with costs higher than US $60,000 to the customer.
• Labour and purchase costs are too high for small and medium-sized businesses. So far, only large companies in the US and Canada have bought the product.
• C-level officers and board members know that they have developed a highly functional, unique product for which there is really no competition. They believe that, in time, more companies will become interested in this product, but the proverbial time bomb is ticking. Investors have stretched themselves to invest US $35 million in the company and are unwilling to invest much more.
Background Information – Industry
• Business function automation software is a profitable area for many software vendors because it automates tasks that previously had to be performed manually or that software did not adequately support.
• The business function automation software arena has many products developed by many vendors. However, Code Galore is a unique niche player that does not really compete (at least on an individual basis) with other business automation software companies.
Background Information – Products
• The product is comprehensive—at least four other software products would have to be purchased and implemented to cover the range of functions that Code Galore’s product covers.
• Additionally, the product integrates information and statistics throughout all functions—each function is aware of what is occurring in the other functions and can adjust what it does accordingly, leading to better decision aiding.
Background Information – Sales
• Sales have been slower than expected, mainly due to a combination of the economic recession and the high price and complexity of the product.
• The price is not just due to the cost of software development; it is also due to the configuration labour required to get the product running suitably for its customers.
The Problems
Acquisition
• Code Galore is in many ways fighting for its life, and the fact that, four months ago, the board of directors made the decision to acquire a small software start-up company, Skyhaven Software, has not helped the cash situation.
• Skyhaven consists of approximately 15 people, mostly programmers who work at the company’s small office in Phoenix, Arizona, USA. Originally, the only connection between your network and Skyhaven’s was an archaic public switched telephone network (PSTN).
Setting up a WAN
• Two months ago, your company’s IT director was tasked with setting up a dedicated wide area network (WAN) connection to allow the former Skyhaven staff to remotely access Code Galore’s internal network and vice versa.
• You requested that this implementation be delayed until the security implications of having this new access route into your network were better understood, but the CEO denied your request on the grounds that it would delay a critical business initiative, namely getting Skyhaven’s code integrated into Code Galore’s.
The Problems – Overview
Information Security
• More recently, you have discovered that the connection does not require a password for
access and that, once a connection to the internal network is established from outside the
network, it is possible to connect to every server within the network, including the server that
holds Code Galore’s source code and software library and the server that houses employee
payroll, benefits and medical insurance information.
• Fortunately, access control lists (ACLs) limit the ability of anyone to access these sensitive
files, but a recent vulnerability scan showed that both servers have vulnerabilities that could
allow an attacker to gain unauthorised remote privileged access.
• You have told the IT director that these vulnerabilities need to be patched, but because of the
concern that patching them may cause them to crash or behave unreliably and because Code
Galore must soon become profitable or else, you have granted the IT director a delay of one
month in patching the servers.
The Problems – Overview
Bots
• What now really worries you is that, earlier today, monitoring by one of the security
engineers who does some work for you has shown that several hosts in Skyhaven’s network
were found to have bots installed in them.
Source Code
• Furthermore, one of the Skyhaven programmers has told you that Skyhaven source code
(which is to be integrated into Code Galore’s source code as soon as the Skyhaven
programmers are through with the release on which they are currently working) is on just
about every Skyhaven machine, regardless of whether it is a workstation or server.
The Problems – Overview
Code Galore vs. Skyhaven Employee Knowledge
• Code Galore employees are, in general, above average in their knowledge and awareness of
information security, due in large part to an effective security awareness programme that you
set up two months after you started working at Code Galore and have managed ever since.
• You offer monthly brown bag lunch events in a large conference room, display posters
reminding employees not to engage in actions such as opening attachments that they are not
expecting, and send a short monthly newsletter informing employees of the direction in
which the company is going in terms of security and how they can help.
• Very few incidents due to bad user security practices occurred until Skyhaven Software was
acquired. Skyhaven’s employees appear to have almost no knowledge of information security.
• You also have discovered that the Skyhaven employee who informally provides technical
assistance does not make backups and has done little in terms of security configuration and
patch management.
Your Role
• Hired two years ago as the only Chief
Security Officer (CSO) this company
has ever had.
• Report directly to the Chief Executive
Officer (CEO).
• Attend the weekly senior management
meeting in which goals are set,
progress reports are given and issues
to be resolved are discussed.
• The Information Security Department
consists of just you; two members of
the security engineering team from
software are available eight hours
each week.
• 10 years of experience as an
information security manager, five of
which as a CSO, but you have no
previous experience in the software
arena.
• Four years of experience as a junior IT
auditor.
• Undergraduate degree in managing
information systems and have earned
many continuing professional
education credits in information
security, management and audit
areas.
• Five years ago, you earned your CISM
certification.
Your Role and the Business Units
• The focus here is not on a business unit, but rather on Code Galore as a whole,
particularly on security risk that could cripple the business.
• Due primarily to cost-cutting measures the CEO has put in place, your annual
budget has been substantially less than you requested each year.
• Frankly, you have been lucky that no serious incident has occurred so far. You know
that in many ways your company has been tempting fate.
• You do the best you can with what you have, but levels of unmitigated risk in some
critical areas are fairly high.
Your Role and the CEO, Ernest Wingate
• Mr. Wingate’s focus on cost cutting is a major reason that you have not been able
to obtain more resources for security risk mitigation measures.
• He is calm and fairly personable, but only a fair communicator, something that
results in your having to devote extra effort in trying to learn his expectations of
your company’s information security risk mitigation effort and keeping him advised
of risk vectors and major developments and successes of this effort.
Your Role and the IT Director, Carmela Duarte
• Code Galore’s IT director is Carmela Duarte. She has put a system of change control
into effect for all IT activities involving hardware and software.
• This system is almost perfect for Code Galore—it is neither draconian nor too lax
and very few employees have any complaints against it.
• You have an excellent working relationship with her, and although she is under
considerable pressure from her boss, the CTO, and the rest of C-level management
to take shortcuts, she usually tries to do what is right from a security control
perspective.
• She is working hard to integrate the Skyhaven Software network into Code Galore’s,
but currently, there are few resources available to do a very thorough job. She
would also do more for the sake of security risk mitigation if she had the resources.
• Carmela has worked with Code Galore since 2006, and she is very much liked and
respected by senior management and the employees who work for her.
Your Tasks
• You believe that Code Galore’s (but not Skyhaven Software’s) security risk is well within the risk appetite of the CEO and the board of directors.
• You have a good security policy (including acceptable use provisions) and standards in place, and you keep both of them up to date.
• You have established a yearly risk management cycle that includes asset valuation, threat and vulnerability assessment, risk analysis, controls evaluation and selection, and controls effectiveness assessment, and you are just about ready to start a controls evaluation when you suddenly realise that something more important needs to be done right away (outlined in The Problems section).
Your Tasks – Qualitative Risk Analysis
Using the figure 4 template, you need to modify the qualitative risk analysis that you
performed six months ago to take into account the risk related to Skyhaven Software.
The major risk events identified during this risk analysis are shown in figure 2.
You must not only head this effort, but for all practical purposes, you will be the only
person from Code Galore who works on this effort.
Your Tasks – Qualitative Risk Analysis
• Your revision of the last risk analysis will not only bring Code Galore up to date concerning its current risk landscape, but will also provide the basis for your requesting additional resources to mitigate new, serious risk and previously unmitigated or unsuitably mitigated risk.
• You may find that some risk events are lower in severity than before, possibly to the point that allocating further resources to mitigate them would not be appropriate. This may help optimise your risk mitigation investments.
• To the degree that you realistically and accurately identify new and changed risk, you will modify the direction of your information security practice in a manner that, ideally, lowers the level of exposure of business processes to major risk and facilitates growth of the business.
• Failure to realistically and accurately identify new and changed risk will result in blindness to relevant risk that will lead to unacceptable levels of unmiti …
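The revision described in the two Qualitative Risk Analysis slides can be carried out as a small risk register that rates each event by likelihood and impact, adjusts the rating for the effectiveness of the control already in place, sorts by residual rating, and flags which ratings moved since the last analysis (the basis for both the resource request and the "lower in severity than before" check). The code below is an added example written for this page; it is not ISACA's figure 4 template and not Code Galore's own register. The three-point scales, the rating matrix, the control-effectiveness adjustment, and the six register entries are all assumptions constructed from the caselet narrative.

```python
"""Qualitative risk register revision for the Code Galore caselet (added example).

Not ISACA's figure 4 template. The scales, the rating matrix, the control
adjustment and every register entry are assumptions built from the caselet.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Three-point ordinal scale shared by likelihood, impact and overall rating (assumed).
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# How many scale steps an existing control is assumed to pull likelihood down.
REDUCTION: Dict[str, int] = {"none": 0, "partial": 1, "effective": 2}


@dataclass
class RiskEvent:
    name: str
    likelihood: str                        # "low" | "medium" | "high", before controls
    impact: str                            # "low" | "medium" | "high"
    control: str                           # existing control, if any
    effectiveness: str                     # "none" | "partial" | "effective"
    previous_rating: Optional[str] = None  # rating from the analysis six months ago


def rate_score(likelihood: int, impact: int) -> str:
    """Map a likelihood x impact product onto the three-point rating (assumed matrix)."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def inherent_rating(ev: RiskEvent) -> str:
    return rate_score(LEVELS[ev.likelihood], LEVELS[ev.impact])


def residual_likelihood(ev: RiskEvent) -> int:
    """Likelihood after the existing control, never below the bottom of the scale."""
    return max(1, LEVELS[ev.likelihood] - REDUCTION[ev.effectiveness])


def residual_rating(ev: RiskEvent) -> str:
    return rate_score(residual_likelihood(ev), LEVELS[ev.impact])


def revise_register(events: List[RiskEvent]) -> List[dict]:
    """Rate every event and sort by residual, then inherent, rating (highest first)."""
    rows = []
    for ev in events:
        residual = residual_rating(ev)
        if ev.previous_rating is None:
            trend = "new"
        elif LEVELS[residual] > LEVELS[ev.previous_rating]:
            trend = "up"
        elif LEVELS[residual] < LEVELS[ev.previous_rating]:
            trend = "down"
        else:
            trend = "unchanged"
        rows.append({"name": ev.name, "inherent": inherent_rating(ev),
                     "residual": residual, "trend": trend, "control": ev.control})
    rows.sort(key=lambda r: (-LEVELS[r["residual"]], -LEVELS[r["inherent"]], r["name"]))
    return rows


def treatment_candidates(rows: List[dict]) -> List[str]:
    """Events whose residual rating is high: the basis for a resource request."""
    return [r["name"] for r in rows if r["residual"] == "high"]


def deprioritise_candidates(rows: List[dict]) -> List[str]:
    """Events that fell to low since last time: further mitigation spend is hard to justify."""
    return [r["name"] for r in rows if r["trend"] == "down" and r["residual"] == "low"]


# Constructed register entries drawn from the caselet's problem statements (assumed ratings).
REGISTER = [
    RiskEvent("Unauthenticated WAN link reaches every internal server", "high", "high", "none", "none"),
    RiskEvent("Privileged-access vulnerabilities on source-code and payroll servers", "high", "high",
              "File ACLs", "partial", previous_rating="medium"),
    RiskEvent("Bot-infected hosts on the Skyhaven network", "high", "high", "none", "none"),
    RiskEvent("Skyhaven source code held on every workstation and server", "medium", "high", "none", "none"),
    RiskEvent("No backups of Skyhaven systems", "medium", "high", "none", "none"),
    RiskEvent("Code Galore staff open unexpected attachments", "medium", "medium",
              "Security awareness programme", "effective", previous_rating="medium"),
]

if __name__ == "__main__":
    for row in revise_register(REGISTER):
        print(f'{row["residual"]:6} {row["inherent"]:6} {row["trend"]:9} {row["name"]}')
```

Running the script prints the revised register sorted with the highest residual ratings first. `treatment_candidates` yields the events that justify asking the CEO for additional resources, while `deprioritise_candidates` yields the events whose rating dropped to low, such as the attachment-handling risk that the awareness programme has contained, which is exactly the case where allocating further resources would not be appropriate.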