Case Study: Upward Bound Airlines
Using COBIT® 5
Information Security
Information is, at its most basic, what matters to any person or enterprise. Protecting it, ensuring its
completeness and validity, and controlling who can access it is the point where the word ‘security’ comes in.
How does it benefit an enterprise?
It is an organizational practice that ensures that information (data) is protected from unauthorized use,
modification, access and destruction and is available to the right people when they need it. The triad of
confidentiality, integrity and availability (CIA) is the basic principle of information security: only
authorized users can read information (confidentiality), the information is accurate and complete
(integrity), and it is accessible when required (availability).
Enterprises need to safeguard and control the use of their information including their customers’
confidential information and prevent malicious attacks from unauthorized users or software.
In the absence of effective information security, enterprises may suffer heavy financial losses and
damage to their reputations.
How does it benefit an information security professional?
An information security professional needs to be able to assess and provide information security
controls that ensure the confidentiality, integrity and availability of information.
Upward Bound Airlines – Profile
International airline, founded in 1980, serving 31 cities; 16 in the US, two in Canada, two in Mexico and
11 in Europe.
International headquarters in Chicago, Illinois, USA; with a small office at each airport and five regional
offices
Has approximately 9,000 employees and a few hundred long-term contractors
Background – What We Do
• Financed, for the most part, by investment banks, it has grown from a small, ‘hometown’ airline into a profitable international carrier. The ‘secret sauce’ for Upward Bound is efficiency of operations.
Copyrighted by ISACA.
• All airplanes are the same basic model and version, and this airline has spare parts for airplanes at every airport out of which it operates. These two key factors have led to the lowest time per repair in the industry.
• Additionally, ground operations, including maintenance, baggage handling, fueling, etc., are extremely efficient, leading to, amongst other things, the best on-time record in the industry.
• At the same time, though, Upward Bound has been squeezed by the high cost of aviation fuel and, unfortunately, the standard model of airplane that this company uses is not particularly fuel efficient.
• The jet fleet is aging—the average age of an Upward Bound airplane is 12 years—and the vice president (VP) of ground and flight operations is pushing the idea of buying a new jet fleet. Doing so will drain the company of its cash reserves, but the high cost of aviation fuel combined with the age of the jet fleet make starting to replace jets soon inevitable. Upward Bound is bracing for the anticipated cash crunch by putting austere cost-saving measures in place:
  ₋ Reducing the workforce—up to 20 percent of employees will be terminated by the end of the year
  ₋ Outsourcing most IT operations by moving to cloud computing services
Background – Financial
• Publicly owned company
• Last year the gross revenue was US $296 million and profit was US $19 million
• Debt amounts to US $110 million
Background – Org. Structure
The board of directors:
• Consists of highly qualified professionals made up of CEOs and chief operations officers (COOs) of prominent corporations within the transportation industry
• Has one member who was the former US Secretary of Transportation
• Is very active and meets at least every month
• Sometimes has additional meetings to cover urgent issues (budget issues, in particular) that cannot wait until the next board meeting
The CEO:
• Is Sara Robbins, for the past seven years
• Is, above all else, a true visionary
• Has initiated many of the operational improvements
• Is a reasonable person who will take calculated risks to fatten the bottom line
Background – Departments
• The company consists of departments which are assigned one or more major functions. For example, some of the departments are:
  ₋ Business operations
  ₋ Ground and flight operations
  ₋ External relations (public relations [PR]/customer relations)
  ₋ Administration (legal, human resources [HR], regulatory compliance)
• IT reports to the chief information officer (CIO) and has a staff of 120 employees who, for the most part, are technical. Most of this staff will be gone by the end of the year due to the move to cloud services.
Background – Industry
• Competition for passengers and freight shipping within the airline industry is tough.
• Upward Bound Airlines competes well by passing on the savings from its efficient operations to customers, thereby offering attractive prices on most tickets.
• The airline’s marketing efforts are average; it could be more competitive if it increased its marketing efforts.
• With the coming cash crunch, though, the company cannot afford to invest more money in marketing at this time.
Background – Marketing
• Upward Bound Airlines relies heavily on marketing to boost its sales.
• Its marketing budget is one of the biggest line items.
• Its marketing staff consists of many marketing-savvy individuals.
• The main message that the marketing organization tries to get across is the airline’s efficiency and reliability and the advantages these hallmarks of the airline offer to busy passengers.
The Problem
• The cash crunch that Upward Bound Airlines will almost certainly experience in the near future will cause repercussions in the company’s information security practice.
• The CEO has told you to expect to lose at least one of your team members by the end of the year, but this is only a minor problem compared to the advent of cloud services.
• You have been informed that much of the IT infrastructure will be scrapped in favor of cloud services. For example, all mail servers are going to be taken out of service, their hard drives will be erased and they will all be sold on eBay® by the end of the year.
• Google will provide all mail services instead.
• The same is true of business applications—software as a service (SaaS) provider Zoho will provide all business applications.
• All corporate web servers will be hosted by Amazon.
You need to modify the security architecture that you and your staff developed less than one year
ago to make it appropriate for the massive changes in the IT infrastructure that are about to occur.
The existing security architecture contains the following elements:
• Policy and security standards that cover all major types of computing and network technologies
• Screening routers, stateful firewalls and a virus wall at each exterior gateway
• Spam filter and antivirus software on each mail server
• Network-based intrusion detection in each of Upward Bound’s six networks and sensors distributed within each network
• Endpoint security (antivirus plus antispyware plus personal firewall) on each Windows® workstation
The decisions concerning the modified security architecture will be made by you and your team
members, one of whom is the security architect.
The change control board led by the CIO must approve any proposed changes before they go into
effect.
Your Role
• You are the chief information security officer (CISO) of the airline and are based at the Chicago headquarters. You report to the chief executive officer (CEO) and attend the weekly senior management meeting. You have been with the company for slightly more than 10 years.
• The Information Security Department has four full-time information security staff members, all of whom report directly to you and are based at the Chicago headquarters.
Short biography:
• Are a seasoned veteran
• Have been in some kind of information security management position for nearly 20 years, with the majority of the time in a CISO position
• Were grandfathered as a Certified Information Security Manager® (CISM®) in 2002 and hold a bachelor’s degree in IT and a master’s degree in business administration (MBA)
• Hold the CISSP certification and the COBIT 5 Foundation certificate
The Business Need
B2C Project
• With the growing need to cut costs and provide swift client services, the CIO is charged with transforming the business using Internet technology in business-to-consumer (B2C) relationships.
• The B2C web site, the business and the information systems should be coupled tightly to achieve the business benefits and fast client service.
Note: Therefore, a review of B2C e-commerce should, in general, address the business risk as well as the
IS risk.
The B2C e-commerce model should cover these broad e-commerce activities:
• Informational (public)—Making information regarding the enterprise and its products available on the Internet for whoever wants to access the information
• Customer self-service (informational)—Making information, such as products/services and prices, available on the Internet for customers
• Customer self-service (transactional other than payments)—In addition to making information available on the Internet, accepting customer transactions, such as orders and cancellations, through the Internet, but payments are handled through conventional means
• Customer self-service (payments)—Accepting customer transactions including payments through the Internet
• Customer reporting—Providing reports, such as statement of accounts and order status, to customers online
• Interactive self-service—Providing interactive responses through emails for requests/queries logged through a web site
• Direct selling—Selling products and services directly to prospective buyers through the Internet
Cloud Project
The existing security architecture needs to be revised for the cloud option.
To do so, you need to:
• Understand not only what elements and functions within the IT arena are moving to the cloud, but also what will remain after the IT infrastructure is gutted.
• Learn from each cloud provider which controls can be put in place for data in motion and data at rest in the cloud and for networking in the cloud.
• Determine, when a cloud service provider cannot provide a control that you need, the types of compensating controls that should be implemented.
(Hint: Amazon cloud services can include a wide variety of controls—just about the same as you currently
have in your network. You just have to pay as you go—the more controls, the greater the charge for
cloud services.)
Rationale
• The rationale for each architecture change that you decide on must include a discussion of the pros and cons associated with the change or proposed change.
• For instance, you may decide to scrap the application firewalls that used to be in front of each web farm and, instead, work with your IT and contracts departments to ensure that application firewalling is built into your service level agreement (SLA) with Amazon.
• For enterprises where security is a low priority, security provided by a trustworthy cloud vendor may be a substantial enhancement.
• As with any outsourcing, failure of the vendor can cause the enterprise to be without a connection to its vital resources. Although this is improbable, it is possible and should be considered.
Pros and Cons
Pros:
• This may be the only way to protect your now cloud-hosted applications, and there may also be a cost saving because maintenance is outsourced.
Cons:
• Your company will not be able to directly control the application firewalls, something that may substantially increase the residual risk associated with web operations.
• Business continuity planning (BCP) and operations need to start at step one once your company’s web servers are hosted by a cloud services provider.
Exhibit – Network Architecture
Exhibit – Template for Change Pros/Cons
Notes:
• Two groups that have offered a baseline of definitions (for cloud computing) are the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance.
• They both define cloud computing as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• Another way to describe services offered in the cloud is to liken them to a utility. Just as enterprises pay for the electricity, gas and water they use, they now have the option of paying for IT services on a consumption basis.
• Three major types of cloud services currently exist:
  ₋ Software as a service (SaaS)—Capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).
  ₋ Infrastructure as a service (IaaS)—Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party.
  ₋ Platform as a service (PaaS)—Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
• In the Upward Bound Airlines scenario, in moving its IT operations to the cloud, this company is, in effect, outsourcing these operations to SaaS providers (Google for mail, Zoho for business applications) and an IaaS provider (Amazon for web hosting). For the SaaS services, the controls available to Upward Bound are limited to what each provider exposes (configuration, identity and access management, and contract terms); only the IaaS web hosting leaves room to deploy filtering and monitoring of Upward Bound’s own.
• From a security risk management perspective, this means that many of the mainstay network security controls that Upward Bound’s information security practice has used for years are no longer likely to be relevant.
• Controls that are no longer relevant will need to be phased out over time, and new, cloud-based controls need to be phased into a revised security architecture.
• For instance, as Upward Bound moves to the cloud, externally originated attacks against hosts within Upward Bound’s networks are not likely to pose as great a risk as before. Externally originated attacks against Upward Bound applications, databases and web servers in the cloud will, in contrast, pose a major risk. Mitigating this risk will be more difficult because Upward Bound cannot directly control what happens in the cloud.
• If Upward Bound management is wise, security controls should be included in its statement of work (SOW) or service level agreement (SLA) with the cloud provider.
• So instead of having a screening router, stateful firewall and virus wall at the gateway to its internal network, Upward Bound may instead want to contract for gateway-based filtering of network traffic at the entrance to Upward Bound’s cloud space.
• Note that Upward Bound has a very strong operations orientation. Any risks and related control measures that can potentially disrupt operations are, thus, an especially important consideration.
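The three control areas the notes keep returning to (data in motion, data at rest, and filtering at the gateway to the cloud space) lend themselves to checks that can be run against the post-migration estate, which is how a four-person security team verifies that what was contracted for is actually in place. The Python below is an added example for this case study, not ISACA’s material: it runs those checks over a hand-built inventory and attaches to every finding the compensating control to write into the SLA/SOW or to build yourself when the provider cannot supply the native one. The inventory shape, resource names and thresholds (TLS 1.2 as the floor, 443 as the only internet-reachable port) are assumptions for illustration.

```python
# Added example for this case study (not ISACA's material): turn the three
# control areas named above (data in motion, data at rest, networking at the
# edge of the cloud space) into checks that run against an inventory of the
# post-migration estate. Every finding carries the compensating control to
# ask for in the SLA/SOW, or to build yourself, when the provider cannot
# supply the native one. The inventory, resource names and thresholds below
# are constructed assumptions so the script runs offline.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str        # "data_in_motion" | "data_at_rest" | "network_gateway"
    detail: str
    compensating: str   # control to contract for, or to run yourself


# Constructed inventory (hypothetical names; the shape is an assumption, not
# any provider's real API output).
INVENTORY = {
    "listeners": [
        {"name": "web-farm-lb", "port": 443, "protocol": "HTTPS", "min_tls": "1.2"},
        {"name": "legacy-admin-lb", "port": 80, "protocol": "HTTP", "min_tls": None},
    ],
    "buckets": [
        {"name": "ticketing-data", "encrypted_at_rest": True, "public": False},
        {"name": "marketing-assets", "encrypted_at_rest": False, "public": True},
    ],
    "security_groups": [
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                       {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
    ],
    # Whether an application firewall sits in front of each listener.
    "waf_attached": {"web-farm-lb": True, "legacy-admin-lb": False},
}

ANY_SOURCE = "0.0.0.0/0"
ALLOWED_PUBLIC_PORTS = {443}   # assumption: only HTTPS may be reachable from the internet
MIN_TLS = (1, 2)               # assumption: TLS 1.2 is the floor for data in motion


def tls_meets_floor(version: Optional[str]) -> bool:
    """True if a 'major.minor' TLS version string is at or above MIN_TLS."""
    if not version:
        return False
    major, minor = (int(part) for part in version.split("."))
    return (major, minor) >= MIN_TLS


def check_data_in_motion(inv: dict) -> List[Finding]:
    """Every internet-facing listener must terminate TLS at or above the floor."""
    out = []
    for lst in inv["listeners"]:
        if lst["protocol"] != "HTTPS" or not tls_meets_floor(lst["min_tls"]):
            out.append(Finding(
                lst["name"], "data_in_motion",
                f"port {lst['port']} accepts {lst['protocol']} (min TLS {lst['min_tls']})",
                "terminate TLS 1.2+ at the provider's load balancer, or put a "
                "reverse proxy you control in front of it"))
    return out


def check_data_at_rest(inv: dict) -> List[Finding]:
    """Storage must be encrypted and must not be world-readable."""
    out = []
    for b in inv["buckets"]:
        if not b["encrypted_at_rest"]:
            out.append(Finding(b["name"], "data_at_rest", "not encrypted at rest",
                               "enable provider-side encryption, or encrypt client-side "
                               "with keys Upward Bound holds"))
        if b["public"]:
            out.append(Finding(b["name"], "data_at_rest", "publicly readable",
                               "block public access and serve assets via the web tier"))
    return out


def check_network_gateway(inv: dict) -> List[Finding]:
    """Replacement for the old screening router/firewall/virus wall: only the
    allowed ports may be open to the internet, and an application firewall
    must front each listener."""
    out = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == ANY_SOURCE and rule["port"] not in ALLOWED_PUBLIC_PORTS:
                out.append(Finding(sg["name"], "network_gateway",
                                   f"port {rule['port']} open to the internet",
                                   "restrict to known source ranges; use a VPN or "
                                   "bastion for administrative access"))
    for lb, has_waf in inv["waf_attached"].items():
        if not has_waf:
            out.append(Finding(lb, "network_gateway", "no application firewall in front",
                               "contract WAF in the SLA, or run a self-managed WAF "
                               "inside the cloud space"))
    return out


def evaluate(inv: dict = INVENTORY) -> Dict[str, List[Finding]]:
    """Run all checks and group findings by control area."""
    grouped: Dict[str, List[Finding]] = {}
    for f in check_data_in_motion(inv) + check_data_at_rest(inv) + check_network_gateway(inv):
        grouped.setdefault(f.control, []).append(f)
    return grouped


if __name__ == "__main__":
    for area, items in evaluate().items():
        print(f"[{area}]")
        for f in items:
            print(f"  {f.resource}: {f.detail} -> {f.compensating}")
```

Run against the constructed inventory it reports five findings: the HTTP admin listener (data in motion), the unencrypted and public marketing bucket (data at rest, twice), SSH open to the internet and the listener with no WAF (network gateway). Feeding it the real inventory each time the change control board approves a cloud change gives the CISO the evidence that the contracted controls survived the change, which the team can no longer get by walking over to the firewall.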
COBIT 5
Some sections of COBIT 5 may also be helpful in determining your best course of action:
• APO03 Manage enterprise architecture.
• APO04 Manage innovation.
• APO08 Manage relationships.
• APO12 Manage risk.
• APO13 Manage security.
• BAI05 Manage organisational change enablement.
• DSS04 Manage continuity.
• DSS05 Manage security services.
• MEA02 Monitor, evaluate and assess the system of internal control.
• MEA03 Monitor, evaluate and assess compliance with external requirements.
Your Tasks:
1. Identify the key information criteria for the B2C project.
2. Provide some sample control concerns for the B2C project.
3. Analyze what appropriate architectural changes of controls and security would be for the
cloud project.
4. Briefly discuss how the organizational policies and standards must be modified to adjust for
the new cloud strategy.