Case study scenario: Moving Fast Supplies
Moving Fast Supplies (MFS) is a company that designs and manufactures equipment for use in logistics industries. MFS prides itself on the development of products that use the latest technology and knowledge of the logistics industry to lead the way in the delivery of goods throughout the supply chain. Most of their products require custom installations, but these installations are largely implemented by configuration options available within their product lines. They sell their products to large logistics organisations and manufacturers through their own branch offices, which are located across the globe. Some of the products they manufacture must be installed and serviced by specialist technicians.
MFS branch offices provide three major functions for their customers: sales and consultancy; trained service and support professionals; and training staff. Many small common items are kept in stock at branch locations for service requirements, but some products are shipped directly to customers on an as-needed basis due to the customization required to match different installations. An online portal allows branches and retailers to order equipment and arrange installation dates, times, and locations.
A key part of MFS is the design and testing of their products. Care must be taken with products in development so that the information is retained within the company, with regard to laws relating to copyright (e.g. software for electronic equipment), patents (physical equipment) and trade secrets, and so that important commercial information (e.g. product release dates and quantities) is not released. Design, development, and testing are coordinated through the Central Office in Melbourne. The final products are assembled through contracts with several manufacturers located in Viet Nam, India and Indonesia.
The Central Office in Melbourne has three main divisions: Research; Design and Development; Manufacturing; and Sales and Installation. Support departments include Finance, Payroll, and Accounts, ICT, and Human Resources. Support and oversight for branches is largely provided by the relevant areas of the business; however, since international branches must conform to local regulations, many of their functions are set up according to local laws. Branches must have their own ICT systems that support local requirements. Online product and support information is provided through services hosted at the Central Office. The Melbourne Branch has 400 employees. There is a sales branch in each global area: Europe, South America, Asia, North America and Oceania. Branches generally have 100 employees consisting of managers, installers, service personnel, ICT assistants, and installation assistants. Various managers include: an installation manager; an accounts and finance manager; a sales manager.
Product manufacturing is coordinated through the Melbourne Central Office with the various manufacturers. Final installation of products requires coordination between the customer, branch sales and installation services, and the Melbourne Central Office. This coordination is supported by the Production Planning Software hosted in Melbourne, which provides for speedy implementation of product installation from the quotation stage through to final implementation of products and training of staff. The Production Planning Software assists with production planning, including the purchasing of production supplies, stock control, manufacturing schedules, shipping arrangements, installation support, implementation testing and training of customer staff.
Research and development use specialist applications for developing products. These include software development tools, hardware design tools, CAD design tools and applications necessary for administration. Sales billing for products sold is supported by SafeTrans Software. It provides for sales invoicing and accepting payments from clients. Invoicing is usually coordinated with the installation software. Key triggers include delivery of products, installation completion, testing and product approval, and training completion. Payroll is handled by a separate system: MyPayrol is used across the organisation, but each branch has its own locally supported version that conforms to local requirements. All branches can interact with these major systems through the internet. MFS uses many other common application programs: email, word processing, spreadsheets, etc. ICT has the responsibility of organising and implementing the network, server and computing facilities, as well as maintaining the applications in use in the Melbourne Branch and the Sales Branches. Each of the divisions has its own internal servers and subdomain, which are part of MFS’s intranet, which connects to all branches and departments. All external traffic is routed through the main branch systems.
MFS has only recently identified a need for a more formal approach to securing their ICT systems, though there are currently some elements implemented in an ad hoc fashion (firewalls, virus and malware protection, and user access controls which are overseen by the ICT technical staff). MFS have contracted your consulting service, Secure Security Services (SSS), to provide a report outlining the need for a Security Management Program, its purpose, and a suggested framework for the development of a security management program that oversees security concerns across their business.
As an employee of SSS, you have been asked to develop a report that presents the needs and requirements to implement an ICT Security Program for MFS. This plan should discuss how information security could be better managed by developing a Security Management Program and provide an overview of how to develop such a program. This would include identifying the tasks and roles that need to be assigned for the development and implementation of a Security Management Program, the policy development, and the need for a risk management program. Specifically, they have asked for an explanation of the benefits of a risk management plan, the steps for creating a risk management plan, and a description of the risk assessment process. To meet the client’s request, you need to do the following:
Document contents
A discussion of the types of policies needed for information security.
A discussion on what policy documents should look like.
Explanation of benefits and purpose of a risk assessment.
Description of risk assessment process.
Outline the steps for creating a risk management plan.
A set of asset and risk priorities using the tables below:
  Identification of assets. (One asset from each of the different categories: people, process, hardware and software).
  Identification of threats/vulnerabilities. (One threat from each of the different categories: internal, external, deliberate, and accidental).
  Priorities determined, Preliminary impact of risks.
  Suggest controls for the items in the last table.
To assist with their understanding of risk assessment and management you have decided to consider 4 assets and 4 threats to be used to complete the tables below. To effectively demonstrate your skill, the tables would need to include examples of assets from different categories: people, process, hardware and software. Threats should also include examples from different categories: internal, external, deliberate, and accidental.