1. Security Environment Assessment

2. Outline  Overview  Key Sources and Participants  General Findings  Policy / Procedures  Host Systems  Network Components  Applications  Overall Assessment - Compliance with Policy  Next Steps

3. Overview  Objective  Broad sweep to find significant strengths / weaknesses  Baseline - not final statement of vulnerabilities  Approach  Interviews  Review of system configurations  Automated assessment tools (GFI)  Examined policy, procedures, host systems, network infrastructure, and some applications

4. General Findings - Strengths  Linksys Router /Firewall protects the network perimeter  Mostly Standardized Intel Platform with an OS, of which is XP  Customer security requirements have positively influenced security awareness  Regulatory requirements dictate due diligence

5. General Findings - Weaknesses  External (e.g., Internet) access is not restricted i.e. (Filter inappropriate network traffic)  Critical Identified internal systems are not isolated  Production systems are not subject to configuration management  Security program lacking key components and scope necessary to effectively influence all systems  Security staff not required but security knowledge and emphasis lacking technical expertise to perform effective oversight of all systems  Policies not used to guide internal activities  Security responsibilities not well defined  Available technical features not used to best advantage

6. Policy / Procedures - Weaknesses  System specific practices not tied to top-level policy  User account / password management practices  Access control decisions  Workstation policy not clear; basic features not implemented  High level policies for internet usage etc… does not exist  Procedures well defined for systems not defined  Training / user awareness for system specific features not provided  Training / user orientation emphasizes personal responsibility does not exist  Incident detection and response not addressed

7. General Findings - Weaknesses (cont)  System specific procedures lacking  Security not integrated with business processes  Security responsibility for new systems and applications not well defined  Staff lacks technical expertise to effectively influence design of new systems

8. Policy/Procedures  Strengths  High level policy has good components  Training / user orientation emphasizes personal responsibility  Procedures well defined for mainframe systems  Weaknesses  System-specific practices not tied to top-level policy  User account/password/access practices not consistent  No provisions for incident detection / response

9. Host Systems  Strengths  Privileged access limited  Security enhancements being implemented on some systems  Weaknesses  Available features not used to best advantage  Technical vulnerabilities on many systems  Unnecessary services are available  Configuration not guided by security policy

10. Network Infrastructure  Strengths  Firewall/address translator limits external access  Router filters limit access within the network  Weaknesses  Network security responsibility not well defined; configuration not guided by a security policy  No capability for encrypted internal communications, remote access, or Internet links  Dial-up access not well controlled or secured

11. Applications  Strengths  Development and production environments are segregated  Application security features are used to restrict access  Weaknesses  Password management practices are inconsistent  Personal accountability is not always maintained

12. Overall Assessment -- Compliance with Security Policies  Comparison of observed practice with the published “Information Security Policy”  Policy does not influence security configuration / management of non-mainframe systems  Most policy statements have not been implemented consistently across the enterprise

13. Next Steps  Reaction to vulnerabilities/weaknesses  Recommend, prioritize, and implement fixes  Implementation of Internet and remote access solution  Validate design; implement technical fixes, policy, and procedures  Define network security enhancements  Refine requirements; select and implement solution