1) Code Galore is a startup software company facing financial difficulties due to slow sales and pressure from investors to become profitable. It recently acquired another small company, Skyhaven Software, in an effort to boost its prospects.
2) This has introduced new security risks to Code Galore's network as Skyhaven employees now have access and their systems contained malware. Additionally, Skyhaven's source code and practices are less secure.
3) As CSO, you must update Code Galore's risk assessment to account for these new risks and priorities the most serious for mitigation, given limited security resources. This will allow requesting additional funds needed to properly secure the company's operations and source code.
2. Products
Sales
Financials
Background Information
Building a comprehensive business function automation
software that performs many functions (decision making in
approaching new initiatives, goal setting and tracking, financial
accounting, a payment system, and much more).
The software is largely the joint brainchild of the Chief
Technology Officer (CTO) and a highly visionary Marketing
Manager who left the company a year ago
5
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Background Information – What We Do
Financed 100% by investors who are extremely anxious to make
a profit.
Investors have invested more than US $35 million since
inception and have not received any returns.
The organization expected a small profit in the last two
quarters. However, the weak economy led to the cancellation of
several large orders. As a result, the organization was in the red
each quarter by approximately US $250,000.
6
Background Information – Financials
What we do
3. Org. Structure
Operational
Industry
Products
Sales
Financials
Code Galore is a privately held company with a budget of US
$15 million per year. Sales last year totaled US $13.5 million
(as mentioned earlier, the company came within US $250,000 of
being profitable each of the last two quarters).
The investors hold the preponderance of the company’s stock;
share options are given to employees in the form of stock
options that can be purchased for US $1 per share if the
company ever goes public.
Code Galore spends about five percent of its annual budget on
marketing. Its marketing efforts focus on portraying other
financial function automation applications as ‘point solutions’
in contrast to Code Galore’s product.
7
Background Information – Financials
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
8
Background Information – Org. Structure
Figure 1—Code Galore Organisational Chart
CEO
CSO
4. VP, Finance
VP, Business
CTO
VP, Human Resources
Security
Administrator
Sales Mgr
Accounting
Dir.
Sr. Financial
Analyst
Infrastructure
Mgr.
Sys. Dev. Mgr.
HR Manager
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The board of directors:
5. Consists of seasoned professionals with many years of
experience in the software industry
Is scattered all over the world and seldom meets, except by
teleconference
Is uneasy with Code Galore being stretched so thin financially,
and a few members have tendered their resignations within the
last few months
9
Background Information – Org. Structure
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The CEO:
Is the former chief financial officer (CFO) of Code Galore that
replaced the original CEO who resigned to pursue another
opportunity two years ago
Has a good deal of business knowledge, a moderate amount of
experience as a C-level officer, but no prior experience as a
CEO
As a former CFO, tends to focus more on cost cutting than on
creating a vision for developing more business and getting
better at what Code Galore does best
Background Information – Org. Structure
10
What we do
Org. Structure
Operational
Industry
Products
6. Sales
Financials
Engineers perform code installations. The time to get the
product completely installed and customized to the customer’s
environment can exceed one month with costs higher than US
$60,000 to the customer.
Labour and purchase costs are too high for small and medium-
sized businesses. So far, only large companies in the US and
Canada have bought the product.
C-level officers and board members know that they have
developed a highly functional, unique product for which there is
really no competition. They believe that, in time, more
companies will become interested in this product, but the
proverbial time bomb is ticking. Investors have stretched
themselves to invest US $35 million in the company, and are
unwilling to invest much more.
11
Background Information – Operational
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Business function automation software is a profitable area for
many software vendors because it automates tasks that
previously had to be performed manually or that software did
not adequately support.
The business function automation software arena has many
7. products developed by many vendors. However, Code Galore is
a unique niche player that does not really compete (at least on
an individual basis) with other business automation software
companies.
Background Information – Industry
12
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The product is comprehensive—at least four other software
products would have to be purchased and implemented to cover
the range of functions that Code Galore’s product covers.
Additionally, the product integrates information and statistics
throughout all functions—each function is aware of what is
occurring in the other functions and can adjust what it does
accordingly, leading to better decision aiding.
Background Information – Products
13
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Sales have been slower than expected, mainly due to a
combination of the economic recession and the high price and
complexity of the product.
8. The price is not just due to the cost of software development; it
also is due to the configuration labour required to get the
product running suitably for its customers.
Background Information – Sales
14
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Acquisition
Code Galore is in many ways fighting for its life, and the fact
that, four months ago, the board of directors made the decision
to acquire a small software start-up company, Skyhaven
Software, has not helped the cash situation.
Skyhaven consists of approximately 15 people, mostly
programmers who work at the company’s small office in
Phoenix, Arizona, USA. Originally, the only connection
between your network and Skyhaven’s was an archaic public
switched telephone network (PSTN).
Setting up a WAN
Two months ago, your company’s IT director was tasked with
setting up a dedicated wide area network (WAN) connection to
allow the former Skyhaven staff to remotely access Code
Galore’s internal network and vice versa.
You requested that this implementation be delayed until the
security implications of having this new access route into your
network were better understood, but the CEO denied your
request on the grounds that it would delay a critical business
initiative, namely getting Skyhaven’s code integrated into Code
Galore’s.
9. 15
The Problems
Information Security
More recently, you have discovered that the connection does not
require a password for access and that, once a connection to the
internal network is established from outside the network, it is
possible to connect to every server within the network,
including the server that holds Code Galore’s source code and
software library and the server that houses employee payroll,
benefits and medical insurance information.
Fortunately, access control lists (ACLs) limit the ability of
anyone to access these sensitive files, but a recent vulnerability
scan showed that both servers have vulnerabilities that could
allow an attacker to gain unauthorised remote privileged access.
You have told the IT director that these vulnerabilities need to
be patched, but because of the concern that patching them may
cause them to crash or behave unreliably and because Code
Galore must soon become profitable or else, you have granted
the IT director a delay of one month in patching the servers.
16
The Problems – Overview
Bots
What now really worries you is that, earlier today, monitoring
by one of the security engineers who does some work for you
has shown that several hosts in Skyhaven’s network were found
to have bots installed in them.
10. Source Code
Furthermore, one of the Skyhaven programmers has told you
that Skyhaven source code (which is to be integrated into Code
Galore’s source code as soon as the Skyhaven programmers are
through with the release on which they are currently working) is
on just about every Skyhaven machine, regardless of whether it
is a workstation or server.
17
The Problems – Overview
Code Galore vs. Skyhaven Employee knowledge
Code Galore employees are, in general, above average in their
knowledge and awareness of information security, due in large
part to an effective security awareness programme that you set
up two months after you started working at Code Galore and
have managed ever since.
You offer monthly brown bag lunch events in a large conference
room, display posters reminding employees not to engage in
actions such as opening attachments that they are not expecting,
and send a short monthly newsletter informing employees of the
direction in which the company is going in terms of security and
how they can help.
Very few incidents due to bad user security practices occurred
until Skyhaven Software was acquired. Skyhaven’s employees
appear to have almost no knowledge of information security.
You also have discovered that the Skyhaven employee who
informally provides technical assistance does not make backups
and has done little in terms of security configuration and patch
management.
18
The Problems – Overview
11. 19
Your Role
Hired two years ago as the only Chief Security Officer (CSO)
this company has ever had.
Report directly to the Chief Executive Officer (CEO).
Attend the weekly senior management meeting in which goals
are set, progress reports are given and issues to be resolved are
discussed.
The Information Security Department consists of just you; two
members of the security engineering team from software are
available eight hours each week.
10 years of experience as an information security manager, five
of which as a CSO, but you have no previous experience in the
software arena.
Four years of experience as a junior IT auditor.
Undergraduate degree in managing information systems and
have earned many continuing professional education credits in
information security, management and audit areas.
Five years ago, you earned your CISM certification.
The focus here is not on a business unit, but rather on Code
Galore as a whole, particularly on security risk that could
cripple the business.
Due primarily to cost-cutting measures the CEO has put in
place, your annual budget has been substantially less than you
requested each year.
Frankly, you have been lucky that no serious incident has
occurred so far. You know that in many ways your company has
been tempting fate.
You do the best you can with what you have, but levels of
12. unmitigated risk in some critical areas are fairly high.
Your Role and the Business Units
20
Mr. Wingate’s focus on cost cutting is a major reason that you
have not been able to obtain more resources for security risk
mitigation measures.
He is calm and fairly personable, but only a fair communicator,
something that results in your having to devote extra effort in
trying to learn his expectations of your company’s information
security risk mitigation effort and keeping him advised of risk
vectors and major developments and successes of this effort.
21
Your Role and the CEO, Ernest Wingate
Code Galore’s IT director is Carmela Duarte. She has put a
system of change control into effect for all IT activities
involving hardware and software.
This system is almost perfect for Code Galore—it is neither
draconian nor too lax and very few employees have any
complaints against it.
You have an excellent working relationship with her, and
although she is under considerable pressure from her boss, the
CTO, and the rest of C-level management to take shortcuts, she
usually tries to do what is right from a security control
perspective.
20. that the institution will suffer.
SLE== Asset Value X Exposure Factor
$49000 X 0.99 X 700
=$33,957,000
Annualized Rate of Occurrence (ARO)
This is the projected frequency of a threat happening in a year.
48 computers lost between Apr 2009 and April 2011
Hence 24 computers lost in one year. Hence the threat on a
single laptop or mobile is
24/700=0.034
Annualized Loss Expectancy (ALE)
It is based on the probability of an event occurring. Therefore,
you multiply the annualized rate of occurrence (ARO) by Loss
of Expectancy (SLE)
ALE =SLE X ARO
ALE=$33,957,000 X 0.034
=US$1,154,538
Safeguard Value
Risk mitigation controls monetary expense. This helps
determine the financial feasibility and effectiveness. The
assumption is that all the proposed risk control measures are
implemented correctly.
Safeguard value is based on the hardware and software cost that
you invest in protecting your information in case of software
theft.
Software solutions
Altiris Manageability toolkit is available hardware per every
node is US$18
https://www.marketscreener.com/ALTIRIS-8486/news/Altiris-
Altiris-Ships-New-Toolkit-to-Sucnet.com/products/altiris-
manageability-toolkit-for-intel-vpro-technology-essential-
support-renewal-series/pport-Intel-vPro-1-Technology-for-
Efficient-IT-Service-Man-273906/?iCStream=1
$ 18 X700
=12600
Support license for the network
21. 12600+$80000
Cost of software USD92,600
Value of Safeguard=ALE before the implementation of
safeguard-ALE after safeguard -Annual cost of protection.
Sheet1CategoryProbability(0.0-1.0)Impact(0-100)Risk
Level(PXI)Description1Zombles0.02901.8Zombie Apocalypse
causes wide spread panic and physical security threats to staff,
property and business operations2Natural Disaster0.12607.2the
location of business may expose it to particular national
disasters. This may be long term or short term. Rains may
inturupt power supply. 3Threat of Breach from consumer
error0.43012Consumer may expose the system or account by
commission or ommission. This puts own data and others data at
risk. 4Breach Through Vendor Network0.454520.25A threat
from the faults of the service providers security system may
expose the data to threat. 5Malware0.87560Malwares will
mostly be sent through other communication or may be brought
. They pause the threat of data exposure6Inside
Misuse0.78559.5Employees handle a lot of company data and
can be threat to the organisation by sharing it or even exposing
it accidentally7Fringe Threat0.88568The risks includes fires,
electrical failure, physical theft, attack by mob from office. The
impact of threat varies