Risk Management Case Study

Challenger Constructions Case Study

Challenger Constructions Ltd is a building and construction company located in regional New South Wales. It has a number of separate, but related divisions:

  • Design and consultancy services,
  • Earthworks and site preparation,
  • Commercial construction,
  • Home building and renovation, and a
  • Painting and decorating division.

The company has a small data centre at its main site in Orange where the company’s servers and data storage are located. The company has some 300 staff, of whom 50 work in the Orange and Bathurst offices. These 50 staff include management, administrative staff and design and consultancy staff. The remaining staff mainly work on different construction sites. The company has two dedicated IT staff to maintain its IT assets and network. The company has a range of different types of personal computers, running a mixture of Windows 10 and Windows 7 Enterprise, which connect to the company data centre. The company also has 3 MacBook laptops running OS X.

The different construction division foremen communicate with the company using a number of iPads. These are used to update project management schedules and details and to take photos of the progress of various constructions. These iPads are kept by the different foremen and are often also used for personal communications and web access.

The company does not have a clear patching and update policy. As a result most servers and desktop machines are patched on an ad-hoc basis and as time, and operations, permit. The patching and/or updating of the company’s iPads has not been considered.

The company’s IT staff are responsible for the management of the server infrastructure and company network. Effective administration is, however, somewhat hampered by the fact that the administrative passwords are generally well known across the company. Company employees enjoy free, open, unrestricted access to the Internet, but realistically they only need to access certain websites. Company management would like to minimise the cost of accessing web resources.

The company consists of the following divisions:

  • Design and consultancy staff (15 people)
  • Systems administration (2 people)
  • Management (6 people)
  • Human Resources & Legal (3 people)
  • Finance (3 people)
  • Administration (2 people)
  • Challenger Constructions earthworks, building and painting staff (270 people)

There are no formal onboarding and offboarding processes in the organisation. There is close to no policy framework in the organisation.

Infrastructure

The company uses several servers to conduct its core business. The company has the following server infrastructure:

  • 2 x Active Directory domain controllers on Windows Server 2012 R2;
  • 3 x SQL Server 2012 database servers on Windows Server 2012;
  • 1 x Exchange 2013 email server on Windows Server 2012 R2;
  • 4 x Windows Server 2016 File and Print servers;
  • 2 x Red Hat Enterprise Linux v7.1 servers running Apache Tomcat v7.0.

Each of these servers is an independent machine with a relatively vanilla install of its respective operating system. None of the company’s servers is running the latest operating system, nor has any been recently patched. Most application servers, such as Exchange and SQL Server, are also outdated. All servers have publicly accessible addresses and hence can be accessed from the Internet.

The servers are all commodity x86 servers that have been purchased as required. There are no maintenance contracts on either the hardware or any installed software. Most of the servers and desktops are over five years old.

Services and Data

The servers store the following:

  • Home directories,
  • Mail,
  • Database objects for various development and production environments (for various departments),
  • Active Directory metadata objects,
  • Customer design project information directories,
  • Earthworks planning and design data directories,
  • Commercial design projects data directories,
  • Home building and renovation projects data directories,
  • Corporate finance and personnel data,
  • Web page data,
  • Customer data,
  • Market intelligence and strategic planning data,
  • Other forms of intellectual property.

Most services are only used within the company; however, the company does have an Internet presence via its web pages and mail server. Some of the construction design planners also work from home in the evenings and access some services from their home workstations, tablets or mobile devices. The construction foremen access the company’s data from work sites and from home each day. They also upload construction details and photos daily. You can assume there is no redundancy or failover in the disks, hence if a disk goes bad, that data is lost and the service associated with it fails.

The most important data to the company, in order of importance, is:

  • Corporate finance data,
  • Strategic planning data,
  • Customer design project data,
  • Earthworks planning and design data,
  • Commercial design projects data,
  • Home building and renovation projects data,
  • Personnel data,
  • Web page data,
  • Email.

The integrity of this data must always be preserved.

Administration

Most of the staff in the company are aware of the administration passwords for the servers and desktops. It should be noted that all users have accounts on the mail servers and the database servers.

The administration of the servers tends to be haphazard. There are frequent storage problems, as disks fill up regularly. There are a lot of active but unused accounts belonging to users who have now left the company. The company is dependent on its servers for continued access to services, but there are no monitoring systems in place.

External hackers have compromised some desktop machines in the past. The administrators are reasonably confident that the servers have not been compromised. That said, when a host is compromised, the administrators merely disable the intrusion and continue to allow the machine to be used. Most compromises are noticed too late, i.e. well after the compromise has occurred.

Security

The company does not have a firewall or any other security system in place. Currently all services offered by the servers are accessible via the Internet. All servers, and most desktops have a basic anti-virus system in place, but it has not been updated recently. There is no anti-virus on the MacBooks as the company has been told that they “don’t get viruses”. There is no overall email virus protection in this company.

Backup and Disaster Recovery

The company does not have any backup or disaster recovery systems or procedures.

Network and Physical Location

The servers and core network infrastructure are located in the same common workspace as other infrastructure and employees of the organisation. In addition to this, the servers are on the same network as user workstations and there is no network security. The company is connected to the Internet via an ADSL2 modem connected to a router. The router connects to several 10 Mb hubs, which provide access to the staff (there is only one LAN). There is no external firewall.

Individual Workstations & Passwords

Each employee has a desktop computer. Most of the computers are running a vanilla install of either Windows 10 or Windows 7 Enterprise that, in most cases, has not been patched since install. Employees often keep corporate data on these desktops in their home directory, which is not backed up.

In addition to this, everyone has administrator privileges on their own workstation. As the environment is relaxed, a user can have accounts on other employees’ computers, possibly using the same password or a different one.

The company has no hard and fast rules about passwords; in fact the most common password used is the person’s name. These passwords are also indicative of what is used on the server machines.

Read the Challenger Constructions case study document before attempting this assignment.

Tasks:

You have been employed by Challenger Constructions as their first ever Chief Information Security Officer (CISO). You have been tasked by the Board to conduct a review of the company’s risks. 

  1. As the first step, you are to provide a Risk Register for Challenger Constructions. This risk register must contain, as a minimum:
    1. A description of each risk identified for each IT asset, data set or process.
    2. A summary of the impact or consequence to each IT asset, data set or process, if the identified risk was to arise.
    3. The likelihood of this risk occurring.
    4. The inherent risk assessment (this is the assessed, raw/untreated risk inherent in a process or activity without doing anything to reduce the likelihood or consequence).
    5. The key controls to mitigate the risk (NOTE: it is possible that there may be more than one (1) control needed. Each control should be listed on a separate line).
    6. The residual risk assessment (this is the assessed risk in a process or activity, in terms of likelihood and consequence, after controls are applied to mitigate the risk).
    7. Prioritisation of the risk (what is the priority order for the risks to be addressed).

Your Risk Register should be in table format using the following column headings:

  • Risk
  • Impact
  • Likelihood
  • Assessment
  • Controls
  • Residual Risk
  • Priority

You should provide references in IEEE format, particularly for controls to be employed.
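As an added illustration, not part of the assignment text or of any model answer, the following Python scores a handful of the case study's risks on an assumed 5-point likelihood and impact scale, applies illustrative controls, computes inherent and residual ratings, and prints the register in the column order required above. The scales, band thresholds, controls and scores are assumptions chosen for the example, not values given in the case study.

```python
from dataclasses import dataclass

# Assumed 5-point scales and band thresholds; the case study sets none.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = [(15, "Extreme"), (8, "High"), (4, "Medium"), (0, "Low")]

def rating(score: int) -> str:
    """Map a likelihood x impact product (1..25) onto an assumed risk band."""
    return next(label for floor, label in BANDS if score >= floor)

@dataclass
class Risk:
    risk: str            # the weakness or threat, taken from the case study
    impact: str          # consequence if it arises
    likelihood: str      # LIKELIHOOD key, untreated
    severity: str        # IMPACT key, untreated
    controls: list       # key controls, one per entry
    res_likelihood: str  # likelihood once the controls are applied
    res_severity: str    # impact once the controls are applied

    def inherent(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.severity]
    def residual(self) -> int:
        return LIKELIHOOD[self.res_likelihood] * IMPACT[self.res_severity]

def prioritise(risks: list) -> list:
    # Treatment order: highest inherent score first, then highest residual, then name.
    return sorted(risks, key=lambda r: (-r.inherent(), -r.residual(), r.risk))

def render(risks: list) -> list:
    """One string per row, header first, in the assignment's column order."""
    rows = ["Risk | Impact | Likelihood | Assessment | Controls | Residual Risk | Priority"]
    for n, r in enumerate(prioritise(risks), 1):
        rows.append(f"{r.risk} | {r.impact} | {r.likelihood} | {rating(r.inherent())} | {'; '.join(r.controls)} | {rating(r.residual())} | {n}")
    return rows

# Constructed register entries drawn from the case study; scores are illustrative.
REGISTER = [
    Risk("Unpatched servers on public addresses, no firewall", "Compromise and theft of finance and design data",
         "almost certain", "severe", ["Perimeter firewall", "Patch and update policy"], "unlikely", "major"),
    Risk("No backups, DR or disk redundancy", "Permanent loss of data and dependent services",
         "likely", "severe", ["Scheduled off-site backups", "Restore tests"], "unlikely", "moderate"),
    Risk("Admin passwords widely known; passwords are users' names", "Unauthorised server and desktop access",
         "almost certain", "major", ["Reset and restrict admin credentials", "Password policy"], "possible", "moderate"),
    Risk("Accounts of departed staff still active", "Misuse of stale accounts",
         "likely", "major", ["Offboarding process", "Periodic account review"], "unlikely", "minor"),
    Risk("Unmanaged foremen iPads used for personal browsing", "Infected device leaks site data",
         "likely", "moderate", ["Mobile device management with updates"], "possible", "minor"),
]
```

Running `print("\n".join(render(REGISTER)))` lists the register with the two 20-point risks ordered by their residual score, which is why the shared-password risk outranks the missing backups.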

RATIONALE

This assessment task will assess the following learning outcomes:

  • be able to justify the goals and various key terms used in risk management and assess IT risk in business terms.
  • be able to apply both quantitative and qualitative risk management approaches and to compare and contrast the advantages of each approach.
  • be able to critically analyse the various approaches for mitigating security risk, including when to use insurance to transfer IT risk.
